OpenAM¶
About¶
OpenAM provides an infrastructure for managing users, roles, and access to resources, and centralizes access control by handling both authentication and authorization.
Product Details¶
Vendor URL: OpenAM
Product Type: Identity/Access Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details¶
Log Format: CSV and KV
Expected Normalization Rate: near 100%
Data Label: OPENAM
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
Statically Defined | extensions.auth.type |
eventName | metadata.product_event_type |
description | metadata.description |
ad.trackingIds | metadata.product_log_id |
Statically Defined | metadata.product_name |
Statically Defined | metadata.vendor_name |
shost | principal.hostname |
src_ip, client.ip, info.ipAddress | principal.ip |
client.port | principal.port |
nodeId | principal.resource.id |
treeName | principal.resource.name |
authLevel | principal.resource.resource_subtype |
nodeType | principal.resource.type |
am_user | principal.user.email_addresses |
am_group | principal.user.group_identifiers |
am_user | principal.user.userid |
dhost | target.hostname |
dst, serverip | target.ip |
serverport | target.port |
loginId, am_user | target.user.email_addresses |
am_group | target.user.group_identifiers |
am_user | target.user.userid |
Statically Defined | network.application_protocol |
requestMethod | network.http.method |
request | network.http.referral_url |
user-agent | network.http.user_agent |
Product Event Types¶
Product Event | Description | UDM Event |
---|---|---|
AM-LOGIN | USER_LOGIN | |
AM-SESSION-CREATED | USER_LOGIN | |
AM-TREE-LOGIN-COMPLETED | USER_LOGIN | |
AM-NODE-LOGIN-COMPLETED | USER_LOGIN | |
AM_LOGOUT | USER_LOGOUT | |
AM-SESSION-DESTROYED | USER_LOGOUT | |
AM-SESSION-IDLE_TIMED_OUT | USER_LOGOUT | |
AM-SESSION-LOGGED_OUT | USER_LOGOUT | |
AM-NODE | USER_UNCATEGORIZED | |
AM-ACCESS-OUTCOME | NETWORK_HTTP | |
Default | src_ip not empty | STATUS_UPDATE |
Default | All other events | GENERIC_EVENT |
Log Sample¶
Jul 25 15:50:13 10.10.10.10 CEF: 0|ForgeRock|OpenAM|||AM-TREE-LOGIN-COMPLETED|Unknown| eventId=eventid externalId=externalid art=1658778613794 rt=1658778613794 outcome=SUCCESSFUL shost=shost.com src=10.10.10.10 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 sntdom=/associates suser=user destinationServiceName=Authentication cs2={"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}} cs5=0 cs6=transactionId\=#transactionid# userId\=#id\=user, result\=#SUCCESSFUL# principal\=#["pr_user"]# context\=## entries\=#[{"info":{"treeName":"Kerberos","ipAddress":"10.10.10.10","authLevel":"0"}}]# component\=#Authentication# realm\=#/associates# cs1Label=Context cs2Label=Entries cs3Label=Auth Control Flag cs5Label=Auth Level flexString1Label=Node Outcome ahost=ahostname agt=10.10.10.10 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=macAddress av=7.15.0.8295.0 atz=CST6CDT at=syslog ad.trackingIds=["trackingIds"] ad.TreeName=Kerberos ad.externalId=ad.externalid_value aid=aid_value
Sample Parsing¶
intermediary.ip = "10.10.10.10"
metadata.product_event_type = "AM-TREE-LOGIN-COMPLETED"
metadata.description = "Tree login completed"
metadata.event_timestamp = "1658764213"
metadata.vendor_name = "ForgeRock"
metadata.product_name = "OpenAM"
metadata.event_type = "USER_LOGIN"
metadata.product_log_id = "trackingIds"
principal.hostname = shost.com
target.user.userid = "user"
security_result.action = "ALLOW"
security_result.action_details = "#SUCCESSFUL#"
extensions.auth.type = "SSO"
Parser Alerting¶
This product currently does not have any Parser-based Alerting