RSA SecurID

About

SecurID provides identity and access management capabilities for on-premises deployments – authentication, access management, and identity governance – to protect organizations in a perimeterless world.

Product Details

Vendor URL: RSA SecurID Overview

Product Type: Identity and Access Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Configure Logging

Log Guide: API Developer's Guide

Parser Details

Log Format: Syslog + CSV

Expected Normalization Rate: 98%

Data Label: RSA_SECURID

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| action | security_result.description |
| application | target.application |
| audit_section | metadata.product_event_type |
| CLIENT_ID | principal.hostname |
| CODE | security_result.description |
| column1 | security_result.severity |
| column10 | network.session_id |
| column11 | target.resource.product_object_id |
| column12 | principal.resource.attribute.labels |
| column13 | principal.resource.attribute.labels |
| column15 | principal.user.userid |
| column16 | principal.user.first_name |
| column17 | principal.user.last_name |
| column18 | security_result.summary |
| column2 | metadata.product_log_id |
| column20 | principal.hostname |
| column22 | additional.fields |
| column23 | additional.fields |
| column24 | additional.fields |
| column27 | target.user.userid |
| column4 | principal.ip |
| column5 | target.ip |
| column6 | security_result.rule_name |
| column8 | security_result.action |
| column9 | security_result.category_details |
| command | target.process.command_line |
| description | metadata.description |
| hostname | observer.ip |
| hostname | observer.hostname |
| IDENTITY_SOURCES | principal.ip |
| IN_RESPONSE_TO | security_result.about.asset.product_object_id |
| NAS_IP_ADDRESS | intermediary.ip |
| POLICY_ID | security_result.rule_name |
| process_id | principal.process.pid |
| PWD | target.process.file.full_path |
| RADIUS_RESPONSE_TYPE | security_result.action_details |
| REQUEST_ID | metadata.product_log_id |
| sessionId | network.session_id |
| SOURCE_IP_ADDRESS | principal.ip |
| srcUser | principal.user.userid |
| STATUS | security_result.action |
| TENANT_ID | principal.resource.name |
| url | target.url |
| USER_NAME | target.user.email_addresses |
| USER_NAME | target.administrative_domain |
| USER_NAME | target.user.userid |
| username1 | target.user.userid |
| version | metadata.product_version |

Product Event Types

| Event | UDM Event Classification |
|---|---|
| "Started User Manager","Stopped User Manager","Stopping User Manager" | USER_UNCATEGORIZED |
| Network events | NETWORK_CONNECTION |
| Other | STATUS_UPDATE |
| Received .*from | PROCESS_TERMINATION |
| session closed | USER_LOGOUT |
| session opened | USER_LOGIN |
| Starting | SERVICE_START |
| Stopping | SERVICE_STOP |

Log Sample

<110>1 2024-07-10T17:40:51Z 10.0.0.0 SINGLEPOINT 2281 RADIUS_USER_SECURID_AUTHENTICATION [SINGLEPOINT@34162 STATUS="SUCCESS" CLIENT_ID="RADIUS: EXAMPLE_HOST" IN_RESPONSE_TO="abc12345-0073-4ca1-ad62-94fdcf0f4abe" DESCRIPTION="RADIUS – SecurID authentication succeeded." SOURCE-IP-ADDRESS="0.0.0.0" RADIUS_RESPONSE_TYPE="Access-Accept" TENANT_ID="example_co" USER_NAME="JOHNDOE" REQUEST_ID="abc12345-0073-4ca1-ad62-94fdcf0f4abe" NAS-IP-ADDRESS="0.0.0.0" POLICY_ID="All Users Low Assurance Level"] RADIUS – SecurID authentication succeeded.

Sample Parsing

intermediary.application = "SINGLEPOINT"
intermediary.ip = "0.0.0.0"
metadata.description = "RADIUS – SecurID authentication succeeded."
metadata.log_type = "RSA_SECURID"
metadata.product_event_type = "RADIUS_USER_SECURID_AUTHENTICATION"
metadata.product_log_id = "abc12345-0073-4ca1-ad62-94fdcf0f4abe"
metadata.product_name = "RSA SECURID"
metadata.vendor_name = "RSA"
observer.ip = "10.0.0.0"
principal.hostname = "EXAMPLE_HOST"
principal.ip = "0.0.0.0"
principal.process.pid = "2281"
principal.resource.name = "example_co"
security_result.about.asset.product_object_id = "abc12345-0073-4ca1-ad62-94fdcf0f4abe"
security_result.action_details = "Access-Accept"
security_result.action = "ALLOW"
security_result.rule_name = "All Users Low Assurance Level"
target.user.userid = "JOHNDOE"
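The log sample is an RFC 5424 syslog line with one structured-data element, and the sample parsing above shows where each SD-PARAM lands. The following Python is an added example, not the product parser and not code from this page: it parses that line into the same UDM field values, normalising the hyphenated keys (SOURCE-IP-ADDRESS, NAS-IP-ADDRESS) to the underscored names in the field table, stripping the "RADIUS: " agent prefix from CLIENT_ID, and deriving security_result.action from STATUS. The UNKNOWN_ACTION fallback for any STATUS other than SUCCESS is an assumption, since the page documents only the SUCCESS case.

```python
import re
# Constructed sample: the page's RSA SecurID RADIUS line (addresses, IDs and names are placeholders).
SAMPLE = (
    '<110>1 2024-07-10T17:40:51Z 10.0.0.0 SINGLEPOINT 2281 RADIUS_USER_SECURID_AUTHENTICATION '
    '[SINGLEPOINT@34162 STATUS="SUCCESS" CLIENT_ID="RADIUS: EXAMPLE_HOST" '
    'IN_RESPONSE_TO="abc12345-0073-4ca1-ad62-94fdcf0f4abe" '
    'DESCRIPTION="RADIUS – SecurID authentication succeeded." SOURCE-IP-ADDRESS="0.0.0.0" '
    'RADIUS_RESPONSE_TYPE="Access-Accept" TENANT_ID="example_co" USER_NAME="JOHNDOE" '
    'REQUEST_ID="abc12345-0073-4ca1-ad62-94fdcf0f4abe" NAS-IP-ADDRESS="0.0.0.0" '
    'POLICY_ID="All Users Low Assurance Level"] RADIUS – SecurID authentication succeeded.')

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params] MSG.
# A quoted SD value may contain an escaped "\]", so the SD block is not simply "up to the first ]".
HEADER = re.compile(
    r'^<(?P<pri>\d+)>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) '
    r'(?P<msgid>\S+) \[(?P<sdid>\S+) (?P<sd>(?:[^\]\\]|\\.)*)\] ?(?P<msg>.*)$')
# One SD-PARAM; a quoted value may hold the RFC 5424 escapes \" \] and \\.
PARAM = re.compile(r'(?P<key>[A-Za-z0-9_-]+)="(?P<val>(?:[^"\\]|\\.)*)"')

# Only STATUS="SUCCESS" -> ALLOW is documented on the page; anything else becomes
# UNKNOWN_ACTION here as an assumption, not as the vendor parser's behaviour.
STATUS_TO_ACTION = {"SUCCESS": "ALLOW"}


def parse_securid(line: str) -> dict:
    """Map one SecurID RFC 5424 line to a flat dict of UDM field paths (empty values dropped)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line with a structured-data element")
    # Keys are hyphenated in the log (SOURCE-IP-ADDRESS) but underscored in the field table.
    params = {k.replace("-", "_"): v.replace('\\"', '"').replace('\\]', ']')
              for k, v in PARAM.findall(m["sd"])}
    # CLIENT_ID carries the agent type as a prefix ("RADIUS: host"); only the host is kept.
    client = params.get("CLIENT_ID", "")
    hostname = client.split(":", 1)[1].strip() if ":" in client else client
    udm = {
        "metadata.log_type": "RSA_SECURID", "metadata.vendor_name": "RSA",
        "metadata.product_name": "RSA SECURID", "metadata.product_event_type": m["msgid"],
        "metadata.description": params.get("DESCRIPTION") or m["msg"],
        "metadata.product_log_id": params.get("REQUEST_ID"),
        "observer.ip": m["host"], "intermediary.application": m["app"],
        "intermediary.ip": params.get("NAS_IP_ADDRESS"),
        "principal.process.pid": m["pid"], "principal.hostname": hostname,
        "principal.ip": params.get("SOURCE_IP_ADDRESS"),
        "principal.resource.name": params.get("TENANT_ID"),
        "security_result.about.asset.product_object_id": params.get("IN_RESPONSE_TO"),
        "security_result.action": STATUS_TO_ACTION.get(params.get("STATUS"), "UNKNOWN_ACTION"),
        "security_result.action_details": params.get("RADIUS_RESPONSE_TYPE"),
        "security_result.rule_name": params.get("POLICY_ID"),
        "target.user.userid": params.get("USER_NAME"),
    }
    return {k: v for k, v in udm.items() if v}
```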