RSA SecureID¶
About¶
SecurID provides powerful identity and access management capabilities for on-premise deployments – in authentication, access management, and identity governance – to fully protect organizations in a perimeterless world.
Product Details¶
Vendor URL: RSA SecureID Overview
Product Type: Identity and Access Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Configure Logging
Log Guide: Log Configuration Parameters
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: RSA_SECUREID
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | security_result.summary |
| COMMAND | principal.process.command_line |
| description | metadata.description |
| observer | observer.hostname |
| observer | principal.hostname |
| observer | target.hostname |
| path | target.process.file.full_path |
| product_event | metadata.product_event |
| reason | security_result.description |
| target_host | target_hostname |
| target_ip | target.ip |
| USER | principal.user.userid |
| username | principal.user.userid |
Product Event Types¶
| message | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
| expired password | STATUS_UNCATEGORIZED |
| session closed | USER_LOGOUT |
| session opened | USER_LOGIN |
| sudo | USER_RESOURCE_ACCESS |
Log Sample¶
<86>Nov 8 20:39:54 hostname1 sudo: pam_unix(sudo:session): session opened for user johndoe by (uid=0)
Sample Parsing¶
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "RSA"
metadata.product_name = "Secure ID"
metadata.product_event_type = "sudo"
metadata.description = "pam_unix(sudo:session)"
principal.user.userid = "johndoe"
target.hostname = "hostname1"
target.asset.hostname = "hostname1"
observer.hostname = "hostname1"
security_result.summary = "session opened"
extensions.auth.mechanism = "USERNAME_PASSWORD"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon