RSA SecureID
About
SecurID provides identity and access management capabilities for on-premises deployments – authentication, access management, and identity governance – to protect organizations in a perimeterless world.
Product Details
Vendor URL: RSA SecureID Overview
Product Type: Identity and Access Management
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Configure Logging
Log Guide: Log Configuration Parameters
Parser Details
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: RSA_SECUREID
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
| --- | --- |
| action | security_result.summary |
| COMMAND | principal.process.command_line |
| description | metadata.description |
| observer | observer.hostname |
| observer | principal.hostname |
| observer | target.hostname |
| path | target.process.file.full_path |
| product_event | metadata.product_event |
| reason | security_result.description |
| target_host | target.hostname |
| target_ip | target.ip |
| USER | principal.user.userid |
| username | principal.user.userid |
Product Event Types

| message | UDM Event Classification |
| --- | --- |
| all others | GENERIC_EVENT |
| expired password | STATUS_UNCATEGORIZED |
| session closed | USER_LOGOUT |
| session opened | USER_LOGIN |
| sudo | USER_RESOURCE_ACCESS |
Log Sample

```
<86>Nov 8 20:39:54 hostname1 sudo: pam_unix(sudo:session): session opened for user johndoe by (uid=0)
```
Sample Parsing

```
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "RSA"
metadata.product_name = "Secure ID"
metadata.product_event_type = "sudo"
metadata.description = "pam_unix(sudo:session)"
principal.user.userid = "johndoe"
target.hostname = "hostname1"
target.asset.hostname = "hostname1"
observer.hostname = "hostname1"
security_result.summary = "session opened"
extensions.auth.mechanism = "USERNAME_PASSWORD"
```
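To show how the log sample above becomes the UDM fields listed under Sample Parsing, here is an added illustrative normalizer in Python. It is not the vendor's or the platform's parser; it applies the field table and the Product Event Types table from this page to RFC 3164-style syslog lines. The session line is the page's own sample; the sudo command record, the expired-password line and the sshd line are constructed inputs that exercise the USER/COMMAND mappings, the STATUS_UNCATEGORIZED row and the "all others" row. The precedence rule (a PAM session phrase wins over the bare program name `sudo`, matching the sample where a sudo session line normalizes to USER_LOGIN) and the `extensions.auth.mechanism` value are assumptions taken from the sample output, not documented parser behaviour.

```python
import re
from typing import Dict, Optional, Tuple

# UDM classification, copied from the "Product Event Types" table above.
EVENT_TYPES = {
    "expired password": "STATUS_UNCATEGORIZED",
    "session closed": "USER_LOGOUT",
    "session opened": "USER_LOGIN",
    "sudo": "USER_RESOURCE_ACCESS",
}
DEFAULT_EVENT_TYPE = "GENERIC_EVENT"  # the "all others" row

# Constructed inputs. SAMPLE_SESSION is the page's own Log Sample; the other
# three are constructed here to cover the remaining table rows.
SAMPLE_SESSION = ("<86>Nov 8 20:39:54 hostname1 sudo: pam_unix(sudo:session): "
                  "session opened for user johndoe by (uid=0)")
SAMPLE_COMMAND = ("<85>Nov 8 20:39:54 hostname1 sudo: johndoe : TTY=pts/0 ; "
                  "PWD=/home/johndoe ; USER=root ; COMMAND=/usr/bin/id")
SAMPLE_EXPIRED = ("<86>Nov 8 20:41:00 hostname1 sshd[4242]: pam_unix(sshd:account): "
                  "expired password for user johndoe (password aged)")
SAMPLE_OTHER = ("<86>Nov 8 20:42:10 hostname1 sshd[4242]: "
                "Received disconnect from 192.0.2.7 port 51020")

# <PRI>Mon dd HH:MM:SS host program[pid]: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)
USER_RE = re.compile(r"\bfor user (\S+)")


def classify(program: str, message: str) -> Tuple[Optional[str], str]:
    """Return (matched table phrase, UDM event type) for one message.

    Assumed precedence: a PAM phrase found in the message wins; the bare
    program name 'sudo' only applies when no phrase matched."""
    lowered = message.lower()
    for phrase in ("expired password", "session closed", "session opened"):
        if phrase in lowered:
            return phrase, EVENT_TYPES[phrase]
    if program == "sudo":
        return "sudo", EVENT_TYPES["sudo"]
    return None, DEFAULT_EVENT_TYPE


def normalize(line: str) -> Dict[str, str]:
    """Parse one syslog line into the UDM fields named in the tables above."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    host, prog, msg = m.group("host"), m.group("prog"), m.group("msg")
    phrase, event_type = classify(prog, msg)
    udm = {
        "metadata.vendor_name": "RSA",
        "metadata.product_name": "Secure ID",
        "metadata.product_event_type": prog,
        "metadata.event_type": event_type,
        "observer.hostname": host,          # observer -> observer.hostname
        "target.hostname": host,            # observer -> target.hostname
        "target.asset.hostname": host,
    }
    desc, _, body = msg.partition(": ")
    if desc.startswith("pam_unix("):
        # PAM record: "pam_unix(svc:type): <action> for user <name> ..."
        udm["metadata.description"] = desc             # description field
        if phrase and phrase != "sudo":
            udm["security_result.summary"] = phrase    # action field
        user = USER_RE.search(body)
        if user:
            udm["principal.user.userid"] = user.group(1)
        # Value taken from the page's sample output (assumption).
        udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"
    elif prog == "sudo" and " : " in msg:
        # sudo command record: "<invoker> : KEY=value ; KEY=value ..."
        # The table maps USER and COMMAND; the invoking account before the
        # colon has no row in the table, so it is left unmapped here.
        _invoker, _, rest = msg.partition(" : ")
        kv = dict(item.partition("=")[::2] for item in rest.split(" ; "))
        if "USER" in kv:
            udm["principal.user.userid"] = kv["USER"]
        if "COMMAND" in kv:
            udm["principal.process.command_line"] = kv["COMMAND"]
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_SESSION, SAMPLE_COMMAND, SAMPLE_EXPIRED, SAMPLE_OTHER):
        for field, value in normalize(sample).items():
            print('%s = "%s"' % (field, value))
        print()
```

Running the script prints the field list for each sample; the first block matches the Sample Parsing output above. A real parser would also carry the remaining table rows (`target_ip`, `path`, `reason`), which these four inputs never populate.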
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon