SecureAuth¶
About¶
SecureAuth helps secure workforce and customer online identities for the world’s leading brands. SecureAuth’s products and services are developed around the core principle of our mission: Never compromise on security.
Product Details¶
Vendor URL: SecureAuth
Product Type: Authentication
Product Tier: Tier I
Integration Method: Syslog
Integration URL: n/a
Log Guide: SecureAuth Support
Parser Details¶
Log Format: Syslog
Data Label: SECUREAUTH_SSO
Expected Normalization Rate: 75%
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
vendor | metadata.vendor_name | All |
product | metadata.product_name | All |
version | metadata.product_version | All |
product_event | metadata.product_event_type | All |
Defined | metadata.event_type | All |
src | principal.hostname | If Available |
src | principal.ip | If Available |
dst | target.hostname | If Available |
dst | target.ip | If Available |
dhost | target.hostname | If Available |
dhost | target.ip | If Available |
shost | principal.hostname | If Available |
shost | principal.ip | If Available |
ALLOW | security_result.action | If Available |
USERNAME_PASSWORD | extensions.auth.mechanism | If Available |
SecureAuthIdPApiResponseHTTPStatusCode | network.http.response_code | If Available |
suser | principal.user.userid | If Available |
SecureAuthIdPwstrustusername | src.user.userid | If Available |
domain2 | src.administrative_domain | If Available |
domain1 | principal.administrative_domain | If Available |
tdomain | target.administrative_domain | If Available |
request | target.url | If Available |
SecureAuthIdPAppliance | target.hostname | If Available |
SecureAuthIdPApplianceID | additional.fields | If Available |
SecureAuthIdPCompanyID | additional.fields | If Available |
SecureAuthIdPPEN | additional.fields | If Available |
deviceFacility | additional.fields | If Available |
cs1 | additional.fields | If Available |
cs2 | additional.fields | If Available |
cs3 | additional.fields | If Available |
cs4 | additional.fields | If Available |
cs5 | additional.fields | If Available |
cfp1 | additional.fields | If Available |
cfp2 | additional.fields | If Available |
cfp3 | additional.fields | If Available |
flexString1 | additional.fields | If Available |
flexString2 | additional.fields | If Available |
outcome | additional.fields | If Available |
sourceServiceName | principal.application | If Available |
deviceCustomDate1 | additional.fields | If Available |
SecureAuthIdPApiResponseMessage | additional.fields | If Available |
spid | principal.process.pid | If Available |
msg | metadata.description | If Available |
requestClientApplication | network.http.user_agent | If Available |
LOW/MEDIUM/HIGH | .security_result.severity | If Available |
cn1 | additional.fields | If Available |
cs6 | principal.location.country_or_region | If Available |
cs6 | additional.fields | If Available |
STATUS_UPDATE | metadata.event_type | If Available |
observer | observer.hostname | If Available |
observer | observer.ip | If Available |
cat | security_result.category_details | If Available |
Product Event Types¶
Description | metadata.event_type |
---|---|
System update (read certificate/license settings) | STATUS_UPDATE |
User state update | STATUS_UPDATE |
Service provider update (profile) | STATUS_UPDATE |
Service provider update (membership) | STATUS_UPDATE |
System update (status) | STATUS_UPDATE |
Post-authentication update | STATUS_UPDATE |
(unused) | GENERIC_EVENT |
API update | STATUS_UPDATE |
Analyze engine update (ae providers, geolocation/ipevaluation) | STATUS_UPDATE |
Log Sample¶
<86>Sep 15 10:27:26 10.10.10.20 CEF:0|SecureAuth|IdP|20.06.00.0|40601|Post-authentication update|2|cn1=1 cn1Label=Priority cfp1= cfp1Label=IPRiskScore cs1=cs1label cs1Label=BrowserSession cs2= cs2Label=AnalyzeEngineResult cs3=Company Inc. cs3Label=CompanyName cs4=cs4label cs4Label=RequestID cs5= cs5Label=RequestDuration cs6= cs6Label=UserCountryCode cat=AUDIT deviceCustomDate1=1631726846256 deviceCustomDate1Label=DeviceUTCTime outcome= deviceFacility=authpriv sourceServiceName=O365 - Basic Auth EXTERNAL dst=10.10.10.20 dvc=10.10.1020 spid=6740 msg=[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. Password True. requestClientApplication= src=10.10.10.186 suser=johndoe@companyname.com SecureAuthIdPAppliance=server SecureAuthIdPApplianceID=appliance SecureAuthIdPCompanyID=company SecureAuthIdPPEN=ppen
Sample Parsing¶
metadata.event_timestamp = "2021-09-15T17:27:26.256Z"
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "SecureAuth"
metadata.product_name = "IdP"
metadata.product_version = "20.06.00.0"
metadata.product_event_type = "Post-authentication update"
metadata.description = "[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. Password True."
metadata.ingested_timestamp = "2021-09-15T17:29:55.541363Z"
additional.BrowserSession = "cs1label"
additional.DeviceUTCTime = "163172684"
additional.SecureAuthIdPPEN = "ppen"
additional.RequestID = "cs4label"
additional.device_facility = "authpriv"
additional.IPRiskScore = ""
additional.SecureAuthIdPCompanyID = "company"
additional.SecureAuthIdPApplianceID = "appliance"
additional.CompanyName = "Company Inc"
additional.AnalyzeEngineResult = ""
additional.RequestDuration = ""
principal.hostname = "NULL"
principal.user.userid = "john.doe"
principal.process.pid = "6740"
principal.ip = "10.10.10.186"
principal.administrative_domain = "domainname.com"
principal.application = "O365 - Basic Auth EXTERNAL"
target.hostname = "secureauthserver"
target.ip = "10.10.10.20"
target.administrative_domain = "domainname"
observer.ip = "10.10.10.20"
security_result.category_details = "AUDIT"
security_result.severity = "LOW"
Parser Alerting¶
This product currently does not have any Parser-based Alerting