SecureAuth

About

SecureAuth helps secure workforce and customer online identities for the world’s leading brands. SecureAuth’s products and services are developed around the core principle of our mission: Never compromise on security.

Product Details

Vendor URL: SecureAuth

Product Type: Authentication

Product Tier: Tier I

Integration Method: Syslog

Integration URL: n/a

Log Guide: SecureAuth Support

Parser Details

Log Format: Syslog

Data Label: SECUREAUTH_SSO

Expected Normalization Rate: 75%

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field | UDM Event Type |
|---|---|---|
| vendor | metadata.vendor_name | All |
| product | metadata.product_name | All |
| version | metadata.product_version | All |
| product_event | metadata.product_event_type | All |
| Defined | metadata.event_type | All |
| src | principal.hostname | If Available |
| src | principal.ip | If Available |
| dst | target.hostname | If Available |
| dst | target.ip | If Available |
| dhost | target.hostname | If Available |
| dhost | target.ip | If Available |
| shost | principal.hostname | If Available |
| shost | principal.ip | If Available |
| ALLOW | security_result.action | If Available |
| USERNAME_PASSWORD | extensions.auth.mechanism | If Available |
| SecureAuthIdPApiResponseHTTPStatusCode | network.http.response_code | If Available |
| suser | principal.user.userid | If Available |
| SecureAuthIdPwstrustusername | src.user.userid | If Available |
| domain2 | src.administrative_domain | If Available |
| domain1 | principal.administrative_domain | If Available |
| tdomain | target.administrative_domain | If Available |
| request | target.url | If Available |
| SecureAuthIdPAppliance | target.hostname | If Available |
| SecureAuthIdPApplianceID | additional.fields | If Available |
| SecureAuthIdPCompanyID | additional.fields | If Available |
| SecureAuthIdPPEN | additional.fields | If Available |
| deviceFacility | additional.fields | If Available |
| cs1 | additional.fields | If Available |
| cs2 | additional.fields | If Available |
| cs3 | additional.fields | If Available |
| cs4 | additional.fields | If Available |
| cs5 | additional.fields | If Available |
| cfp1 | additional.fields | If Available |
| cfp2 | additional.fields | If Available |
| cfp3 | additional.fields | If Available |
| flexString1 | additional.fields | If Available |
| flexString2 | additional.fields | If Available |
| outcome | additional.fields | If Available |
| sourceServiceName | principal.application | If Available |
| deviceCustomDate1 | additional.fields | If Available |
| SecureAuthIdPApiResponseMessage | additional.fields | If Available |
| spid | principal.process.pid | If Available |
| msg | metadata.description | If Available |
| requestClientApplication | network.http.user_agent | If Available |
| LOW/MEDIUM/HIGH | security_result.severity | If Available |
| cn1 | additional.fields | If Available |
| cs6 | principal.location.country_or_region | If Available |
| cs6 | additional.fields | If Available |
| STATUS_UPDATE | metadata.event_type | If Available |
| observer | observer.hostname | If Available |
| observer | observer.ip | If Available |
| cat | security_result.category_details | If Available |

Product Event Types

| Description | metadata.event_type |
|---|---|
| System update (read certificate/license settings) | STATUS_UPDATE |
| User state update | STATUS_UPDATE |
| Service provider update (profile) | STATUS_UPDATE |
| Service provider update (membership) | STATUS_UPDATE |
| System update (status) | STATUS_UPDATE |
| Post-authentication update | STATUS_UPDATE |
| (unused) | GENERIC_EVENT |
| API update | STATUS_UPDATE |
| Analyze engine update (ae providers, geolocation/ipevaluation) | STATUS_UPDATE |

Log Sample

<86>Sep 15 10:27:26 10.10.10.20 CEF:0|SecureAuth|IdP|20.06.00.0|40601|Post-authentication update|2|cn1=1 cn1Label=Priority cfp1= cfp1Label=IPRiskScore cs1=cs1label cs1Label=BrowserSession cs2= cs2Label=AnalyzeEngineResult cs3=Company Inc. cs3Label=CompanyName cs4=cs4label cs4Label=RequestID cs5= cs5Label=RequestDuration cs6= cs6Label=UserCountryCode cat=AUDIT deviceCustomDate1=1631726846256 deviceCustomDate1Label=DeviceUTCTime outcome= deviceFacility=authpriv sourceServiceName=O365 - Basic Auth EXTERNAL dst=10.10.10.20 dvc=10.10.1020 spid=6740 msg=[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. Password True. requestClientApplication= src=10.10.10.186 suser=johndoe@companyname.com SecureAuthIdPAppliance=server SecureAuthIdPApplianceID=appliance SecureAuthIdPCompanyID=company SecureAuthIdPPEN=ppen

Sample Parsing

metadata.event_timestamp = "2021-09-15T17:27:26.256Z"
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "SecureAuth"
metadata.product_name = "IdP"
metadata.product_version = "20.06.00.0"
metadata.product_event_type = "Post-authentication update"
metadata.description = "[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. Password True."
metadata.ingested_timestamp = "2021-09-15T17:29:55.541363Z"
additional.BrowserSession = "cs1label"
additional.DeviceUTCTime = "163172684"
additional.SecureAuthIdPPEN = "ppen"
additional.RequestID = "cs4label"
additional.device_facility = "authpriv"
additional.IPRiskScore = ""
additional.SecureAuthIdPCompanyID = "company"
additional.SecureAuthIdPApplianceID = "appliance"
additional.CompanyName = "Company Inc"
additional.AnalyzeEngineResult = ""
additional.RequestDuration = ""
principal.hostname = "NULL"
principal.user.userid = "john.doe"
principal.process.pid = "6740"
principal.ip = "10.10.10.186"
principal.administrative_domain = "domainname.com"
principal.application = "O365 - Basic Auth EXTERNAL"
target.hostname = "secureauthserver"
target.ip = "10.10.10.20"
target.administrative_domain = "domainname"
observer.ip = "10.10.10.20"
security_result.category_details = "AUDIT"
security_result.severity = "LOW"
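
The mapping table, the log sample and the sample parsing above describe one transformation: a syslog-wrapped CEF line from SecureAuth IdP becomes a set of UDM fields. The following is an added example written for this page, not SecureAuth's product code nor the actual parser behind the SECUREAUTH_SSO label. It splits the CEF header on unescaped pipes, splits the extension only where a `key=` token starts (so values with spaces such as `sourceServiceName=O365 - Basic Auth EXTERNAL` and the `msg` text survive intact), resolves the `cs1`/`cs1Label` custom-field convention into `additional.<Label>`, converts `deviceCustomDate1` from epoch milliseconds, and applies the Product Event Types table, falling back to GENERIC_EVENT. The mapping of CEF severity 0-3/4-6/7-10 to LOW/MEDIUM/HIGH and the choice between `.ip` and `.hostname` by IPv4 syntax are assumptions made here, not facts stated on the page.

```python
"""Parse a SecureAuth IdP CEF-over-syslog line into UDM-style fields.

Added example, not SecureAuth's or the page's parser code. Assumed here:
the cs/cn/cfp/deviceCustomDate + Label convention, and that CEF severity
0-3 is LOW, 4-6 MEDIUM, 7-10 HIGH.
"""
import re
from datetime import datetime, timezone

# Constructed input: the Log Sample line from this page, verbatim.
SAMPLE_LINE = (
    "<86>Sep 15 10:27:26 10.10.10.20 CEF:0|SecureAuth|IdP|20.06.00.0|40601|"
    "Post-authentication update|2|cn1=1 cn1Label=Priority cfp1= cfp1Label=IPRiskScore "
    "cs1=cs1label cs1Label=BrowserSession cs2= cs2Label=AnalyzeEngineResult "
    "cs3=Company Inc. cs3Label=CompanyName cs4=cs4label cs4Label=RequestID cs5= "
    "cs5Label=RequestDuration cs6= cs6Label=UserCountryCode cat=AUDIT "
    "deviceCustomDate1=1631726846256 deviceCustomDate1Label=DeviceUTCTime outcome= "
    "deviceFacility=authpriv sourceServiceName=O365 - Basic Auth EXTERNAL "
    "dst=10.10.10.20 dvc=10.10.1020 spid=6740 "
    "msg=[WSTrustSecurityTokenService].[BeginIssue] Validating username: "
    "johndoe@companyname.com. Password True. requestClientApplication= "
    "src=10.10.10.186 suser=johndoe@companyname.com SecureAuthIdPAppliance=server "
    "SecureAuthIdPApplianceID=appliance SecureAuthIdPCompanyID=company SecureAuthIdPPEN=ppen"
)

# Product Event Types table from this page; anything else becomes GENERIC_EVENT.
EVENT_TYPE_BY_PRODUCT_EVENT = {
    "System update (read certificate/license settings)": "STATUS_UPDATE",
    "User state update": "STATUS_UPDATE",
    "Service provider update (profile)": "STATUS_UPDATE",
    "Service provider update (membership)": "STATUS_UPDATE",
    "System update (status)": "STATUS_UPDATE",
    "Post-authentication update": "STATUS_UPDATE",
    "API update": "STATUS_UPDATE",
    "Analyze engine update (ae providers, geolocation/ipevaluation)": "STATUS_UPDATE",
}

_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (CEF:.*)$", re.S)
_PIPE = re.compile(r"(?<!\\)\|")                     # header separator unless escaped as \|
_EXT_TOKEN = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")   # split extension only before "key="
_LABELED_KEY = re.compile(r"^(cs|cn|cfp|flexString|deviceCustomDate)\d$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_cef(line):
    """Return (syslog_header, cef_header, extension_fields) for one CEF line."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    pri, ts, host, cef = m.groups()
    parts = _PIPE.split(cef, maxsplit=7)          # 7 header fields + extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    names = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    header = dict(zip(names, (p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7])))
    header["cef_version"] = header["cef_version"][4:]
    fields = {}
    for tok in _EXT_TOKEN.split(parts[7].strip()):
        key, _, val = tok.partition("=")
        fields[key] = val.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return {"pri": int(pri), "timestamp": ts, "host": host}, header, fields


def severity_label(cef_severity):
    """CEF severity is 0-10; the LOW/MEDIUM/HIGH bands are an assumption here."""
    n = int(cef_severity)
    return "LOW" if n <= 3 else "MEDIUM" if n <= 6 else "HIGH"


def epoch_ms_to_iso(ms):
    """deviceCustomDate1 is epoch milliseconds; render as UTC with ms precision."""
    ms = int(ms)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def to_udm(line):
    """Map one SecureAuth CEF line onto the UDM fields listed in this page's table."""
    syslog, hdr, f = parse_cef(line)
    udm = {
        "metadata.vendor_name": hdr["vendor"],
        "metadata.product_name": hdr["product"],
        "metadata.product_version": hdr["version"],
        "metadata.product_event_type": hdr["name"],
        "metadata.event_type": EVENT_TYPE_BY_PRODUCT_EVENT.get(hdr["name"], "GENERIC_EVENT"),
        "security_result.severity": severity_label(hdr["severity"]),
    }
    for key, val in f.items():                    # cs1 + cs1Label -> additional.BrowserSession
        if _LABELED_KEY.match(key):
            udm["additional." + f.get(key + "Label", key)] = val
    if f.get("deviceCustomDate1"):
        udm["metadata.event_timestamp"] = epoch_ms_to_iso(f["deviceCustomDate1"])
    if f.get("cs6"):                              # UserCountryCode, per the mapping table
        udm["principal.location.country_or_region"] = f["cs6"]
    for key, prefix in (("src", "principal"), ("dst", "target")):
        if f.get(key):                            # IP or hostname decides the UDM field
            udm[f"{prefix}.ip" if _IPV4.match(f[key]) else f"{prefix}.hostname"] = f[key]
    simple = {
        "suser": "principal.user.userid", "spid": "principal.process.pid",
        "msg": "metadata.description", "sourceServiceName": "principal.application",
        "cat": "security_result.category_details", "SecureAuthIdPAppliance": "target.hostname",
        "requestClientApplication": "network.http.user_agent",
        "deviceFacility": "additional.device_facility",
        "SecureAuthIdPApplianceID": "additional.SecureAuthIdPApplianceID",
        "SecureAuthIdPCompanyID": "additional.SecureAuthIdPCompanyID",
        "SecureAuthIdPPEN": "additional.SecureAuthIdPPEN",
    }
    for key, udm_key in simple.items():
        if f.get(key):                            # empty values such as "outcome=" are dropped
            udm[udm_key] = f[key]
    udm["observer.ip" if _IPV4.match(syslog["host"]) else "observer.hostname"] = syslog["host"]
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE_LINE).items()):
        print(f"{k} = {v!r}")
```

Run against the page's sample line this yields `metadata.event_timestamp = "2021-09-15T17:27:26.256Z"`, `additional.BrowserSession = "cs1label"`, `principal.ip = "10.10.10.186"`, `target.ip = "10.10.10.20"` and `security_result.severity = "LOW"`, matching the Sample Parsing block; labelled custom fields with empty values (IPRiskScore, AnalyzeEngineResult, RequestDuration) are kept as empty strings, as in the sample, while empty non-labelled keys such as `outcome=` and `requestClientApplication=` are not emitted. The userid and administrative-domain values in the Sample Parsing block are anonymised differently from the log sample, so this code leaves `suser` as-is rather than guessing at that derivation.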

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming soon