SecureAuth
About
SecureAuth helps secure workforce and customer online identities for the world’s leading brands. SecureAuth’s products and services are developed around the core principle of our mission: Never compromise on security.
Product Details
Vendor URL: SecureAuth
Product Type: Authentication
Product Tier: Tier I
Integration Method: Syslog
Integration URL: n/a
Log Guide: SecureAuth Support
Parser Details
Log Format: Syslog
Data Label: SECUREAUTH_SSO
Expected Normalization Rate: 75%
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field | UDM Event Type |
---|---|---|
vendor | metadata.vendor_name | All |
product | metadata.product_name | All |
version | metadata.product_version | All |
product_event | metadata.product_event_type | All |
Defined | metadata.event_type | All |
src | principal.hostname | If Available |
src | principal.ip | If Available |
dst | target.hostname | If Available |
dst | target.ip | If Available |
dhost | target.hostname | If Available |
dhost | target.ip | If Available |
shost | principal.hostname | If Available |
shost | principal.ip | If Available |
ALLOW | security_result.action | If Available |
USERNAME_PASSWORD | extensions.auth.mechanism | If Available |
SecureAuthIdPApiResponseHTTPStatusCode | network.http.response_code | If Available |
suser | principal.user.userid | If Available |
SecureAuthIdPwstrustusername | src.user.userid | If Available |
domain2 | src.administrative_domain | If Available |
domain1 | principal.administrative_domain | If Available |
tdomain | target.administrative_domain | If Available |
request | target.url | If Available |
SecureAuthIdPAppliance | target.hostname | If Available |
SecureAuthIdPApplianceID | additional.fields | If Available |
SecureAuthIdPCompanyID | additional.fields | If Available |
SecureAuthIdPPEN | additional.fields | If Available |
deviceFacility | additional.fields | If Available |
cs1 | additional.fields | If Available |
cs2 | additional.fields | If Available |
cs3 | additional.fields | If Available |
cs4 | additional.fields | If Available |
cs5 | additional.fields | If Available |
cfp1 | additional.fields | If Available |
cfp2 | additional.fields | If Available |
cfp3 | additional.fields | If Available |
flexString1 | additional.fields | If Available |
flexString2 | additional.fields | If Available |
outcome | additional.fields | If Available |
sourceServiceName | principal.application | If Available |
deviceCustomDate1 | additional.fields | If Available |
SecureAuthIdPApiResponseMessage | additional.fields | If Available |
spid | principal.process.pid | If Available |
msg | metadata.description | If Available |
requestClientApplication | network.http.user_agent | If Available |
LOW/MEDIUM/HIGH | security_result.severity | If Available |
cn1 | additional.fields | If Available |
cs6 | principal.location.country_or_region | If Available |
cs6 | additional.fields | If Available |
STATUS_UPDATE | metadata.event_type | If Available |
observer | observer.hostname | If Available |
observer | observer.ip | If Available |
cat | security_result.category_details | If Available |
Product Event Types
Description | metadata.event_type |
---|---|
System update (read certificate/license settings) | STATUS_UPDATE |
User state update | STATUS_UPDATE |
Service provider update (profile) | STATUS_UPDATE |
Service provider update (membership) | STATUS_UPDATE |
System update (status) | STATUS_UPDATE |
Post-authentication update | STATUS_UPDATE |
(unused) | GENERIC_EVENT |
API update | STATUS_UPDATE |
Analyze engine update (ae providers, geolocation/ipevaluation) | STATUS_UPDATE |
Log Sample
<86>Sep 15 10:27:26 10.10.10.20 CEF:0|SecureAuth|IdP|20.06.00.0|40601|Post-authentication update|2|cn1=1 cn1Label=Priority cfp1= cfp1Label=IPRiskScore cs1=cs1label cs1Label=BrowserSession cs2= cs2Label=AnalyzeEngineResult cs3=Company Inc. cs3Label=CompanyName cs4=cs4label cs4Label=RequestID cs5= cs5Label=RequestDuration cs6= cs6Label=UserCountryCode cat=AUDIT deviceCustomDate1=1631726846256 deviceCustomDate1Label=DeviceUTCTime outcome= deviceFacility=authpriv sourceServiceName=O365 - Basic Auth EXTERNAL dst=10.10.10.20 dvc=10.10.1020 spid=6740 msg=[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. Password True. requestClientApplication= src=10.10.10.186 suser=johndoe@companyname.com SecureAuthIdPAppliance=server SecureAuthIdPApplianceID=appliance SecureAuthIdPCompanyID=company SecureAuthIdPPEN=ppen
Sample Parsing
metadata.event_timestamp = "2021-09-15T17:27:26.256Z"
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "SecureAuth"
metadata.product_name = "IdP"
metadata.product_version = "20.06.00.0"
metadata.product_event_type = "Post-authentication update"
metadata.description = "[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. Password True."
metadata.ingested_timestamp = "2021-09-15T17:29:55.541363Z"
additional.BrowserSession = "cs1label"
additional.DeviceUTCTime = "163172684"
additional.SecureAuthIdPPEN = "ppen"
additional.RequestID = "cs4label"
additional.device_facility = "authpriv"
additional.IPRiskScore = ""
additional.SecureAuthIdPCompanyID = "company"
additional.SecureAuthIdPApplianceID = "appliance"
additional.CompanyName = "Company Inc"
additional.AnalyzeEngineResult = ""
additional.RequestDuration = ""
principal.hostname = "NULL"
principal.user.userid = "john.doe"
principal.process.pid = "6740"
principal.ip = "10.10.10.186"
principal.administrative_domain = "domainname.com"
principal.application = "O365 - Basic Auth EXTERNAL"
target.hostname = "secureauthserver"
target.ip = "10.10.10.20"
target.administrative_domain = "domainname"
observer.ip = "10.10.10.20"
security_result.category_details = "AUDIT"
security_result.severity = "LOW"
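The normalization shown above, as an added example that is not SecureAuth's or the platform's own parser code: a small Python CEF parser that splits the header, walks the extension key/value pairs (values such as sourceServiceName and msg contain spaces), resolves the csN/cfpN/deviceCustomDateN custom fields through their matching *Label keys into additional.* entries, and converts the millisecond DeviceUTCTime into the event timestamp. The UDM field names follow the table on this page; the severity thresholds and the constant STATUS_UPDATE event type are assumptions, and the sample line is a constructed, trimmed copy of the page's log sample.

```python
import re
from datetime import datetime, timezone
# Constructed, trimmed copy of the page's log sample (one syslog line in the real feed).
SAMPLE = ('<86>Sep 15 10:27:26 10.10.10.20 CEF:0|SecureAuth|IdP|20.06.00.0|40601|Post-authentication update|2|'
          'cfp1= cfp1Label=IPRiskScore cs1=cs1label cs1Label=BrowserSession cs3=Company Inc. cs3Label=CompanyName '
          'cat=AUDIT deviceCustomDate1=1631726846256 deviceCustomDate1Label=DeviceUTCTime spid=6740 '
          'sourceServiceName=O365 - Basic Auth EXTERNAL dst=10.10.10.20 src=10.10.10.186 '
          'msg=[WSTrustSecurityTokenService].[BeginIssue] Validating username: johndoe@companyname.com. '
          'Password True. suser=johndoe@companyname.com')

# A CEF extension key is the token directly before '='. Values may contain spaces
# (see sourceServiceName and msg), so a value runs up to the start of the next key.
KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')

def parse_cef(line):
    # Returns (header dict, extension dict); header pipes are assumed to be unescaped.
    parts = line[line.index('CEF:'):].split('|', 7)
    names = ('cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')
    hdr = dict(zip(names, parts[:7]))
    ext_text = parts[7] if len(parts) > 7 else ''
    keys = list(KEY_RE.finditer(ext_text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip()
    return hdr, ext

def severity_label(cef_sev):
    # Assumed thresholds (common CEF guidance); the page only names LOW/MEDIUM/HIGH.
    s = int(cef_sev)
    return 'LOW' if s <= 3 else 'MEDIUM' if s <= 6 else 'HIGH'

def to_udm(line):
    hdr, ext = parse_cef(line)
    udm = {'metadata.vendor_name': hdr['vendor'], 'metadata.product_name': hdr['product'],
           'metadata.product_version': hdr['version'], 'metadata.product_event_type': hdr['name'],
           'metadata.event_type': 'STATUS_UPDATE', 'security_result.severity': severity_label(hdr['severity'])}
    direct = {'src': 'principal.ip', 'dst': 'target.ip', 'suser': 'principal.user.userid',
              'spid': 'principal.process.pid', 'msg': 'metadata.description',
              'sourceServiceName': 'principal.application', 'cat': 'security_result.category_details'}
    for key, field in direct.items():
        if ext.get(key):
            udm[field] = ext[key]
    # csN/cfpN/cnN/deviceCustomDateN carry their additional.* name in the matching *Label key.
    for key, label in ext.items():
        if key.endswith('Label') and label:
            udm['additional.' + label] = ext.get(key[:-5], '')
    ms = int(ext['deviceCustomDate1'])  # device UTC time in epoch milliseconds
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    udm['metadata.event_timestamp'] = ts.strftime('%Y-%m-%dT%H:%M:%S') + f'.{ms % 1000:03d}Z'
    return udm
```

Empty custom fields (cfp1= above) still produce an additional.* entry with an empty value, matching the empty IPRiskScore and RequestDuration entries in the sample parsing.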
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming soon