SecureLink¶
About¶
SecureLink protects mission critical systems and data with critical access management solutions.
Product Details¶
Vendor URL: SecureLink
Product Type: NAC
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Not available
Log Guide: N\A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: SECURELINK
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| REMOTE, OTP, USERNAME_PASSWORD, NETWORK | extensions.auth.mechanism |
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| inner_message | metadata.description |
| SecureLink | metadata.product_name |
| SecureLink | metadata.vendor_name |
| resource_name | network.application_protocol |
| http_method | network.http.method |
| uri | network.http.referral_url |
| response_code | network.http.response_code |
| user_agent | network.http.user_agent |
| TCP | network.ip_protocol |
| sessionId | network.session_id |
| host | principal.hostname |
| src_ip | principal.ip |
| port | principal.port |
| process_id | principal.process.pid |
| name | principal.user.display_name |
| email_address | principal.user.email_addresses |
| email_address | principal.user.email_addresses |
| username | principal.user.userid |
| ALLOW, BLOCK | security_result.action |
| AUTH_VIOLATION | security_result.category |
| action_description | security_result.description |
| ERROR, CRITICAL, INFORMATIONAL, LOW, MEDIUM, HIGH | security_result.severity |
| reason | security_result.summary |
| application | target.application |
| pwd | target.file.full_path |
| target_host | target.hostname |
| dst_ip | target.ip |
| command | target.process.command_line |
| SETTING | target.resource.type |
| username | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| ADMIN, CHROND | NETWORK_CONNECTION |
| ADMIN | SETTING_DELETION |
| ADMIN | SETTING_MODIFICATION |
| sshd, systemd, journal, suricata | STATUS_UPDATE |
| AUDIT, ADMIN | USER_CHANGE_PASSWORD |
| ADMIN | USER_CHANGE_PERMISSIONS |
| ADMIN | USER_CREATION |
| AUDIT, journal, sudo, sshd | USER_LOGIN |
| AUDIT, journal, sudo, sshd | USER_LOGOUT |
| ADMIN | USER_STATS |
| AUDIT, ADMIN, CHROND, systemd, sudo | USER_UNCATEGORIZED |
| all others | GENERIC_EVENT |
Log Sample¶
<83>Jul 24 21:03:50 hostname1 sshd[123456]: error: Received disconnect from 10.134.71.203 port 50467:3: com.securelink.jsch.JSchException: Auth fail [preauth]
Sample Parsing¶
extensions.auth.mechanism = "NETWORK"
extensions.auth.auth_details: "com.securelink.jsch.JSchException: Auth fail [preauth]"
metadata.description = "error: Received disconnect from 68.134.62.130 port 63072:3: com.securelink.jsch.JSchException: Auth fail [preauth]"
metadata.event_timestamp = 2023-07-24T21:03:50Z
metadata.event_type = "USER_LOGIN"
metadata.log_type = "SECURELINK"
metadata.product_name = "SecureLink"
metadata.vendor_name = "SecureLink"
principal.hostname = "hostname1"
security_result.action = "BLOCK"
target.application = "sshd"
target.ip = "10.134.71.203"
target.port = 50467
Rules¶
Coming Soon