Silverfort

About

Silverfort enables Multi-Factor Authentication (MFA), Risk-Based Authentication (RBA) and Zero Trust policies across all sensitive corporate and cloud assets, including systems that couldn’t be protected until today – without requiring any agents, proxies or code changes. In addition, Silverfort extends protection to interfaces and access tools that currently allow attackers to bypass all other MFA solutions (Remote PowerShell, PsExec, etc.)

Product Details

Vendor URL: Silverfort

Product Type: Identity/Access Management

Product Tier: Tier II

Integration Method: Syslog

Integration URL: [N/A]

Log Guide: [N/A]

Parser Details

Log Format: CEF

Expected Normalization Rate: Near 100%

Data Label: SILVERFORT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field           UDM Field
app                      principal.application
column2                  security_result.description
column3                  security_result.summary
cs1                      security_result.severity
cs1                      security_result.severity_details
cs2                      security_result.action
cs2                      security_result.action_details
cs3                      security_result.detection_fields.value
cs4                      security_result.rule_name
cs5                      security_result.detection_fields.value
cs6                      security_result.detection_fields.value
cs7                      security_result.detection_fields.value
description              metadata.description
destinationServiceName   target.application
dhost                    target.hostname
dntdom                   target.administrative_domain
dntdomain                target.administrative_domain
meta_type                metadata.product_event_type
observer_host            observer.hostname
shost                    principal.hostname
sntdom                   principal.administrative_domain
src                      principal.ip
suser                    principal.user.userid
version                  metadata.product_version

Product Event Types

meta_type        metadata.event_type
all others       GENERIC_EVENT
Authentication   USER_LOGIN

Log Sample

<134>Jan  6 19:37:11 observer CEF:0|Silverfort|Admin Console|4.0.102.0|Authentication|Authentication request|2|rt=01/06/2022 19:37:09.218 suser=svcacct sntdom=zone shost=hostname src=null destinationServiceName=n/a dhost=assetname dntdom=zone app=NTLM cs1Label=SilverfortReqRisk cs1=High cs2Label=SilverfortReqResult cs2=Allowed cs3Label=SilverfortPolicyAction cs3=n/a cs4Label=SilverfortPolicy cs4=n/a cs5Label=SilverfortMfaResponse cs5=n/a cs6Label=SilverfortMfaResponseTime cs6=n/a cs7Label=SilverfortReqRiskIndicators cs7=User is at critical risk,Service account interactive login,Privileged user,Suspected service account,Shared user

Sample Parsing

metadata.event_timestamp = "2022-01-06T19:37:11Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "vendor"
metadata.product_name = "Silverfort"
metadata.product_version = "4.0.102.0"
metadata.product_event_type = "Authentication"
metadata.description = "Authentication request"
metadata.ingested_timestamp = "2022-01-06T19:37:19.945978Z"
principal.hostname = "hostname"
principal.user.userid = "svcacct"
principal.administrative_domain = "zone"
principal.application = "NTLM"
principal.asset.hostname = "hostname"
target.hostname = "assetname"
target.administrative_domain = "zone"
target.application = "n/a"
target.asset.hostname = "assetname"
observer.hostname = "observer"
security_result.rule_name = "n/a"
security_result.summary = "Privileged user"
security_result.description = "Service account interactive login"
security_result.action = "ALLOW"
security_result.severity = "HIGH"
security_result.severity_details = "High"
security_result.action_details = "Allowed"
security_result.detection_fields.key = "SilverfortPolicyAction"
security_result.detection_fields.value = "n/a"
security_result.detection_fields.key = "SilverfortMfaResponse"
security_result.detection_fields.value = "n/a"
security_result.detection_fields.key = "SilverfortMfaResponseTime"
security_result.detection_fields.value = "n/a"
security_result.detection_fields.key = "SilverfortReqRiskIndicators"
security_result.detection_fields.value = "User is at critical risk,Service account interactive login,Privileged user,Suspected service account,Shared user"
extensions.auth.mechanism = "USERNAME_PASSWORD"
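The mapping above, as an added example that is not the Chronicle parser itself: a small Python CEF reader that splits the syslog-wrapped CEF:0 header, pairs each csNLabel with its csN value, and applies this page's field table to the sample event. The Low/Medium severity rows, the UNKNOWN_* fallback enums, and reading column2/column3 as the second and third comma-separated risk indicators are assumptions taken from the sample parsing, not from a published spec.

```python
import re
# Constructed copy of the page's sample event (syslog PRI + timestamp + observer, then CEF:0).
SAMPLE = ("<134>Jan  6 19:37:11 observer CEF:0|Silverfort|Admin Console|4.0.102.0|Authentication|"
          "Authentication request|2|rt=01/06/2022 19:37:09.218 suser=svcacct sntdom=zone shost=hostname src=null "
          "destinationServiceName=n/a dhost=assetname dntdom=zone app=NTLM cs1Label=SilverfortReqRisk cs1=High "
          "cs2Label=SilverfortReqResult cs2=Allowed cs3Label=SilverfortPolicyAction cs3=n/a cs4Label=SilverfortPolicy "
          "cs4=n/a cs5Label=SilverfortMfaResponse cs5=n/a cs6Label=SilverfortMfaResponseTime cs6=n/a "
          "cs7Label=SilverfortReqRiskIndicators cs7=User is at critical risk,Service account interactive login,Privileged user,Suspected service account,Shared user")

SYSLOG_RE = re.compile(r"^<\d+>\S+\s+\d+\s+\S+\s+(?P<observer>\S+)\s+CEF:0\|")
# An extension value runs until the next " key=" token, so values may contain spaces and commas.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
SEVERITY = {"Low": "LOW", "Medium": "MEDIUM", "High": "HIGH"}  # Low/Medium assumed; High is from the page
ACTION = {"Allowed": "ALLOW"}                                   # the only value present in the sample

def parse_cef(line):
    """Split a syslog-wrapped CEF:0 line into its header fields and an extension dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF:0 line")
    # Six pipe-separated header fields follow "CEF:0|"; everything after the sixth pipe is the extension.
    vendor, product, version, sig_id, name, severity, ext = line[m.end():].split("|", 6)
    return {"observer": m.group("observer"), "vendor": vendor, "product": product, "version": version,
            "sig_id": sig_id, "name": name, "severity": severity, "ext": dict(EXT_RE.findall(ext))}

def to_udm(ev):
    """Apply this page's field table to a parsed event and return a flat UDM-style dict."""
    ext = ev["ext"]
    indicators = ext.get("cs7", "").split(",")  # column2/column3 = 2nd/3rd risk indicator (assumed from the sample)
    labelled = [(ext[f"cs{n}Label"], ext[f"cs{n}"]) for n in (3, 5, 6, 7) if f"cs{n}Label" in ext]
    return {
        "metadata.event_type": "USER_LOGIN" if ev["sig_id"] == "Authentication" else "GENERIC_EVENT",
        "metadata.product_name": ev["product"], "metadata.product_version": ev["version"],
        "metadata.product_event_type": ev["sig_id"], "metadata.description": ev["name"],
        "observer.hostname": ev["observer"],
        "principal.user.userid": ext.get("suser"), "principal.hostname": ext.get("shost"),
        "principal.administrative_domain": ext.get("sntdom"), "principal.application": ext.get("app"),
        "principal.ip": None if ext.get("src") in (None, "null") else ext["src"],  # literal "null" is dropped
        "target.hostname": ext.get("dhost"), "target.administrative_domain": ext.get("dntdom"),
        "target.application": ext.get("destinationServiceName"),
        "security_result.rule_name": ext.get("cs4"),
        "security_result.severity": SEVERITY.get(ext.get("cs1"), "UNKNOWN_SEVERITY"),
        "security_result.severity_details": ext.get("cs1"),
        "security_result.action": ACTION.get(ext.get("cs2"), "UNKNOWN_ACTION"),
        "security_result.action_details": ext.get("cs2"),
        "security_result.description": indicators[1] if len(indicators) > 1 else None,
        "security_result.summary": indicators[2] if len(indicators) > 2 else None,
        "security_result.detection_fields": labelled,  # (label, value) pairs, order preserved
    }
```

Running `to_udm(parse_cef(SAMPLE))` reproduces the Sample Parsing values above; an event whose cs1 or cs2 carries a value outside the two maps falls back to the UNKNOWN_* enum instead of failing.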

Parser Alerting

This product currently does not have any Parser-based Alerting