Silverfort¶
About¶
Silverfort enables Multi-Factor Authentication (MFA), Risk-Based Authentication (RBA) and Zero Trust policies across all sensitive corporate and cloud assets, including systems that couldn’t be protected until today – without requiring any agents, proxies or code changes. In addition, Silverfort extends protection to interfaces and access tools that currently allow attackers to bypass all other MFA solutions (Remote PowerShell, PsExec, etc.)
Product Details¶
Vendor URL: Silverfort
Product Type: Identity/Access Management
Product Tier: Tier II
Integration Method: Syslog
Integration URL: [N/A]
Log Guide: [N/A]
Parser Details¶
Log Format: CEF
Expected Normalization Rate: Near 100%
Data Label: SILVERFORT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| app | principal.application |
| column2 | security_result.description |
| column3 | security_result.summary |
| cs1 | security_result.severity |
| cs1 | security_result.severity_details |
| cs2 | security_result.action |
| cs2 | security_result.action_details |
| cs3 | security_result.detection_fields.value |
| cs4 | security_result.rule_name |
| cs5 | security_result.detection_fields.value |
| cs6 | security_result.detection_fields.value |
| cs7 | security_result.detection_fields.value |
| description | metadata.description |
| destinationServiceName | target.application |
| dhost | target.hostname |
| dntdom | target.administrative_domain |
| dntdomain | target.administrative_domain |
| meta_type | metadata.product_event_type |
| observer_host | observer.hostname |
| shost | principal.hostname |
| sntdom | principal.administrative_domain |
| src | principal.ip |
| suser | principal.user.userid |
| version | metadata.product_version |
Product Event Types¶
| meta_type | metadata.event_type |
|---|---|
| all others | GENERIC_EVENT |
| Authentication | USER_LOGIN |
Log Sample¶
<134>Jan 6 19:37:11 observer CEF:0|Silverfort|Admin Console|4.0.102.0|Authentication|Authentication request|2|rt=01/06/2022 19:37:09.218 suser=svcacct sntdom=zone shost=hostname src=null destinationServiceName=n/a dhost=assetname dntdom=zone app=NTLM cs1Label=SilverfortReqRisk cs1=High cs2Label=SilverfortReqResult cs2=Allowed cs3Label=SilverfortPolicyAction cs3=n/a cs4Label=SilverfortPolicy cs4=n/a cs5Label=SilverfortMfaResponse cs5=n/a cs6Label=SilverfortMfaResponseTime cs6=n/a cs7Label=SilverfortReqRiskIndicators cs7=User is at critical risk,Service account interactive login,Privileged user,Suspected service account,Shared user
Sample Parsing¶
metadata.event_timestamp = "2022-01-06T19:37:11Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "vendor"
metadata.product_name = "Silverfort"
metadata.product_version = "4.0.102.0"
metadata.product_event_type = "Authentication"
metadata.description = "Authentication request"
metadata.ingested_timestamp = "2022-01-06T19:37:19.945978Z"
principal.hostname = "hostname"
principal.user.userid = "svcacct"
principal.administrative_domain = "zone"
principal.application = "NTLM"
principal.asset.hostname = "hostname"
target.hostname = "assetname"
target.administrative_domain = "zone"
target.application = "n/a"
target.asset.hostname = "assetname"
observer.hostname = "observer"
security_result.rule_name = "n/a"
security_result.summary = "Privileged user"
security_result.description = "Service account interactive login"
security_result.action = "ALLOW"
security_result.severity = "HIGH"
security_result.severity_details = "High"
security_result.action_details = "Allowed"
security_result.detection_fields.key = "SilverfortPolicyAction"
security_result.detection_fields.value = "n/a"
security_result.detection_fields.key = "SilverfortMfaResponse"
security_result.detection_fields.value = "n/a"
security_result.detection_fields.key = "SilverfortMfaResponseTime"
security_result.detection_fields.value = "n/a"
security_result.detection_fields.key = "SilverfortReqRiskIndicators"
security_result.detection_fields.value = "User is at critical risk,Service account interactive login,Privileged user,Suspected service account,Shared user"
extensions.auth.mechanism = "USERNAME_PASSWORD"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon