# Swift Alliance Messaging Hub

## About
Alliance Messaging Hub (AMH) is a modular, multi-network, financial messaging solution. Fully customisable and highly resilient, it uses the latest technology to manage messages and files for various networks in parallel, providing extensive throughput and sophisticated data management.
## Product Details
Vendor URL: Swift Alliance Messaging Hub
Product Type: financial messaging solution
Product Tier: Tier III
Integration Method: Syslog
## Parser Details
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: SWIFT_AMH
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| custom logic | metadata.event_type |
| cn1 | metadata.product_log_id |
| static | metadata.product_name |
| custom filter | metadata.product_version |
| cat | metadata.product_event_type |
| static | metadata.vendor_name |
| custom filter | observer.hostname |
| custom filter | observer.ip |
| dvchost | principal.asset.hostname |
| dvc | principal.asset.ip |
| dvcmac | principal.asset.mac |
| cs1 | principal.asset.product_object_id |
| dvchost | principal.hostname |
| dvc | principal.ip |
| dvcmac | principal.mac |
| deviceProcessName | principal.process.file.names |
| custom logic | security_result.category_details |
| custom filter | target.hostname |
| custom filter | target.ip |
| custom filter | target.port |
| custom filter | target.url |
| suid | target.user.userid |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| LdapProxy connection, Connection to host | NETWORK_CONNECTION |
| signed on | USER_LOGIN |
| signed off | USER_LOGOUT |
| All Others | GENERIC_EVENT |
## Log Sample

```
Oct 10 17:57:49 hostname1 process_name: CEF:0|SWIFT|Alliance Access|7.6.52|AAA-1000|Signoff|Low|cn1=11112222111 cn1Label=Event Sequence ID cn2=0 cn2Label=Is Alarm cs1=aaaaaa1-a382-2223-81v3-c3c16f155555 cs1Label=Instance UUID cs2=aaee00c0-7c8a-421c-a6ec-22414fa0d0bc cs2Label=Correlation ID cs4=aaalNGVleQ6Ku2u3WfaaaNHLR0LGm111x+i6NMNgp2naa cs4Label=Session ID cs5=Security cs5Label=Event Type cat=Operator msg=Operator username1 : signed off from the terminal '10.0.0.1'. suid=username1 dvchost=hostname1 dvc=10.0.0.2 dvcmac=00:a0:e6:cf:0a:2d deviceProcessName=process_name src=10.0.0.1 dtz=America/New_York rt=1665439069000
```
## Sample Parsing

```
metadata.event_type = "USER_LOGOUT"
metadata.vendor_name = "Swift"
metadata.product_name = "Alliance Web Platform"
metadata.product_version = "7.6.52"
metadata.product_event_type = "Operator"
principal.hostname = "hostname1"
principal.process.file.names = "process_name"
principal.ip = "10.0.0.2"
principal.mac = "00:a0:e6:cf:0a:2d"
principal.asset.product_object_id = "aaaaaa1-a382-2223-81v3-c3c16f155555"
principal.asset.hostname = "hostname1"
principal.asset.ip = "10.0.0.2"
principal.asset.mac = "00:a0:e6:cf:0a:2d"
target.user.userid = "username1"
target.ip = "10.0.0.1"
target.asset.ip = "10.0.0.1"
observer.hostname = "hostname1"
security_result.category_details = "Signoff"
security_result.description = "Operator username1 : signed off from the terminal '10.0.0.1'."
security_result.severity = "LOW"
```
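The following is an added illustration, not the product's parser: a minimal Python reimplementation of the mapping above that splits the CEF header, extracts the extension key/value pairs (free-text values such as `msg` contain spaces, so a value runs until the next ` key=` token), classifies the event per the Product Event Types table, and emits the UDM fields. The sample line is constructed from the page's log sample; matching the event text against `msg`, taking `target.ip` from `src` and `observer.hostname` from `dvchost` are assumptions, since the page lists those as custom filters.

```python
import re

# Constructed sample in the CEF-over-syslog format this page documents
# (placeholder hosts, addresses and identifiers).
SAMPLE = (
    "Oct 10 17:57:49 hostname1 process_name: CEF:0|SWIFT|Alliance Access|7.6.52|AAA-1000|"
    "Signoff|Low|cn1=11112222111 cn1Label=Event Sequence ID "
    "cs1=aaaaaa1-a382-2223-81v3-c3c16f155555 cs1Label=Instance UUID cat=Operator "
    "msg=Operator username1 : signed off from the terminal '10.0.0.1'. suid=username1 "
    "dvchost=hostname1 dvc=10.0.0.2 dvcmac=00:a0:e6:cf:0a:2d deviceProcessName=process_name "
    "src=10.0.0.1 rt=1665439069000"
)

# A value extends up to the next " key=" token (or end of line), so msg keeps its
# embedded spaces. Assumes no escaped "\=" / "\|" sequences, as in the sample.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def classify(msg):
    """Map event text to a UDM event type per the Product Event Types table."""
    m = msg.lower()
    if "ldapproxy connection" in m or "connection to host" in m:
        return "NETWORK_CONNECTION"
    if "signed on" in m:
        return "USER_LOGIN"
    if "signed off" in m:
        return "USER_LOGOUT"
    return "GENERIC_EVENT"


def parse_amh_syslog(line):
    """Return a flat dict of UDM field -> value for one AMH syslog/CEF line."""
    cef = line[line.index("CEF:"):]
    # Seven pipe-delimited header fields; the remainder is the extension.
    _, _vendor, _product, version, _sig, name, severity, ext = cef.split("|", 7)
    kv = dict(EXT_RE.findall(ext))
    msg = kv.get("msg", "")
    return {
        "metadata.event_type": classify(msg),          # assumption: matched on msg
        "metadata.product_log_id": kv.get("cn1"),
        "metadata.vendor_name": "Swift",               # static, as on the page
        "metadata.product_name": "Alliance Web Platform",  # static, per the page's sample
        "metadata.product_version": version,
        "metadata.product_event_type": kv.get("cat"),
        "principal.hostname": kv.get("dvchost"),
        "principal.ip": kv.get("dvc"),
        "principal.mac": kv.get("dvcmac"),
        "principal.asset.product_object_id": kv.get("cs1"),
        "principal.process.file.names": kv.get("deviceProcessName"),
        "target.user.userid": kv.get("suid"),
        "target.ip": kv.get("src"),                    # assumption: src is the terminal IP
        "observer.hostname": kv.get("dvchost"),        # assumption
        "security_result.category_details": name,      # CEF "name" header field
        "security_result.description": msg,
        "security_result.severity": severity.upper(),
    }
```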
## Parser Alerting
No parser-based alerting exists.
## Rules
Coming Soon