Segura collects information and events from the environment to monitor various product metrics, including table identifiers and the status of running robots. This data can be sent to SIEM solutions for monitoring.
SIEM solutions provide a comprehensive view for Information Security administrators, allowing them to monitor activities in the IT environment through log data. SIEM uses these records to identify, categorize, and analyze incidents and events, generating security reports that cover suspicious or malicious activities.
Additionally, SIEM can send alerts through different channels such as SMS, instant messaging, email, and ticket opening if it detects potential security threats based on established configuration rules.
Alerts sent by Segura include:
- User authentication on the device.
- Remote login on the device.
- Failures in the Segura server.
- Password expiration.
Segura is compatible with the most used SIEM tools on the market and offers support for sending messages in the following formats:
- CEF
- Syslog (RFC 5424)
- Sensage
CEF messages
CEF is a message format created to standardize the sending of information to SIEM and follows the order CEF:0|MT4|Segura|3.27.0-4|336.501|UPDATE INCIDENT|9|Extensions.
| Field | Description | Example Value |
|---|---|---|
| Version | The version of the CEF format. | 0 |
| Vendor | The name of the company responsible for the product. | MT4 |
| Product | The name of the product generating the event. | Segura |
| Product version | The product version. | 3.27.0-4 |
| Event ID | The ID of the event that occurred. Each ID is unique to identify the event. | 336501 |
| Event name | The type of event that occurred. Indicates the nature of the event (e.g., "Update Incident"). | Update Incident |
| Severity | The severity of the event that occurred. Ranges from 1 (least severe) to 10 (most severe). | 9 |
Furthermore, the system presents a list of extensions that provide detailed information about the event.
RFC 5424 messages
Segura also supports syslog files that follow the RFC 5424 standard. The header of this message format contains the following fields:
- priority: according to event type
- facility: 1 (user)
- App: Segura
- procid: PID of the current process
- message: event message
Supported messages
These are some of the message formats that are native to Segura and can be exported to an external SIEM solution:
Messages Type (SUID)
| SUID | Events |
|---|---|
| 8 | Loss / Recovered Connectivity |
| 9 | Password rotation |
| 15 | Backup complete |
| 17 | Password changed |
| 153 | Session Started / Ended |
| 164 | Password visualization |
| dst | IP adress of the event's target device |
| dhost | Hostname of the device affected by the event |
Backup
| Key | Example | Description |
|---|---|---|
| msg | Backup sent to server ’localhost:/srv/backup’ via local | |
| suid | Message Type | |
| sname | Asynchronous Script: 8 | Backup Script ID |
| suser | Not applicable | |
| spid | Notification's Unique ID | |
| dhost | localhost | Name of the backup server |
Lost Connectivity
| Key | Example | Description |
|---|---|---|
| msg | Localhost appliance (127.0.0.1) has lost SSH connectivity | |
| suid | Message Type | |
| sname | Asynchronous Script9 | Name of user who has lost connectivity |
| suser | Not applicable | |
| spid | Notification's Unique ID | |
| dst | .0.1 | Device's IP address |
| dhost | localhost | Name of the backup server |
| dport | Device’s Port |
Restored Connectivity
| Key | Example | Description |
|---|---|---|
| msg | Localhost appliance (127.0.0.1) has recovered SSH connectivity | |
| suid | Message Type | |
| sname | Asynchronous Script: 9 | Name of the user whose connection was lost |
| suser | Not applicable | |
| spid | Notification's Unique ID | |
| dst | .0.1 | Device's IP address |
| dhost | localhost | Name of the backup server |
| dport | Device’s Port |
Password changed
| Key | Example | Description |
|---|---|---|
| msg | Password localhost (127.0.0.1) - Domain User - root changed by user stlee | Event message |
| suid | Notification's Unique ID | |
| sname | Stephen Lee | User that changed the password |
| suser | Not applicable | |
| spid | Notification's Unique ID | |
| duser | root | Username of the changed password |
| duid | Not applicable | |
| dst | .0.1 | Device's IP address |
| dhost | localhost | Name of the password's device |
Password visualization
| Key | Example | Description |
|---|---|---|
| msg | Password localhost (127.0.0.1) - Domain User - root changed by user stlee | Event message |
| suid | Message Type | |
| sname | Stephen Lee | User that viewed the password |
| suser | Not applicable | |
| spid | Notification's Unique ID | |
| duser | root duid=35 | Username of the password |
| dst | .0.1 | IP address of the password's device |
| dhost | localhost | Name of the password's device |
Session Ended
| Key | Example | Description |
|---|---|---|
| msg | Session terminated for localhost (127.0.0.1) - Privileged Domain User - srv_admin by the user Stephen Lee (stlee) | Event message |
| suid | Message type | |
| sname | Stephen Lee | User that terminated the session |
| suser | stlee | Login details of the user that terminated the session |
| spid | Notification's Unique ID | |
| dst | .0.1 | Device’s IP address |
| dport | Device’s Port | |
| duser | srv_admin | Login used in the remote session |
Session Started
| Key | Example | Description |
|---|---|---|
| msg | Session started for localhost (127.0.0.1) - Privileged Domain User - root by the user Stephen Lee (stlee) | Event message |
| suid | Message type | |
| sname | Stephen Lee | User login details |
| suser | stlee | Login details of the user that started the session |
| spid | Notification's Unique ID | |
| dst | .0.1 | Device’s IP address |
| dpt | Device’s Port | |
| duser | root | Login used in the remote session |
Exchange performed
| Key | Example | Description |
|---|---|---|
| msg | Session terminated for localhost (127.0.0.1) - Privileged Domain User - by the user Stephen Lee (stlee) | Event message |
| suid | Message Type | |
| sname | Asynchronous Script: 17 | Password change script ID |
| suser | Not applicable | |
| spid | Message type | |
| dst | .0.1 | Device’s IP address |
| duser | root | User associated with the changed password |
Command Execution and Auditing
| Key | Example | Description |
|---|---|---|
| msg | An audited command has been detected! Action: ”[system action]” | Event message |
| suid | User logged in | |
| sname | Stephen Lee | User that started the session |
| suser | stlee | Login details of the user that started the session |
| spid | Not applicable | |
| dst | Not applicable | |
| dpt | Not applicable | |
| duser | Not applicable |
Privileged Information visualization
| Key | Example | Description |
|---|---|---|
| msg | Access detected to ’my example’. | |
| suid | Logged User | |
| sname | Stephen Lee | User that started the session |
| suser | stlee | Login of the user that started the session |
| spid | Message Type | |
| dst | Not applicable | |
| dpt | Not applicable | |
| duser | Not applicable |
Changes in Privileged Information
| Key | Example | Description |
|---|---|---|
| msg | Information ’my example’ has been changed. | |
| suid | Logged user | |
| sname | Stephen Lee | User that started the session |
| suser | stlee | Login details of the user that started the session |
| spid | Message Type | |
| dst | Not applicable | |
| dpt | Not applicable | |
| duser | Not applicable |
Password Request
| Key | Example | Description |
|---|---|---|
| msg | User ’Stephen Lee’ has made a request. Request Details: View password action for cqss credential on win2012 device (192.168.10.156) | Event message |
| suid | Logged User | |
| sname | Stephen Lee | Name of the logged user |
| suser | stlee | Logged user’s username |
| spid | Process ID | |
| dst | .10.156 | Target IP address |
| dpt | Not applicable | |
| duser | cqss | Requested user |
| cs1Label | GMUD | Field label |
| cs1 | File ID | |
| cs2Label | Validity Start | Field label |
| cs2 | -01-19 10:41:00 | Date and time the request was sent |
| cs3Label | Validity End | Field label |
| cs3 | -01-19 11:41:00 | Date and time the request expires |
| cs4Label | Approver | Field label |
| cs4 | Administrator | Approver |
| cs5Label | Requester | Field label |
| cs5 | Stephen | Requesting user |
| Cs6 | Action | Field label |
| Cs7 | View password | Description of the Action |
Approved request
| Key | Example | Description |
|---|---|---|
| msg | Application approved by Administrator on 19/01/2017 10:44:30. Code: S000296 Requestor: Steven Lee Requested on: 19/01/2017 10:44:13 Request detail: View password action for cqss credential on device win2012 (192.168.10.156) | Event message |
| suid | Logged User | |
| sname | Leia West | Name of the logged user |
| suser | lwest | Logged user’s username |
| spid | Process ID | |
| dst | .10.156 | Target IP address |
| dpt | Not used | |
| duser | cqss | User associated with the requested credential |
| cs1Label | GMUD | Field label |
| cs1 | File ID | |
| cs2Label | Validity Start | Field label |
| cs2 | -01-19 10:41:00 | Date and time the request was sent |
| cs3Label | Validity End | Field label |
| cs3 | -01-19 11:41:00 | Date and time the request expires |
| cs4Label | Approver | Field label |
| cs4 | Administrator | Approver |
| cs5Label | Requester | Field label |
| cs5 | Steven Lee | Requesting User |
| cs6Label | Action | Field label |
| cs6 | View password | Description of the Action |
| dst | .10.156 | Target IP |
| dpt | Not used | |
| duser | cqss | Login details of the requested user |
| cs1Label | GMUD | Field label |
| cs1 | File ID | |
| cs2Label | Validity Start | Field label |
| cs2 | -01-19 10:41:00 | Date and time the request was sent |
| cs3Label | Validity End | Field label |
| cs3 | -01-19 11:41:00 | Date and time the request expires |
| cs4Label | Approver | Field label |
| cs4 | Administrator | Approver |
| cs5Label | Requester | Field label |
| cs5 | Leia West | Requesting user |
| Cs6 | Action | Field Label |
| Cs7 | View password | Description of the Action |
Command Detected - Block and Stop Session
| Key | Example | Description |
|---|---|---|
| msg | An audited command has been detected! Action: blocked the command and terminated the session | Event message |
| suid | Logged user | |
| sname | Caleb | Senhasgura user who started the session |
| suser | caleb | Username of the user that started the session |
| spid | Message type | |
| dst | .0.1 | Target IP |
| dpt | Port used | |
| duser | usrmanut | User associated with the target device |
Command Detected - Block
| Key | Example | Description |
|---|---|---|
| msg | An audited command has been detected! Action: Notification sent and command allowed | Event message |
| suid | Logged user | |
| sname | Caleb | User that started the session |
| suser | caleb | Username of the user that started the session |
| spid | Message type | |
| dst | .0.1 | Target IP |
| dpt | Port used | |
| duser | usrmanut | User that started the session |
Password change error
| Key | Example | Description |
|---|---|---|
| msg | Error changing password ’Windows SQL Test Remote App (192.168.30.55) - Domain User – ’stleeadm’: The device ’Windows SQL Test Remote App (192.168.30.55)’ has no Windows RPC connectivity | Event message |
| suid | Logged user | |
| sname | Stephen Lee | Name of the user that started the session |
| suser | stlee | Username of the user that started the session |
| spid | Message type | |
| dst | .30.55 | Target IP |
| dpt | Not applicable | |
| duser | stleeadm | User that started the session |
Changes in stored file
| Key | Example | Description |
|---|---|---|
| msg | A session file has been modified! | |
| suid | Logged user | |
| sname | Asynchronous Script: 12 | Name of the logged user |
| suser | asc_12 | Username of the logged user |
| spid | Process ID | |
| dst | Not applicable | |
| dpt | Not applicable | |
| duser | Not applicable | |
| cs1Label | Id | Field Label |
| cs1 | File ID | |
| cs2Label | Initial Size | Field Label |
| cs2 | cs2 | |
| cs3Label | Final size | Field label |
| cs3 | Final file size in bytes | |
| cs4Label | Initial Checksum | Field label |
| cs4 | f5751777b74f8e2f2… | Previously file checksum |
| cs5Label | Final Checksum | Field’s Label |
| cs5 | 284f1555574548901… | File's previous Checksum |
Master Key - Users who have viewed their part of the key
| Key | Example | Description |
|---|---|---|
| msg | The user accessed his part of the key. | |
| suid | Logged user | |
| sname | Stephen Lee | Name of the logged user |
| suser | stlee | Username of the user that started the session |
| Method | POST | |
| act | User has seen his part of the key | |
| ServiceName | Backup |
Master Key - User downloads a PDF file with his part of the key
| Key | Example | Description |
|---|---|---|
| msg | The User downloaded the PDF with his part of the key. | |
| suid | User logged | |
| sname | Stephen Lee | Name of the logged user |
| suser | stlee | Username of the user that started the session |
| Method | POST | |
| act | The user downloaded the PDF with his part of the key source | |
| ServiceName | Backup |
Master Key - Key Ceremony Initiated
| Key | Example | Description |
|---|---|---|
| msg | The key ceremony process started. | |
| suid | Logged user | |
| sname | José da Silva | Name of the logged user |
| suser | jsilva | Username of the user that started the session |
| spriv | Administrator | |
| Method | POST | Fixed value |
| act | Ceremony process started | Performed action |
| ServiceName | Backup |
Master Key - Key Ceremony Ended
| Key | Example | Description |
|---|---|---|
| msg | Ceremony process completed. | |
| suid | Logged user | |
| sname | José da Silva | Name of the logged user |
| suser | jsilva | Username of the user that started the session |
| spriv | Administrator | |
| Method | GET | |
| act | Ceremony process completed | |
| ServiceName | Backup |
Master Key - Inactive Master key Guardian
| Key | Example | Description |
|---|---|---|
| msg | The master key guardian is currently inactive. | |
| suid | Logged user's ID | |
| sname | Jane Doe | Username |
| suser | jdoe | User's username |
| spriv | User | application layer |
| dvc | .225.14 | Device's IPv4 Host |
| spid | internal PID | |
| act | Incident | Performed action |
| dproc | master_key_guardian | Name of the target process |
Master Key - Failed recovery
| Key | Example | Description |
|---|---|---|
| msg | The recovery attempt has failed. | Invalid key parts |
| requestMethod | POST | Fixed value |
| act | Failed recovery attempt | Type of recovery failure |
| sourceServiceName | Master Key | Operation module |
| originIP | .148.162 | Requesting user's IP address |
| country | Brazil | User's geolocation: country |
| state | Sao Paulo | User's geolocation: state |
| city | Taboao da Serra | User's geolocation: city |
| latitude | User's geolocation: GPS latitude | |
| longitude | User's geolocation: GPS longitude | |
| partsNeeded | Key parts necessary for recovery | |
| partsSent | Number of attempts with the key parts sent | |
| suid | Logged user's ID | |
| sname | Logged user's name | |
| suser | Logged user's username | |
| spriv | User | Application layer |
| dvc | .2.17 | Device's IPv4 host |
| spid | Internal PID | |
| src | .0.1 | Source IP Address |
| act | Incident | Performed Action |
| dproc | master_key_guardian | Name of the target proccess |
Master Key - Successful recovery
| Key | Example | Description |
|---|---|---|
| msg | Successful recovery attempt. | The key parts have been validated |
| requestMethod | POST | Fixed value |
| act | Successful recovery attempt | Type of successful recovery |
| sourceServiceName | Master Key | Operation module |
| originIP | .10.13 | Requesting user's IP address |
| country | Brazil | User's geolocation: country |
| state | Sao Paulo | User's geolocation: state |
| city | Taboao da Serra | User's geolocation: city |
| latitude | User's geolocation: GPS latitude | |
| longitude | User's geolocation: GPS longitude | |
| partsNeeded | Key parts necessary for recovery | |
| partsSent | Number of attempts with the key parts sent | |
| suid | Logged user's ID | |
| sname | Logged user's name | |
| suser | Logged user's username | |
| spriv | User | Application layer |
| dvc | .10.20 | Device's IPv4 host |
| spid | Internal PID | |
| src | .10.13 | Source IP Address |
| act | Incident | Performed Action |
| dproc | master_key_guardian | Name of the target process |
Reports - Schedule Email
| Key | Example | Description |
|---|---|---|
| dvc | .20.30 | Segura Server's IP |
| spid | Process ID in the Operating System | |
| src | .20.10 | IP address of the user that performed the operation |
| suid | ID of the user that performed the operation | |
| sname | John Doe | Name of the user that performed the operation |
| suser | jdoe | Username of the user who performed the operation |
| spriv | Administrator | Privileged user used to perform the operation |
| msg | Report scheduling - Creation | Performed operation |
| requestMethod | POST | HTTP method used |
| act | Report scheduling - Creation | Performed operation |
| sourceServiceName | Report scheduling | Operation category |
| cs1Label | User | Label for requesting User |
| cs1 | John Doe | Requesting User |
| cs2Label | User ID | User ID Label |
| cs2 | User ID | |
| cs3Label | Schedule | Label for the name of the schedule |
| cs3 | My schedule | Schedule Name |
| cs4Label | Schedule ID | Label for the Schedule ID |
| cs4 | Schedule ID | |
| cs5Label | Added reports | Label for the added reports |
| cs5 | Settings ➔ Authentication ➔ Multi-factor authentication ➔ Providers | Added reports |
| cs7Label | Added users | Label for the added users |
| cs7 | jdoe - John Doe | Users who will receive the notification |
Reports - Update a Schedule
| Key | Example | Description |
|---|---|---|
| dvc | .20.30 | Segura Server's IP address |
| spid | Process ID in Operating System | |
| src | .20.10 | IP address of the user that performed the operation |
| suid | ID of the user that performed the operation | |
| sname | John Doe | Name of the user that performed the operation |
| suser | jdoe | Username of the user that performed the operation |
| spriv | Administrator | Privileged user used to perform the operation |
| msg | Report scheduling - Update | Performed operation |
| requestMethod | POST | HTTP method used |
| act | Report scheduling - Update | Performed operation |
| sourceServiceName | Report scheduling | Operation category |
| cs1Label | User | Label for requesting user name |
| cs1 | John Doe | Requesting User |
| cs2Label | User ID | User ID Label |
| cs2 | User ID | |
| cs3Label | Schedule | Label for the name of the schedule |
| cs3 | My schedule | Schedule Name |
| cs4Label | Schedule ID | Label for the Schedule ID |
| cs4 | Schedule Name | |
| cs5Label | Added reports | Label for the added reports |
| cs5 | None | Added reports |
| cs6Label | Removed reports | Label for the removed reports |
| cs6 | None | Removed reports |
| cs7Label | Added users | Label for the added users |
| cs7 | None | Added Users |
| cs8Label | Removed users | Label for the removed users |
| cs8 | None | Removed users |
Reports - Delete
| Key | Example | Description |
|---|---|---|
| dvc | .20.30 | Segura Server's IP |
| spid | Process ID in the Operating System | |
| src | .20.10 | IP address of the user that performed the operation |
| suid | ID of the user that performed the operation | |
| sname | John Doe | Name of the user that performed the operation |
| suser | jdoe | Username of the user that performed the operation |
| spriv | Administrator | Privileged user used to perform the operation |
| msg | Report scheduling - Deletion | Performed operation |
| requestMethod | POST | HTTP method used |
| act | Report scheduling - Deletion | Performed operation |
| sourceServiceName | Report scheduling | Operation category |
| cs1Label | User | Label for Requesting User |
| cs1 | John Doe | Requesting User |
| cs2Label | User ID | User ID Label |
| cs2 | User ID | |
| cs3Label | Schedule | Label for the name of this schedule |
| cs3 | My schedule | Schedule Name |
| cs4Label | Schedule ID | Label for the Schedule ID |
| cs4 | Schedule ID |