SIEM

senhasegura collects information and events from the environment to monitor various product metrics, including table identifiers and the status of running robots. This data can be sent to SIEM solutions for monitoring. 

SIEM solutions provide a comprehensive view for Information Security administrators, allowing them to monitor activities in the IT environment through log data. SIEM uses these records to identify, categorize, and analyze incidents and events, generating security reports that cover suspicious or malicious activities. 

Additionally, SIEM can send alerts through different channels such as SMS, instant messaging, email, and ticket opening if it detects potential security threats based on established configuration rules.

Alerts sent by senhasegura include:

  • User authentication on the device.
  • Remote login on the device.
  • Failures in the senhasegura server.
  • Password expiration.

senhasegura is compatible with the most used SIEM tools on the market and offers support for sending messages in the following formats:

  • CEF
  • Syslog (RFC 5424)
  • Sensage

CEF messages

CEF is a message format created to standardize the sending of information to SIEM. A CEF line consists of seven pipe-separated header fields (version, vendor, product, product version, event ID, event name, severity) followed by the extensions, for example: CEF:0|MT4|senhasegura|3.27.0-4|336.501|UPDATE INCIDENT|9|Extensions.

Item | Description
Version | The version of the CEF format. In the example above, we used '0'.
Vendor | The name of the company responsible for the product. In the example above, we used 'MT4'.
Product | The name of the product generating the event. In the example above, we used 'senhasegura'.
Product version | The product version. In the example above, we used '3.27.0-4'.
Event ID | The ID of the event that occurred. Each ID is unique to identify the event. In the example above, we used '336501'.
Event name | The type of event that occurred. In the example above, we used 'Update Incident' to indicate that an update incident has occurred.
Severity | The severity of the event that occurred. The sequence goes from 1 to 10. The higher the number, the more serious the incident.

Furthermore, the system presents a list of extensions that provide detailed information about the event.


RFC 5424 messages

senhasegura also supports syslog messages that follow the RFC 5424 standard. The header of this message format contains the following fields:

  • priority: according to event type
  • facility: 1 (user)
  • app-name: senhasegura
  • procid: PID of the current process
  • message: event message
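To show how the CEF header, its extensions and the RFC 5424 wrapper described above fit together, here is an added example parser (written for this page, not senhasegura's own code). It splits the syslog PRI into facility and severity, parses the seven CEF header fields and the key=value extensions, and maps the suid extension onto the message types listed further down; the sample line is constructed, with the process ID, port and timestamp being assumed values.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) (?P<msg>.*)$"
)
CEF_HEADER = ["version", "vendor", "product", "product_version", "event_id", "event_name", "severity"]
# Extension keys are bare identifiers followed by '='; values such as msg= may contain spaces.
EXT_SPLIT_RE = re.compile(r" (?=[A-Za-z0-9_]+=)")
# Message types (suid) as listed on this page.
SUID_EVENTS = {8: "Loss / Recovered Connectivity", 9: "Password rotation", 15: "Backup complete",
               17: "Password changed", 153: "Session Started / Ended", 164: "Password visualization"}

def parse_cef(cef: str) -> dict:
    """Parse 'CEF:0|Vendor|Product|Version|EventID|Name|Severity|Extensions' into a dict."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # a literal '|' in a header field is escaped as '\|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    unesc = lambda s: s.replace("\\|", "|").replace("\\\\", "\\")
    rec = dict(zip(CEF_HEADER, (unesc(p) for p in parts[:7])))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["severity"] = int(rec["severity"])  # 1..10 on this page; higher is more serious
    ext = {}
    for kv in EXT_SPLIT_RE.split(parts[7].strip()):
        key, _, val = kv.partition("=")  # a literal '=' in a value is escaped as '\='
        ext[key] = val.replace("\\=", "=").replace("\\\\", "\\")
    rec["ext"] = ext
    suid = ext.get("suid", "")
    rec["event"] = SUID_EVENTS.get(int(suid), "unknown") if suid.isdigit() else "unknown"
    return rec

def parse_syslog_cef(line: str) -> dict:
    """Parse an RFC 5424 line whose MSG part carries a CEF message (PRI = facility * 8 + severity)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    pri = int(m["pri"])
    rec = parse_cef(m["msg"])
    rec.update(facility=pri // 8, syslog_severity=pri % 8, app=m["app"], procid=m["procid"], timestamp=m["ts"])
    return rec

# Constructed sample, not a captured senhasegura message: a Session Started event (suid 153) with
# facility 1 (user) and syslog severity 6, so PRI = 1 * 8 + 6 = 14.
SAMPLE = ("<14>1 2017-01-19T10:41:00Z senhasegura senhasegura 4242 - - "
          "CEF:0|MT4|senhasegura|3.27.0-4|336.501|UPDATE INCIDENT|9|suid=153 sname=Stephen Lee suser=stlee "
          "dst=127.0.0.1 dpt=22 duser=root msg=Session started for localhost (127.0.0.1) - "
          "Privileged Domain User - root by the user Stephen Lee (stlee)")
```

Calling parse_syslog_cef(SAMPLE) yields facility 1, event "Session Started / Ended" and the stlee -> root@127.0.0.1 mapping a detection rule would key on.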

Supported messages

These are some of the message formats that are native to senhasegura and can be exported to an external SIEM solution:

Message types (SUID)

SUID | Event
8 | Loss / Recovered Connectivity
9 | Password rotation
15 | Backup complete
17 | Password changed
153 | Session Started / Ended
164 | Password visualization

Common extension keys:

  • dst: IP address of the event's target device
  • dhost: hostname of the device affected by the event

Backup

Key | Example | Description
msg | Backup sent to server ’localhost:/srv/backup’ via local | 
suid | | Message type
sname | Asynchronous Script: 8 | Backup script ID
suser | | Not applicable
spid | | Notification's unique ID
dhost | localhost | Name of the backup server

Lost Connectivity

Key | Example | Description
msg | Localhost appliance (127.0.0.1) has lost SSH connectivity | 
suid | | Message type
sname | Asynchronous Script: 9 | Name of the user who has lost connectivity
suser | | Not applicable
spid | | Notification's unique ID
dst | 127.0.0.1 | Device's IP address
dhost | localhost | Name of the backup server
dpt | | Device's port

Restored Connectivity

Key | Example | Description
msg | Localhost appliance (127.0.0.1) has recovered SSH connectivity | 
suid | | Message type
sname | Asynchronous Script: 9 | Name of the user whose connection was lost
suser | | Not applicable
spid | | Notification's unique ID
dst | 127.0.0.1 | Device's IP address
dhost | localhost | Name of the backup server
dpt | | Device's port

Password changed

Key | Example | Description
msg | Password localhost (127.0.0.1) - Domain User - root changed by user stlee | 
suid | | Notification's unique ID
sname | Stephen Lee | User that changed the password
suser | | Not applicable
spid | | Notification's unique ID
duser | root | Username of the changed password
duid | | 
dst | 127.0.0.1 | Device's IP address
dhost | localhost | Name of the password's device

Password visualization

Key | Example | Description
msg | Password localhost (127.0.0.1) - Domain User - root changed by user stlee | 
suid | | Message type
sname | Stephen Lee | User that viewed the password
suser | | Not applicable
spid | | Notification's unique ID
duser | root duid=35 | Username of the password
dst | 127.0.0.1 | IP address of the password's device
dhost | localhost | Name of the password's device

Session Ended

Key | Example | Description
msg | Session terminated for localhost (127.0.0.1) - Privileged Domain User - srv_admin by the user Stephen Lee (stlee) | 
suid | | Message type
sname | Stephen Lee | User that terminated the session
suser | stlee | Login details of the user that terminated the session
spid | | Notification's unique ID
dst | 127.0.0.1 | Device's IP address
dpt | | Device's port
duser | srv_admin | Login used in the remote session

Session Started

Key | Example | Description
msg | Session started for localhost (127.0.0.1) - Privileged Domain User - root by the user Stephen Lee (stlee) | 
suid | | Message type
sname | Stephen Lee | User login details
suser | stlee | Login details of the user that started the session
spid | | Notification's unique ID
dst | 127.0.0.1 | Device's IP address
dpt | | Device's port
duser | root | Login used in the remote session

Exchange performed

Key | Example | Description
msg | Session terminated for localhost (127.0.0.1) - Privileged Domain User - by the user Stephen Lee (stlee) | 
suid | | Message type
sname | Asynchronous Script: 17 | Password change script ID
suser | | Not applicable
spid | | Message type
dst | 127.0.0.1 | Device's IP address
duser | root | User associated with the changed password

Command Execution and Auditing

Key | Example | Description
msg | An audited command has been detected! Action: ”[system action]” | 
suid | | Logged user
sname | Stephen Lee | User that started the session
suser | stlee | Login details of the user that started the session
spid | | Not applicable
dst | | Not applicable
dpt | | Not applicable
duser | | Not applicable

Privileged Information visualization

Key | Example | Description
msg | Access detected to ’my example’. | 
suid | | Logged user
sname | Stephen Lee | User that started the session
suser | stlee | Login of the user that started the session
spid | | Message type
dst | | Not applicable
dpt | | Not applicable
duser | | Not applicable

Changes in Privileged Information

Key | Example | Description
msg | Information ’my example’ has been changed. | 
suid | | Logged user
sname | Stephen Lee | User that started the session
suser | stlee | Login details of the user that started the session
spid | | Message type
dst | | Not applicable
dpt | | Not applicable
duser | | Not applicable

Password Request

Key | Example | Description
msg | User ’Stephen Lee’ has made a request. Request Details: View password action for cqss credential on win2012 device (192.168.10.156) | 
suid | | Logged user
sname | Stephen Lee | Name of the logged user
suser | stlee | Logged user's username
spid | | Process ID
dst | 192.168.10.156 | Target IP address
dpt | | Not applicable
duser | cqss | Requested user
cs1Label | GMUD | Field label
cs1 | | File ID
cs2Label | Validity Start | Field label
cs2 | -01-19 10:41:00 | Date and time the request was sent
cs3Label | Validity End | Field label
cs3 | -01-19 11:41:00 | Date and time the request expires
cs4Label | Approver | Field label
cs4 | Administrator | Approver
cs5Label | Requester | Field label
cs5 | Stephen | Requesting user
cs6 | Action | Field label
cs7 | View password | Description of the action

Approved request

Key | Example | Description
msg | Application approved by Administrator on 19/01/2017 10:44:30. Code: S000296 Requestor: Steven Lee Requested on: 19/01/2017 10:44:13 Request detail: View password action for cqss credential on device win2012 (192.168.10.156) | 
suid | | Logged user
sname | Leia West | Name of the logged user
suser | lwest | Logged user's username
spid | | Process ID
dst | 192.168.10.156 | Target IP address
dpt | | Not used
duser | cqss | User associated with the requested credential
cs1Label | GMUD | Field label
cs1 | | File ID
cs2Label | Validity Start | Field label
cs2 | -01-19 10:41:00 | Date and time the request was sent
cs3Label | Validity End | Field label
cs3 | -01-19 11:41:00 | Date and time the request expires
cs4Label | Approver | Field label
cs4 | Administrator | Approver
cs5Label | Requester | Field label
cs5 | Steven Lee | Requesting user
cs6 | Action | Field label
cs7 | View Password | Description of the action

Request denied

Key | Example | Description
msg | Access to ’test’ detected. | 
suid | | Logged user
sname | Steven Lee | Name of the logged user
suser | stlee | Logged user's username
spid | | Process ID
dst | 192.168.10.156 | Target IP
dpt | | Not used
duser | cqss | Login details of the requested user
cs1Label | GMUD | Field label
cs1 | | File ID
cs2Label | Validity Start | Field label
cs2 | -01-19 10:41:00 | Date and time the request was sent
cs3Label | Validity End | Field label
cs3 | -01-19 11:41:00 | Date and time the request expires
cs4Label | Approver | Field label
cs4 | Administrator | Approver
cs5Label | Requester | Field label
cs5 | Leia West | Requesting user
cs6 | Action | Field label
cs7 | View password | Description of the action

Command Detected - Block and Stop Session

Key | Example | Description
msg | An audited command has been detected! Action: blocked the command and terminated the session | 
suid | | Logged user
sname | Caleb | senhasegura user who started the session
suser | caleb | Username of the user that started the session
spid | | Message type
dst | 127.0.0.1 | Target IP
dpt | | Port used
duser | usrmanut | User associated with the target device

Command Detected - Block

Key | Example | Description
msg | An audited command has been detected! Action: Notification sent and command allowed | 
suid | | Logged user
sname | Caleb | User that started the session
suser | caleb | Username of the user that started the session
spid | | Message type
dst | 127.0.0.1 | Target IP
dpt | | Port used
duser | usrmanut | User that started the session

Password change error

Key | Example | Description
msg | Error changing password ’Windows SQL Test Remote App (192.168.30.55) - Domain User – ’stleeadm’: The device ’Windows SQL Test Remote App (192.168.30.55)’ has no Windows RPC connectivity | 
suid | | Logged user
sname | Stephen Lee | Name of the user that started the session
suser | stlee | Username of the user that started the session
spid | | Message type
dst | 192.168.30.55 | Target IP
dpt | | Not applicable
duser | stleeadm | User that started the session

Changes in stored file

Key | Example | Description
msg | A session file has been modified! | 
suid | | Logged user
sname | Asynchronous Script: 12 | Name of the logged user
suser | asc_12 | Username of the logged user
spid | | Process ID
dst | | Not applicable
dpt | | Not applicable
duser | | Not applicable
cs1Label | Id | Field label
cs1 | | File ID
cs2Label | Initial Size | Field label
cs2 | | Initial file size in bytes
cs3Label | Final size | Field label
cs3 | | Final file size in bytes
cs4Label | Initial Checksum | Field label
cs4 | f5751777b74f8e2f2… | File's previous checksum
cs5Label | Final Checksum | Field label
cs5 | 284f1555574548901… | File's final checksum

Master Key - Users who have viewed their part of the key

Key | Example | Description
msg | The user accessed his part of the key. | 
suid | | Logged user
sname | Stephen Lee | Name of the logged user
suser | stlee | Username of the user that started the session
Method | POST | 
act | User has seen his part of the key | 
ServiceName | Backup | 

Master Key - User downloads a PDF file with his part of the key

Key | Example | Description
msg | The User downloaded the PDF with his part of the key. | 
suid | | Logged user
sname | Stephen Lee | Name of the logged user
suser | stlee | Username of the user that started the session
Method | POST | 
act | The user downloaded the PDF with his part of the key source | 
ServiceName | Backup | 

Master Key - Key Ceremony Initiated

Key | Example | Description
msg | The key ceremony process started. | 
suid | | Logged user
sname | José da Silva | Name of the logged user
suser | jsilva | Username of the user that started the session
spriv | Administrator | 
Method | POST | Fixed value
act | Ceremony process started | Performed action
ServiceName | Backup | 

Master Key - Key Ceremony Ended

Key | Example | Description
msg | Ceremony process completed. | 
suid | | Logged user
sname | José da Silva | Name of the logged user
suser | jsilva | Username of the user that started the session
spriv | Administrator | 
Method | GET | 
act | Ceremony process completed | 
ServiceName | Backup | 

Master Key - Inactive Master key Guardian

Key | Example | Description
msg | The master key guardian is currently inactive. | 
suid | | Logged user's ID
sname | Jane Doe | Username
suser | jdoe | User's username
spriv | User | Application layer
dvc | .225.14 | Device's IPv4 host
spid | | Internal PID
act | Incident | Performed action
dproc | master_key_guardian | Name of the target process

Master Key - Failed recovery

Key | Example | Description
msg | The recovery attempt has failed. | Invalid key parts
requestMethod | POST | Fixed value
act | Failed recovery attempt | Type of recovery failure
sourceServiceName | Master Key | Operation module
originIP | .148.162 | Requesting user's IP address
country | Brazil | User's geolocation: country
state | Sao Paulo | User's geolocation: state
city | Taboao da Serra | User's geolocation: city
latitude | | User's geolocation: GPS latitude
longitude | | User's geolocation: GPS longitude
partsNeeded | | Key parts necessary for recovery
partsSent | | Number of attempts with the key parts sent
suid | | Logged user's ID
sname | | Logged user's name
suser | | Logged user's username
spriv | User | Application layer
dvc | .2.17 | Device's IPv4 host
spid | | Internal PID
src | .0.1 | Source IP address
act | Incident | Performed action
dproc | master_key_guardian | Name of the target process

Master Key - Successful recovery

Key | Example | Description
msg | Successful recovery attempt. | The key parts have been validated
requestMethod | POST | Fixed value
act | Successful recovery attempt | Type of successful recovery
sourceServiceName | Master Key | Operation module
originIP | .10.13 | Requesting user's IP address
country | Brazil | User's geolocation: country
state | Sao Paulo | User's geolocation: state
city | Taboao da Serra | User's geolocation: city
latitude | | User's geolocation: GPS latitude
longitude | | User's geolocation: GPS longitude
partsNeeded | | Key parts necessary for recovery
partsSent | | Number of attempts with the key parts sent
suid | | Logged user's ID
sname | | Logged user's name
suser | | Logged user's username
spriv | User | Application layer
dvc | .10.20 | Device's IPv4 host
spid | | Internal PID
src | .10.13 | Source IP address
act | Incident | Performed action
dproc | master_key_guardian | Name of the target process

Reports - Schedule Email

Key | Example | Description
dvc | .20.30 | senhasegura server's IP
spid | | Process ID in the operating system
src | .20.10 | IP address of the user that performed the operation
suid | | ID of the user that performed the operation
sname | John Doe | Name of the user that performed the operation
suser | jdoe | Username of the user who performed the operation
spriv | Administrator | Privileged user used to perform the operation
msg | Report scheduling - Creation | Performed operation
requestMethod | POST | HTTP method used
act | Report scheduling - Creation | Performed operation
sourceServiceName | Report scheduling | Operation category
cs1Label | User | Label for the requesting user
cs1 | John Doe | Requesting user
cs2Label | User ID | User ID label
cs2 | | User ID
cs3Label | Schedule | Label for the name of the schedule
cs3 | My schedule | Schedule name
cs4Label | Schedule ID | Label for the schedule ID
cs4 | | Schedule ID
cs5Label | Added reports | Label for the added reports
cs5 | Settings Authentication Multi-factor authentication Providers | Added reports
cs7Label | Added users | Label for the added users
cs7 | jdoe - John Doe | Users who will receive the notification

Reports - Update a Schedule

Key | Example | Description
dvc | .20.30 | senhasegura server's IP address
spid | | Process ID in the operating system
src | .20.10 | IP address of the user that performed the operation
suid | | ID of the user that performed the operation
sname | John Doe | Name of the user that performed the operation
suser | jdoe | Username of the user that performed the operation
spriv | Administrator | Privileged user used to perform the operation
msg | Report scheduling - Update | Performed operation
requestMethod | POST | HTTP method used
act | Report scheduling - Update | Performed operation
sourceServiceName | Report scheduling | Operation category
cs1Label | User | Label for the requesting user name
cs1 | John Doe | Requesting user
cs2Label | User ID | User ID label
cs2 | | User ID
cs3Label | Schedule | Label for the name of the schedule
cs3 | My schedule | Schedule name
cs4Label | Schedule ID | Label for the schedule ID
cs4 | | Schedule ID
cs5Label | Added reports | Label for the added reports
cs5 | None | Added reports
cs6Label | Removed reports | Label for the removed reports
cs6 | None | Removed reports
cs7Label | Added users | Label for the added users
cs7 | None | Added users
cs8Label | Removed users | Label for the removed users
cs8 | None | Removed users

Reports - Delete

Key | Example | Description
dvc | .20.30 | senhasegura server's IP
spid | | Process ID in the operating system
src | .20.10 | IP address of the user that performed the operation
suid | | ID of the user that performed the operation
sname | John Doe | Name of the user that performed the operation
suser | jdoe | Username of the user that performed the operation
spriv | Administrator | Privileged user used to perform the operation
msg | Report scheduling - Deletion | Performed operation
requestMethod | POST | HTTP method used
act | Report scheduling - Deletion | Performed operation
sourceServiceName | Report scheduling | Operation category
cs1Label | User | Label for the requesting user
cs1 | John Doe | Requesting user
cs2Label | User ID | User ID label
cs2 | | User ID
cs3Label | Schedule | Label for the name of this schedule
cs3 | My schedule | Schedule name
cs4Label | Schedule ID | Label for the schedule ID
cs4 | | Schedule ID
