Integration with SIEM

senhasegura implements a robust security event collection and processing system, enabling comprehensive monitoring of critical environment metrics. The system systematically tracks the following components:

  • Unique identifiers and system table metadata
  • Performance metrics and operational status of automated processes
  • Detailed records of user activities and interactions
  • System integrity and performance indicators

This monitoring architecture natively integrates with SIEM (Security Information and Event Management) systems, enabling centralized management and in-depth security event analysis.

Advanced SIEM Features

The SIEM implementation provides Information Security professionals with a comprehensive set of functionalities:

  • Centralized consolidation of IT environment security data
  • Continuous monitoring and real-time event log analysis
  • Structured methodology for incident identification, classification, and investigation
  • Advanced analytical reporting system
  • Intelligent mechanisms for detecting anomalous behaviors and malicious activities

Notification System

The SIEM platform incorporates a multifaceted notification system that operates through the following channels:

  • SMS messages for critical alerts
  • Instant messaging systems
  • Email communications
  • Integrated support ticketing system

Notifications are configured through customizable rules, allowing fine-tuned triggering criteria based on identified threat patterns.

Monitoring in senhasegura

The system maintains constant vigilance over critical events, including:

  • Authentication and authorization processes on managed devices
  • Remote access attempts and their respective origins
  • Critical events related to server infrastructure
  • Credential lifecycle and status in the system

Compatibility Specifications

senhasegura offers extensive compatibility with SIEM solutions through the following standardized protocols:

  • CEF (Common Event Format) for event normalization
  • Syslog (RFC 5424) for standardized log transmission
  • Native integration with Sensage platform

This technical documentation establishes fundamental guidelines for implementing and operating SIEM integration in the senhasegura environment, ensuring effective monitoring and agile incident response.

Event Mapping and SIEM Parameters

The following tables are the technical reference for the SIEM integration: the events, fields, and configurations that senhasegura supports. They give administrators and technical teams the parameters needed to configure critical event monitoring, and are organized for quick consultation during integration, maintenance, and troubleshooting.

CEF Message Format

CEF is a message format created to standardize the transmission of information to SIEM systems. senhasegura messages follow this layout: |CEF:0|MT4|senhasegura|3.27.0-4|336.501|UPDATE INCIDENT|9|Extensions|

Item            | Description
----------------|------------------------------------------------------------
Version         | The CEF format version. In the example above, we use '0'.
Company         | The name of the company responsible for the product. In the example above, we use 'MT4'.
Product         | The name of the product generating the event. In the example above, we use 'senhasegura'.
Product Version | The product version. In the example above, we use '3.27.0-4'.
Event ID        | The ID of the event that occurred. Each ID is unique and identifies the event. In the example above, we use '336.501'.
Event Name      | The type of event that occurred. In the example above, we use 'Update Incident' to indicate that an update incident occurred.
Severity        | The severity or importance of the event, on a scale from 1 to 10. The higher the number, the more severe the incident.
Extensions      | A list of key=value extensions providing detailed information about the event (see the tables below).

RFC 5424 Format Messages

In this mode, SYSLOG messages are sent according to RFC 5424. The header fields are set to the following values:

  • Priority: according to event type
  • Facility: 1 (user)
  • App: senhasegura
  • Procid: current process PID
  • Message: event message
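The following Python example, added here as an illustration and not code shipped with senhasegura, decodes a message in the shape the two sections above describe: an RFC 5424 envelope (PRI, version, timestamp, hostname, app-name, procid) whose MSG part is a CEF line with the seven header fields and a key=value extension string. The sample frame, its hostname and PID are constructed; the CEF escaping rules it honours (`\|` in header fields, `\=` in extension values) come from the CEF specification, and the PRI decoding (facility * 8 + severity) from RFC 5424.

```python
import re
from dataclasses import dataclass, field

# Constructed sample frame (not captured from a real appliance): RFC 5424 header
# with facility 1 (user), app-name "senhasegura" and the sending PID as procid,
# carrying a CEF message as the MSG part. PRI 14 = facility 1 * 8 + severity 6.
SAMPLE_FRAME = (
    "<14>1 2017-01-19T10:44:30Z pam01 senhasegura 4242 - - "
    "CEF:0|MT4|senhasegura|3.27.0-4|153|Session Started|5|"
    "suid=153 sname=Jose da Silva suser=jsilva spid=4242 dst=127.0.0.1 dpt=22 duser=root "
    "msg=Session started for localhost (127.0.0.1) - Privileged Domain User - root "
    "by user Jose da Silva (jsilva)"
)

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# An extension key is a run of word characters followed by '=' at the start of the
# extension string or after whitespace. Values may contain spaces ("Jose da Silva"),
# so the string cannot simply be split on blanks; an escaped "\=" is not a key.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")
# Header fields are separated by '|' unless the pipe is escaped as "\|".
_HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")


@dataclass
class SiemEvent:
    facility: int
    severity: int            # syslog severity, 0 (emergency) .. 7 (debug)
    timestamp: str
    hostname: str
    app: str
    procid: str
    cef_version: int
    vendor: str              # "Company" in the CEF table above
    product: str
    product_version: str
    signature_id: str        # "Event ID"
    name: str                # "Event Name"
    cef_severity: int        # 0..10, higher is more severe
    extensions: dict = field(default_factory=dict)


def _unescape_header(s: str) -> str:
    return s.replace("\\|", "|").replace("\\\\", "\\")


def _unescape_value(s: str) -> str:
    return s.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef_extensions(ext: str) -> dict:
    """Turn 'k1=v1 k2=v with spaces k3=v3' into a dict, honouring the '\\=' escape."""
    matches = list(_EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return out


def parse_cef(payload: str) -> dict:
    """Parse 'CEF:0|vendor|product|version|id|name|severity|extensions'."""
    parts = _HEADER_SPLIT_RE.split(payload, maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF payload")
    head = [_unescape_header(p) for p in parts[:7]]
    ext = parts[7] if len(parts) == 8 else ""
    return {
        "cef_version": int(head[0][4:]),
        "vendor": head[1], "product": head[2], "product_version": head[3],
        "signature_id": head[4], "name": head[5], "cef_severity": int(head[6]),
        "extensions": parse_cef_extensions(ext),
    }


def parse_frame(frame: str) -> SiemEvent:
    """Decode the RFC 5424 envelope, then the CEF message it carries."""
    m = _SYSLOG_RE.match(frame)
    if not m:
        raise ValueError("not an RFC 5424 frame")
    pri = int(m.group("pri"))
    cef = parse_cef(m.group("msg") or "")
    return SiemEvent(
        facility=pri // 8,      # PRI = facility * 8 + severity
        severity=pri % 8,
        timestamp=m.group("ts"), hostname=m.group("host"),
        app=m.group("app"), procid=m.group("procid"),
        **cef,
    )


if __name__ == "__main__":
    ev = parse_frame(SAMPLE_FRAME)
    print(ev.facility, ev.app, ev.signature_id, ev.name, ev.extensions["sname"])
```

A collector that splits extensions on spaces would cut `sname=Jose da Silva` into three tokens and lose the user name; keying on the `name=` pattern and unescaping `\=` keeps the field intact, which is what the field tables below rely on.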

Configured Messages

The following messages are configured for transmission through SIEM:

Message Types (SUID)

SUID | Description
-----|---------------------------
8    | Connectivity Loss/Recovery
9    | Password Change executed
15   | Backup performed
17   | Password changed
153  | Session Started/Ended
164  | Password Viewed

Destination fields common to these messages:

Key   | Description
------|-------------------------------
dst   | IP of the event target device
dhost | Hostname of the affected device

Backup

Key   | Example                                                | Description
------|--------------------------------------------------------|--------------------------------------
msg   | Backup sent to server 'localhost:/srv/backup' via local | Message with action information
suid  |                                                        | Message type
sname | Asynchronous Script: 8                                 | Backup script identifier
suser |                                                        | Not applicable
spid  |                                                        | Unique notification identifier
dhost | localhost                                              | Name of server where backup is generated

Connectivity Loss

Key   | Example                                              | Description
------|------------------------------------------------------|--------------------------------------
msg   | The device localhost (127.0.0.1) lost SSH connectivity |
suid  |                                                      | Message type
sname | Asynchronous Script: 9                               | Name of user who lost connectivity
suser |                                                      | Not applicable
spid  |                                                      | Unique notification identifier
dst   | .0.1                                                 | Device IP
dhost | localhost                                            | Name of server where backup is generated
dport |                                                      | Device port

Connectivity Restored

Key   | Example                                                         | Description
------|-----------------------------------------------------------------|--------------------------------------
msg   | The localhost equipment (127.0.0.1) has recovered SSH connectivity |
suid  |                                                                 | Message type
sname | Asynchronous Script: 9                                          | Name of the user whose session was restored
suser |                                                                 | Not applicable
spid  |                                                                 | Unique notification identifier
dst   | .0.1                                                            | Device IP
dhost | localhost                                                       | Server name where backup is generated
dport |                                                                 | Device port

Password Changed

Key   | Example                                                                  | Description
------|--------------------------------------------------------------------------|--------------------------------------
msg   | Password localhost (127.0.0.1) - Domain User - root changed by user jsilva |
suid  |                                                                          | Unique notification identifier
sname | Jose da Silva                                                            | Name of user who changed the password
suser |                                                                          | Not applicable
spid  |                                                                          | Unique notification identifier
duser | root                                                                     | Username of changed password
duid  |                                                                          |
dst   | .0.1                                                                     | Device IP
dhost | localhost                                                                | Password device name

Password Viewed

Key   | Example                                                                  | Description
------|--------------------------------------------------------------------------|--------------------------------------
msg   | Password localhost (127.0.0.1) - Domain User - root changed by user jsilva |
suid  |                                                                          | Message type
sname | Jose da Silva                                                            | User who viewed the password
suser |                                                                          | Not applicable
spid  |                                                                          | Unique notification identifier
duser | root                                                                     | Username of viewed password
duid  | 35                                                                       |
dst   | .0.1                                                                     | Password device IP
dhost | localhost                                                                | Password device name

Session Ended

Key   | Example                                                                                              | Description
------|------------------------------------------------------------------------------------------------------|--------------------------------------
msg   | Session ended for localhost (127.0.0.1) - Privileged Domain User - srv_admin by user Jose da Silva (jsilva) |
suid  |                                                                                                      | Identifies message type
sname | Jose da Silva                                                                                        | User who ended the session
suser | jsilva                                                                                               | Login of user who ended the session
spid  |                                                                                                      | Unique notification identifier
dst   | .0.1                                                                                                 | Device IP
dpt   |                                                                                                      | Device port
duser | srv_admin                                                                                            | Login used in remote session

Session Started

Key   | Example                                                                                         | Description
------|-------------------------------------------------------------------------------------------------|--------------------------------------
msg   | Session ended for localhost (127.0.0.1) - Privileged Domain User - root by user Jose da Silva (jsilva) |
suid  |                                                                                                 | Identifies message type
sname | Jose da Silva                                                                                   | User who started session
suser | jsilva                                                                                          | Login of user who started session
spid  |                                                                                                 | Unique notification identifier
dst   | .0.1                                                                                            | Device IP
dpt   |                                                                                                 | Device port
duser | root                                                                                            | Login used in remote session

Exchange Executed

Key   | Example                                                                                         | Description
------|-------------------------------------------------------------------------------------------------|--------------------------------------
msg   | Session ended for localhost (127.0.0.1) - Privileged Domain User - root by user Jose da Silva (jsilva) |
suid  |                                                                                                 | Message type
sname | Asynchronous Script: 17                                                                         | Password exchange script identifier
suser |                                                                                                 | Not used in this interface
spid  |                                                                                                 | Identifies message type
dst   | .0.1                                                                                            | Device IP
duser | root                                                                                            | User of changed password

Audited Commands Executed

Key   | Example                                                      | Description
------|--------------------------------------------------------------|--------------------------------------
msg   | An audited command was detected! Action: "[Action taken]"    |
suid  |                                                              | Logged user
sname | Jose da Silva                                                | User who started session
suser | jsilva                                                       | Login of user who started session
spid  |                                                              | Not applicable
dst   |                                                              | Not applicable
dpt   |                                                              | Not applicable
duser |                                                              | Not applicable

Information Viewed

Key   | Example                     | Description
------|-----------------------------|--------------------------------------
msg   | Information 'test' viewed.  |
suid  |                             | Logged user
sname | Jose da Silva               | User who started session
suser | jsilva                      | Login of user who started session
spid  |                             | Message type
dst   |                             | Not applicable
dpt   |                             | Not applicable
duser |                             | Not applicable

Information Changed

Key   | Example                     | Description
------|-----------------------------|--------------------------------------
msg   | Information 'test' changed  |
suid  |                             | Logged user
sname | Jose da Silva               | User who started session
suser | jsilva                      | Login of user who started session
spid  |                             | Message type
dst   |                             | Not applicable
dpt   |                             | Not applicable
duser |                             | Not applicable

Password Access Request

Key      | Example                                                                                                                              | Description
---------|--------------------------------------------------------------------------------------------------------------------------------------|--------------------------
msg      | User 'Jose da Silva' created a request. Request details: Action to view password for credential cqss on device win2012 (192.168.10.156) |
suid     |                                                                                                                                      | Logged user
sname    | Jose da Silva                                                                                                                        | Name of logged user
suser    | jsilva                                                                                                                               | Login of logged user
spid     |                                                                                                                                      | Process PID
dst      | .10.156                                                                                                                              | Destination IP
dpt      |                                                                                                                                      | Not applicable
duser    | cqss                                                                                                                                 | Requested user
cs1Label | Change Request                                                                                                                       | Field label
cs1      |                                                                                                                                      | File ID
cs2Label | Validity Start                                                                                                                       | Field label
cs2      | -01-19 10:41:00                                                                                                                      | Request start date
cs3Label | Validity End                                                                                                                         | Field label
cs3      | -01-19 11:41:00                                                                                                                      | Request expiration date
cs4Label | Approver                                                                                                                             | Field label
cs4      | Administrator                                                                                                                        | Approving User
cs5Label | Requester                                                                                                                            | Field label
cs5      | Jose da Silva                                                                                                                        | Requesting User
Cs6      | Action                                                                                                                               | Field label
Cs7      | View password                                                                                                                        | Action description

Request Approved

Key      | Example                                                                                                                                                                                                                   | Description
---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------
msg      | Request approved by Administrator on 19/01/2017 10:44:30. Code: S000296 Requester: Jose da Silva Requested on: 19/01/2017 10:44:13 Request details: Action to view password for credential cqss on device win2012 (192.168.10.156) |
suid     |                                                                                                                                                                                                                           | Logged user
sname    | Maria da Silva                                                                                                                                                                                                            | Name of logged user
suser    | msilva                                                                                                                                                                                                                    | Login of logged user
spid     |                                                                                                                                                                                                                           | Process PID
dst      | .10.156                                                                                                                                                                                                                   | Destination IP
dpt      |                                                                                                                                                                                                                           | Not used
duser    | cqss                                                                                                                                                                                                                      | Requested credential user
cs1Label | Change Request                                                                                                                                                                                                            | Field label
cs1      |                                                                                                                                                                                                                           | File ID
cs2Label | Validity Start                                                                                                                                                                                                            | Field label
cs2      | -01-19 10:41:00                                                                                                                                                                                                           | Request start date
cs3Label | Validity End                                                                                                                                                                                                              | Field label
cs3      | -01-19 11:41:00                                                                                                                                                                                                           | Request expiration date
cs4Label | Approver                                                                                                                                                                                                                  | Field label
cs4      | Administrator                                                                                                                                                                                                             | Approving User
cs5Label | Requester                                                                                                                                                                                                                 | Field label
cs5      | Jose da Silva                                                                                                                                                                                                             | Requesting User
Cs6      | Action                                                                                                                                                                                                                    | Field label
Cs7      | View password                                                                                                                                                                                                             | Action description

Request Denied

Key      | Example                     | Description
---------|-----------------------------|--------------------------
msg      | Information 'test' viewed.  |
suid     |                             | Logged user
sname    | Jose da Silva               | Name of logged user
suser    | jsilva                      | Login of logged user
spid     |                             | Process PID
dst      | .10.156                     | Destination IP
dpt      |                             | Not used
duser    | cqss                        | Requested user login
cs1Label | Change Request              | Field label
cs1      |                             | File ID
cs2Label | Validity Start              | Field label
cs2      | -01-19 10:41:00             | Request start date
cs3Label | Validity End                | Field label
cs3      | -01-19 11:41:00             | Request expiration date
cs4Label | Approver                    | Field label
cs4      | Administrator               | Approving User
cs5Label | Requester                   | Field label
cs5      | Maria da Silva              | Requesting User
Cs6      | Action                      | Field label
Cs7      | View password               | Action description

Detected Command - Block and Terminate Session

Key   | Example                                                                          | Description
------|----------------------------------------------------------------------------------|--------------------------------------
msg   | An audited command was detected! Action: Command blocked and session terminated  |
suid  |                                                                                  | Logged user
sname | Romario                                                                          | User who initiated session
suser | romario                                                                          | Login of user who initiated session
spid  |                                                                                  | Message type
dst   | .0.1                                                                             | Destination IP
dpt   |                                                                                  | Port used
duser | vault                                                                            | User utilized to initiate session

Detected Command - Block

Key   | Example                                                                   | Description
------|---------------------------------------------------------------------------|--------------------------------------
msg   | An audited command was detected! Action: Command notified and allowed     |
suid  |                                                                           | Logged user
sname | Romario                                                                   | User who initiated session
suser | romario                                                                   | Login of user who initiated session
spid  |                                                                           | Message type
dst   | .0.1                                                                      | Destination IP
dpt   |                                                                           | Port used
duser | vault                                                                     | User utilized to initiate session

Password Change Error

Key   | Example                                                                                                                                                                                   | Description
------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------
msg   | Error changing password 'Windows SQL Test Remote App (192.168.30.55) - Domain User – 'jsilvaadm': The device 'Windows SQL Test Remote App (192.168.30.55)' does not have Windows RPC connectivity |
suid  |                                                                                                                                                                                           | Logged user
sname | José da Silva                                                                                                                                                                             | Name of user who initiated session
suser | Jsilva                                                                                                                                                                                    | Login of user who initiated session
spid  |                                                                                                                                                                                           | Message type
dst   | .30.5                                                                                                                                                                                     | Destination IP
dpt   |                                                                                                                                                                                           | Not applicable
duser | jsilvaadm                                                                                                                                                                                 | User utilized to initiate session

Storage File Modified

Key      | Example                     | Description
---------|-----------------------------|--------------------------------------
msg      | A session file was modified! |
suid     |                             | Logged user
sname    | Asynchronous Script: 12     | Logged username
suser    | asc_12                      | Logged user login
spid     |                             | Process PID
dst      |                             | Not applicable
dpt      |                             | Not applicable
duser    |                             | Not applicable
cs1Label | Id                          | Field label
cs1      |                             | File ID
cs2Label | Initial Size                | Field label
cs2      |                             | Initial file size in bytes
cs3Label | Final Size                  | Field label
cs3      |                             | Final file size in bytes
cs4Label | Initial Checksum            | Field label
cs4      | f5751777b74f8e2f2…          | Previous file checksum
cs5Label | Final Checksum              | Field label
cs5      | 284f1555574548901…          | Current file checksum

Master Key - Users Who Viewed Their Key Part

Key         | Example                                       | Description
------------|-----------------------------------------------|------------------
msg         | User viewed their part of the key request.    |
suid        |                                               | Logged user
sname       | José da Silva                                 | Logged username
suser       | jsilva                                        | Logged user login
Method      | POST                                          | Fixed value
act         | User viewed their part of the key source.     | Performed action
ServiceName | Backup                                        |

Master Key - User Downloaded PDF with Their Key Part

Key         | Example                                                      | Description
------------|--------------------------------------------------------------|------------------
msg         | User downloaded the PDF with their part of the key request.  |
suid        |                                                              | Logged user
sname       | José da Silva                                                | Logged username
suser       | jsilva                                                       | Logged user login
Method      | POST                                                         | Fixed value
act         | User downloaded the PDF with their part of the key source.   | Performed action
ServiceName | Backup                                                       |

Master Key - Ceremony Process Started

Key         | Example                    | Description
------------|----------------------------|------------------
msg         | Ceremony process started.  |
suid        |                            | Logged user
sname       | José da Silva              | Logged username
suser       | jsilva                     | Logged user login
spriv       | Administrator              |
Method      | POST                       | Fixed value
act         | Ceremony process started.  | Performed action
ServiceName | Backup                     |

Master Key - Ceremony Process Completed

Key         | Example                      | Description
------------|------------------------------|------------------
msg         | Ceremony process completed.  |
suid        |                              | Logged user
sname       | José da Silva                | Logged username
suser       | jsilva                       | Logged user login
spriv       | Administrator                |
Method      | GET                          | Fixed value
act         | Ceremony process completed.  | Performed action
ServiceName | Backup                       |

Master Key - Inactive Guardian

Key   | Example                         | Description
------|---------------------------------|---------------------
msg   | Master Key - Inactive Guardian. |
suid  |                                 | Logged user ID
sname | John Doe                        | Username
suser | jdoe                            | User login
spriv | User                            | Application layer
dvc   | .225.14                         | Device IPv4 host
spid  |                                 | Internal PID
act   | Incident                        | Performed action
dproc | master_key_guardian             | Target process name

Master Key - Recovery Attempt Failed

Key               | Example                                                 | Description
------------------|---------------------------------------------------------|-------------------------------------------
msg               | Recovery attempt failed. The key fractions are invalid  |
requestMethod     | POST                                                    | Fixed value
act               | Recovery attempt failed                                 | Type of Master Key recovery failure
sourceServiceName | Master Key                                              | Operation module
originIP          | .148.162                                                | Requesting user IP
country           | Brazil                                                  | Request country geolocation
state             | Sao Paulo                                               | Request state geolocation
city              | Taboao da Serra                                         | Request city geolocation
latitude          |                                                         | Request GPS latitude geolocation
longitude         |                                                         | Request GPS longitude geolocation
partsNeeded       |                                                         | Fractions needed for recovery
partsSent         |                                                         | Number of fraction attempts sent
suid              |                                                         | Logged user ID
sname             |                                                         | Username
suser             |                                                         | User login
spriv             | User                                                    | Application layer
dvc               | .2.17                                                   | Device IPv4 host
spid              |                                                         | Internal PID
src               | .0.1                                                    | Source IP address
act               | Incident                                                | Performed action
dproc             | master_key_guardian                                     | Target process name

Master Key - Successful Recovery Attempt

Key               | Example                                                      | Description
------------------|--------------------------------------------------------------|-------------------------------------------
msg               | Recovery attempt successful. The key fractions used are valid |
requestMethod     | POST                                                         | Fixed value
act               | Recovery attempt successful                                  | Type of successful master key recovery
sourceServiceName | Master Key                                                   | Operation module
originIP          | .10.13                                                       | Request user IP
country           | Brazil                                                       | Request country geolocation
state             | Sao Paulo                                                    | Request state geolocation
city              | Taboao da Serra                                              | Request city geolocation
latitude          |                                                              | Request GPS latitude geolocation
longitude         |                                                              | Request GPS longitude geolocation
partsNeeded       |                                                              | Fractions needed for recovery
partsSent         |                                                              | Number of fraction attempts sent
suid              |                                                              | Registered user ID
sname             |                                                              | Username
suser             |                                                              | User login
spriv             | User                                                         | Application layer
dvc               | .10.20                                                       | Device IPv4 host
spid              |                                                              | Internal PID
src               | .10.13                                                       | Source IP address
act               | Incident                                                     | Performed action
dproc             | master_key_guardian                                          | Target process name

Email Report Scheduling - Creation

Key               | Example                                                               | Description
------------------|-----------------------------------------------------------------------|-------------------------------------------
dvc               | .20.30                                                                | Secure password server IP
spid              |                                                                       | Operating system process ID
src               | .20.10                                                                | IP of user who performed operation
suid              |                                                                       | ID of user who executed operation
sname             | John Doe                                                              | Username
suser             | jdoe                                                                  | User login
spriv             | Administrator                                                         | Privileged user who performed operation
msg               | Report Scheduling - Creation                                          | Operation performed
requestMethod     | POST                                                                  | HTTP method used by client
act               | Report Scheduling - Creation                                          | Operation performed
sourceServiceName | Report Scheduling                                                     | Category of operation executed
cs1Label          | User                                                                  | Requesting username label
cs1               | John Doe                                                              | Requester name
cs2Label          | User ID                                                               | User ID label
cs2               |                                                                       | User ID
cs3Label          | Schedule                                                              | Schedule name label
cs3               | My schedule                                                           | Schedule name
cs4Label          | Schedule ID                                                           | Schedule ID label
cs4               |                                                                       | Schedule ID
cs5Label          | Added reports                                                         | Added reports label
cs5               | Settings > Authentication > Multi-factor Authentication > Providers   | Added label
cs7Label          | Added users                                                           | Added users label
cs7               | jdoe - John Doe                                                       | Users added to receive notification

Email Report Scheduling - Update

Key               | Example                      | Description
------------------|------------------------------|-------------------------------------------
dvc               | .20.30                       | Secure password server IP
spid              |                              | Operating system process ID
src               | .20.10                       | IP of user who performed operation
suid              |                              | ID of user who executed operation
sname             | John Doe                     | Username
suser             | jdoe                         | User login
spriv             | Administrator                | Privileged user who performed operation
msg               | Report Scheduling - Update   | Operation performed
requestMethod     | POST                         | HTTP method used by client
act               | Report Scheduling - Update   | Operation performed
sourceServiceName | Report Scheduling            | Category of operation executed
cs1Label          | User                         | Requesting username label
cs1               | John Doe                     | Requester name
cs2Label          | User ID                      | User ID label
cs2               |                              | User ID
cs3Label          | Schedule                     | Schedule name label
cs3               | My schedule                  | Schedule name
cs4Label          | Schedule ID                  | Schedule ID label
cs4               |                              | Schedule ID
cs5Label          | Added reports                | Added reports label
cs5               | None                         | Added reports
cs6Label          | Removed reports              | Removed reports label
cs6               | None                         | Removed reports
cs7Label          | Added users                  | Added users label
cs7               | None                         | Added users
cs8Label          | Removed users                | Removed users label
cs8               | None                         | Removed users

Email Report Scheduling - Deletion

Key               | Example                        | Description
------------------|--------------------------------|-------------------------------------------
dvc               | .20.30                         | Secure password server IP
spid              |                                | Operating system process ID
src               | .20.10                         | IP of user who performed operation
suid              |                                | ID of user who executed operation
sname             | John Doe                       | Username
suser             | jdoe                           | User login
spriv             | Administrator                  | Privileged user who performed operation
msg               | Report Scheduling - Deletion   | Operation performed
requestMethod     | POST                           | HTTP method used by client
act               | Report Scheduling - Deletion   | Operation performed
sourceServiceName | Report Scheduling              | Category of operation executed
cs1Label          | User                           | Requesting username label
cs1               | John Doe                       | Requester name
cs2Label          | User ID                        | User ID label
cs2               |                                | User ID
cs3Label          | Schedule                       | Schedule name label
cs3               | My schedule                    | Schedule name
cs4Label          | Schedule ID                    | Schedule ID label
cs4               |                                | Schedule ID
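The tables above describe several events through csN/csNLabel pairs (a label field naming what the matching csN value holds), and some of them write the key with a capital C. The following Python example, added here and not code from senhasegura or its documentation, shows the two steps a SIEM rule author typically performs on such records: resolving each label/value pair into a named field (case-insensitively, so "Cs4Label" pairs with "Cs4"), then running a small triage rule set over the normalized record. The input records are constructed dictionaries shaped like the tables' field lists; their values, the rule names and the priorities are assumptions for the illustration.

```python
import re

# Matches cs1, cs1Label, Cs6 ... ; group 1 is the slot number, group 2 is set
# when the key is the label half of the pair. Case-insensitive on purpose.
_CS_RE = re.compile(r"^cs(\d+)(Label)?$", re.IGNORECASE)


def resolve_custom_strings(ext: dict) -> dict:
    """Replace csN/csNLabel pairs with {label: value}; keep every other key as-is."""
    labels, values, out = {}, {}, {}
    for key, value in ext.items():
        m = _CS_RE.match(key)
        if not m:
            out[key] = value
        elif m.group(2):
            labels[m.group(1)] = value
        else:
            values[m.group(1)] = value
    for slot, value in values.items():
        out[labels.get(slot, f"cs{slot}")] = value  # unlabelled slots keep their key
    return out


# Triage rules: (predicate over a normalized record, alert name, priority).
# The message and act strings are the ones the tables above document.
RULES = [
    (lambda r: "Command blocked and session terminated" in r.get("msg", ""),
     "audited command blocked, session terminated", "high"),
    (lambda r: r.get("act", "").startswith("Recovery attempt failed"),
     "master key recovery failure", "high"),
    (lambda r: r.get("msg", "").startswith("Error changing password"),
     "password rotation failure", "medium"),
    (lambda r: r.get("msg", "").startswith("A session file was modified")
               and r.get("Initial Checksum") != r.get("Final Checksum"),
     "session recording altered", "high"),
]


def triage(records) -> list:
    """Normalize each record and return one alert per matching rule."""
    alerts = []
    for rec in records:
        norm = resolve_custom_strings(rec)
        for predicate, name, priority in RULES:
            if predicate(norm):
                alerts.append({
                    "alert": name, "priority": priority,
                    "user": norm.get("suser"),
                    "host": norm.get("dst") or norm.get("dvc"),
                })
    return alerts


# Constructed sample records (not captured output); field names follow the tables.
SAMPLE_RECORDS = [
    {"msg": "An audited command was detected! Action: Command blocked and session terminated",
     "sname": "Romario", "suser": "romario", "dst": "127.0.0.1", "dpt": "22", "duser": "vault"},
    {"msg": "A session file was modified!", "sname": "Asynchronous Script: 12", "suser": "asc_12",
     "cs1Label": "Id", "cs1": "1001",
     "cs2Label": "Initial Size", "cs2": "4096", "cs3Label": "Final Size", "cs3": "2048",
     "cs4Label": "Initial Checksum", "cs4": "f5751777b74f8e2f",
     "cs5Label": "Final Checksum", "cs5": "284f155557454890"},
    {"msg": "Information 'test' viewed.", "sname": "Jose da Silva", "suser": "jsilva"},
    {"msg": "Recovery attempt failed. The key fractions are invalid",
     "act": "Recovery attempt failed", "suser": "jdoe", "dvc": "10.0.225.14"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```

Resolving the labels first is what keeps rules readable: the session-file rule compares "Initial Checksum" with "Final Checksum" rather than cs4 with cs5, and still works when a future event moves the checksums to other cs slots.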
