Eric Partington

Log - SecurID - Security Events

Blog Post created by Eric Partington Employee on Dec 13, 2016

[This content is now available OOTB from RSA Live]

The comments below have the links to locate information about the content.


Based on some documents and blog posts that I ran across, these charts and rules were created to alert on and display security-relevant events from RSA SecurID / Authentication Manager 8.2+.  The reporting and charting is not intended to replace the built-in logging for user events; it is more of an early warning system to detect potentially critical security events that the SOC should be aware of.


As always, test and post comments with suggestions or improvements.


1 Dashboard

8 charts

16 rules

1 list


All of the content imports under the same folder structure:

RE > Log > SecurID


The RSAACESRV parser must be installed and enabled on the Log Decoders.


Syslog was the log transfer method configured in my testing environment.


Changes to the OOTB index are required so that the result metakey is indexed (the rules and charts key on it).

The table-map-custom and index-concentrator-custom changes that are required are included with the content.
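As an illustration of the kind of change meant here, the following fragments show how a metakey is persisted on the Log Decoder and indexed on the Concentrator. This is an added example, not the custom files shipped with the content; the value of valueMax and the choice of IndexValues are assumptions for illustration and should be checked against the actual files before use.

```xml
<!-- table-map-custom.xml on the Log Decoder (added example, not the shipped file).
     flags="None" persists the key; the OOTB table-map typically leaves it Transient. -->
<mapping envisionName="result" nwName="result" flags="None" format="Text"/>

<!-- index-concentrator-custom.xml on the Concentrator (added example, not the shipped file).
     level="IndexValues" makes the values searchable in rules and charts;
     valueMax="10000" is an assumed cap and should be sized for the deployment. -->
<key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000"/>
```

After editing either file the service has to be restarted for the change to take effect, and a quick check is to confirm that result shows up as an indexed key in the Concentrator's index and that new SecurID events carry a value for it.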


This content has not been tested with Authentication Manager 7.x or earlier 8.x releases (8.0/8.1).