Eric Partington

Log - SecurID - Security Events

Blog Post created by Eric Partington Employee on Dec 13, 2016

[This content is now available OOTB from RSA Live]

The comments below have the links to locate information about the content.

Based on some documents and blog posts that I ran across, these charts and rules were created to alert on and display security-relevant events from RSA SecurID / Authentication Manager 8.2+. The reporting and charting is not intended to replace the built-in logging for user events; it is more of an early-warning system to detect potentially critical security events that the SOC should be aware of.

As always, test and post comments with suggestions or improvements.


1 dashboard
8 charts
16 rules
1 list

All content imports under the same folder structure:

RE > Log > SecurID

The RSAACESRV parser must be installed and enabled on the Log Decoders.

Syslog log transfer was what was configured in my testing environment


Changes to the OOTB index are required to index the result metakey.

The table-map-custom and index-concentrator-custom changes that are needed are included with the content.
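For readers who have not customized the NetWitness index before, the following is an added illustration of what the two custom files do; it is not the author's included content, and the attribute values (description, valueMax) and the file locations in the comments are assumptions based on typical deployments. The Log Decoder side persists the key to disk; the Concentrator side makes its values searchable so the rules and charts can match on them.

```xml
<!-- table-map-custom.xml (Log Decoder, typically /etc/netwitness/ng/envision/etc/).
     The OOTB table-map.xml marks many keys flags="Transient", meaning the value is
     parsed but never written to disk. Overriding "result" with flags="None" persists
     it so the Concentrator has something to index. Illustrative values, assumed. -->
<?xml version="1.0" encoding="utf-8"?>
<mappings>
    <mapping envisionName="result" nwName="result" flags="None" format="Text"/>
</mappings>

<!-- index-concentrator-custom.xml (Concentrator, typically /etc/netwitness/ng/).
     level="IndexValues" indexes each distinct result string, which is what rule
     conditions and chart groupings need; "IndexKeys" would only record that the key
     is present, and "IndexNone" leaves it unsearchable. valueMax caps the number of
     distinct values indexed per slice (assumed value). -->
<?xml version="1.0" encoding="utf-8"?>
<language>
    <key description="Result" level="IndexValues" name="result" format="Text" valueMax="10000" defaultAction="Open"/>
</language>
```

The index change applies to data ingested after the services pick up the new files (restart the Concentrator; reload parsers on or restart the Log Decoder), so a quick check is to generate a test authentication event afterwards and confirm that result appears as a searchable key in Investigation before relying on the alerts.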


Has not been tested with 7.x or earlier versions of 8.x (8.0/8.1).
