RSA SecurID Access

Authored by: Craig Dore (RSA employee)

Better Together: SecurID Access with your SIEM Platform

Introduction

Everyone wants better visibility into the behaviors (or misbehaviors) of their users. We are often asked by customers a simple question: what should we watch out for?

The RSA SecurID® Access Cloud Authentication Service produces a large number of events, emitted both by the Cloud Service itself and by the supporting Identity Router virtual appliance clusters. These events serve a variety of purposes, including:

  • Security and event monitoring
  • System health
  • Supporting audit activities
  • Troubleshooting system or integration issues

These events fall under three major categories: Administration, System and User events. Each event also carries a severity level.

To help you get started, we have collated a shortlist of events that may be of interest, with emphasis on those related to security and critical health warnings. Be warned! This list does not cover every possible event of interest for your deployment and is not intended as an exhaustive list tailored to your organisation.

RSA recommends augmenting this guidance with advice from your knowledgeable delivery partner or from RSA Professional Services, who can provide guidance specific to YOUR organisation.

Furthermore, alerting on events related to the SecurID Cloud Risk Engine adds a further dimension of visibility into suspicious behaviour. This is relevant even if your organisation does not use the risk engine to reduce how often users are challenged: even organisations that choose to challenge specific apps or users can benefit from the risk engine as a monitoring tool for user and device behaviour.

Please consult the full list of Cloud Service Events here: https://community.rsa.com/docs/DOC-99818

If you are a lucky customer that uses the RSA NetWitness Platform as your SIEM, consult the official documentation on how to connect it to the Cloud: https://community.rsa.com/api/core/v3/contents/26032/data?v=1

If you have another SIEM platform, also consult the following document on how to pull Cloud Service Events into your SIEM via the Cloud Event API: https://community.rsa.com/docs/DOC-96948

Cloud Administration Events

It is recommended that all administrative activity relating to the SecurID Cloud Authentication Service be examined, as it represents changes to a system that may have far-reaching consequences. The activities that should be monitored are listed in the following table.

| Activity Key | Activity Code | Message | Suggested Action |
|---|---|---|---|
| SIGNIN_FAILURE | 80002 | Admin {0} sign-in failed | Repeated failures should be alerted upon |
| LOCKED_ADMIN_ACCOUNT | 80003 | System locked admin {0} account | Alert |
| UNLOCKED_ADMIN_ACCOUNT | 80004 | System unlocked admin {0} account | Alert |
| DELETE_POLICY | 80202 | Admin {0} deleted access policy {1} | Alert |
| DELETE_IDR | 80302 | Admin {0} deleted identity router {1} | Alert |
| RESET_IDR_PASSWORD | 80308 | Admin {0} reset the identity router {1} password | Alert |
| DELETE_CLUSTER | 80322 | Admin {0} deleted cluster {1} | Alert |
| DELETE_TRUSTED_LOCATION | 80902 | Admin {0} deleted trusted location {1} | Alert |
| DELETE_ALL_TRUSTED_LOCATIONS | 80903 | Admin {0} deleted all trusted locations | Alert |
| DELETE_TRUSTED_NETWORK | 81003 | Admin {0} deleted trusted network {1} | Alert |
| DELETE_ALL_TRUSTED_NETWORK | 81004 | Admin {0} deleted all trusted networks | Alert |
| DELETE_ADMIN_USER | 82002 | Admin {0} deleted admin user {1} | Alert |
| DELETE_APPLICATION | 82302 | Admin {0} deleted application {1} | Alert |
| DELETE_RELYING_PARTY | 82502 | Admin {0} deleted relying party {1} | Alert |


Cloud System Events

System events trigger the following messages to appear in the System Event Monitor.

| Event Code | Level | Category | Description | Suggested Action |
|---|---|---|---|---|
| 2507 | error | Identity Source Sync | Identity source synchronization not completed successfully. | Alert |
| 2508 | notice | Identity Source Sync | Users are missing one or more unique identifiers. Check the user attribute configurations in both the cloud identity source and the directory server. | Alert |
| 20152 | error | Identity Router | Identity router cannot initiate contact with the Authentication Manager server. | Alert |
| 20155 | error | Identity Router | Identity router cannot connect to Authentication Manager - Unknown error. | Alert |
| 20161 | error | Identity Router | The identity router cannot connect to any configured identity sources. | Alert |
| 20162 | error | Identity Router | The identity router cannot connect to some configured identity sources. | Alert |
| 20165 | error | Identity Router | Some of the configured DNS servers are not working properly. | Alert |
| 20166 | error | Identity Router | None of the configured DNS servers are working properly. | Alert |
| 20184 | error | Identity Router | Identity router CPU usage exceeds the threshold limit. | Alert |
| 20187 | error | Identity Router | Cluster is offline and not in quorum. No configured identity routers are online. | Alert |
| 20189 | error | Identity Router | Identity router memory usage exceeds the threshold limit. | Alert |


Cloud User Events

| Event Code | Level | Description | Suggested Action |
|---|---|---|---|
| 104 | error | Authenticate Tokencode authentication failed - Invalid tokencode. | Alert on repeated attempts |
| 105 | error | Authenticate Tokencode authentication failed - Previously used tokencode detected. | Alert on repeated attempts |
| 114 | error | Identity router API tokencode authentication failed - Cloud Authentication Service unreachable. | Alert – IDR unable to reach cloud |
| 117 | error | Identity router API user status check - Identity source unreachable. | Alert – LDAP unavailable |
| 213 | error | LDAP password authentication failed - Cannot establish a trusted SSL/TLS connection with the LDAP directory server. Check for invalid certificate. | Alert – LDAP unavailable |
| 215 | error | LDAP password authentication failed - Sign-in failure: unknown username or invalid password. | Repeated failures should be alerted upon |
| 224 | error | LDAP password authentication failed - LDAP account locked out. | Alert – user locked out |
| 409 | error | Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact identity router. | Alert – IDR unavailable from Cloud |
| 410 | error | Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact directory server. | Alert – LDAP unavailable for sync |
| 608 | error | RSA SecurID user authentication failed - RSA SecurID service is not available. | Repeated failures: alert (Cloud service down?) |
| 906 | error | Portal sign-in failed - Password reset required. | Alert; possibly alert helpdesk |
| 910 | error | Protected application authentication failed. | Repeated failures should be alerted upon |
| 913 | error | Additional authentication failed. | Repeated failures should be alerted upon |
| 932 | error | Additional authentication failed - User account disabled. | Alert; possibly alert helpdesk |
| 933 | error | Password authentication succeeded - Client does not support required additional authentication methods - Access denied. | Alert; possibly alert helpdesk |
| 935 | error | Unsuccessful password authentication – Access denied. | Repeated failures should be alerted upon |
| 940 | error | Password authentication succeeded - User prohibited by policy settings - Access denied. | Repeated failures should be alerted upon |
| 941 | error | Password authentication succeeded - Access prohibited by conditional policy settings - Access denied. | Repeated failures should be alerted upon |
| 3013 | error | RSA MFA Agent for Microsoft Windows configuration not approved. | Alert; possibly alert helpdesk |
| 3015 | error | RSA MFA Agent for Microsoft Windows unsuccessful configuration. | Alert; possibly alert helpdesk |
| 20403 | error | SAML IdP - Error response sent. If Authentication Details includes "Message was rejected due to issue instant expiration" or "Message was rejected because was issued in the future," then there might be a time-synchronization issue between the service provider and the Cloud Authentication Service. If you see this message during an additional authentication flow for an SSO Agent application, check the time on the identity router. | Alert |
| 20601 | error | RADIUS - LDAP authentication succeeded - Policy contains no RADIUS-compatible methods for additional authentication - Access denied. | Alert |
| 20605 | error | RADIUS - Cloud Authentication Service unreachable - Access denied. | Repeated failures: alert (Cloud service down?) |
| 20615 | notice | RADIUS – Authentication failed. | Repeated failures should be alerted upon |
| 20701 | error | Access denied – User not a member of any identity source in access policy. | Repeated failures should be alerted upon |
| 20702 | error | Access denied – User does not match any rule sets or matches a deny rule set in access policy. | Repeated failures should be alerted upon |
| 20703 | error | Access denied – Policy authentication conditions deny access. | Repeated failures should be alerted upon |
| 20802 | error | SMS Tokencode message transmission attempt failed - Invalid phone number. | Alert; possibly alert helpdesk |
| 20852 | error | Voice Tokencode call attempt failed - Invalid phone number. | Alert; possibly alert helpdesk |
| 21903 | error | SMS Tokencode authentication method locked – User exceeded maximum tokencodes allowed. | Alert; possibly alert helpdesk |
| 21953 | error | Voice Tokencode authentication method locked - User exceeded maximum tokencodes allowed. | Alert; possibly alert helpdesk |
| 25001 | notice | Evaluated identity confidence. See Condition Attributes for Access Policies - Reporting a User's Identity Confidence Score for details. | See the Evaluated Identity Confidence section below. When the "Confidence" attribute is greater than the "Confidence Threshold" the risk is low, therefore do nothing. When the "Confidence" attribute is lower than the "Confidence Threshold" the risk is high, therefore alert. |
| 26004 | error | Emergency Tokencode locked - User previously exceeded maximum attempts. | Alert; possibly alert helpdesk |
| 26005 | error | Emergency Tokencode now locked. | Alert; possibly alert helpdesk |
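The following Python is an added example, not code from RSA or from this post. It turns the Suggested Action columns of the Administration, System and User tables above into one triage routine: codes marked "Alert" fire on a single occurrence, while codes marked "repeated failures should be alerted upon" fire only when the same subject accumulates a burst inside a sliding window. The record layout (category, code, user, timestamp), the threshold, the window and the sample events are all constructed assumptions; map your collector's real fields onto them before use.

```python
"""Map SecurID Access cloud events to the suggested actions in the tables above.

Added example, not RSA code. The event record layout used here (category,
code, user, timestamp) is a constructed stand-in for whatever your Cloud
Event API collector produces; the repeat threshold, the window and the
sample events below are likewise constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Suggested action "Alert" on a single occurrence, per event category.
ALERT_ON_SIGHT = {
    "admin": {80003, 80004, 80202, 80302, 80308, 80322, 80902, 80903,
              81003, 81004, 82002, 82302, 82502},
    "system": {2507, 2508, 20152, 20155, 20161, 20162, 20165, 20166,
               20184, 20187, 20189},
    "user": {114, 117, 213, 224, 409, 410, 906, 932, 933, 3013, 3015,
             20403, 20601, 20802, 20852, 21903, 21953, 26004, 26005},
}
# Suggested action "repeated failures should be alerted upon".
ALERT_ON_REPEAT = {
    "admin": {80002},
    "system": set(),
    "user": {104, 105, 215, 608, 910, 913, 935, 940, 941, 20605, 20615,
             20701, 20702, 20703},
}
# Event 25001 (identity confidence) needs an attribute comparison instead of a
# code lookup, so it is deliberately left out of both sets.

REPEAT_THRESHOLD = 5                   # constructed: failures per subject ...
REPEAT_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def triage(events, threshold=REPEAT_THRESHOLD, window=REPEAT_WINDOW):
    """Return alert strings, in time order, for a batch of event records."""
    alerts = []
    # (category, code, user) -> timestamps of recent failures still in window
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        cat, code, user, ts = ev["category"], ev["code"], ev["user"], ev["timestamp"]
        if code in ALERT_ON_SIGHT.get(cat, ()):
            alerts.append(f"ALERT {cat} {code} user={user}")
        elif code in ALERT_ON_REPEAT.get(cat, ()):
            q = recent[(cat, code, user)]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(f"ALERT repeated {cat} {code} user={user} "
                              f"x{len(q)} in {window}")
                q.clear()                  # one alert per burst, not per event
    return alerts


_T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample records, not real Cloud Event API output
    {"category": "admin", "code": 80002, "user": "alice",
     "timestamp": _T0 + timedelta(minutes=m)} for m in range(5)  # 5 admin sign-in failures
] + [
    {"category": "admin", "code": 80202, "user": "alice", "timestamp": _T0 + timedelta(minutes=6)},
    {"category": "user", "code": 215, "user": "bob", "timestamp": _T0 + timedelta(minutes=1)},
    {"category": "user", "code": 215, "user": "bob", "timestamp": _T0 + timedelta(minutes=2)},
    {"category": "user", "code": 224, "user": "carol", "timestamp": _T0 + timedelta(minutes=3)},
    {"category": "user", "code": 215, "user": "bob", "timestamp": _T0 + timedelta(minutes=30)},
]


def demo():
    """Triage the constructed sample: one lockout, one admin burst, one deletion."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Bob's three LDAP failures never reach the threshold because the last one falls outside the ten-minute window, which is the behaviour you want from a "repeated failures" rule; tune the threshold and window to your own admin and user populations rather than keeping the constructed values.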

 

 


 

Evaluated Identity Confidence Event (Risk Engine)

As you can see from the log sample below, the parser must be configured to evaluate the value of the confidence attribute against the confidenceThreshold value. If confidence is lower than confidenceThreshold, the risk is considered high and an alert containing the named user identifier should be generated.
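The check described above, written out as an added Python example (not RSA code and not the parser shipped with any SIEM): a 25001 event alerts only when confidence is lower than confidenceThreshold. Only the two attribute names come from this post; the JSON layout (eventCode, userId and the two attributes at the top level of each record) and the sample lines are constructed assumptions, so adjust the key paths to whatever your collector emits. Records that are not 25001, are not valid JSON, or lack a usable numeric pair are skipped rather than guessed at.

```python
"""Evaluate SecurID Access event 25001 (identity confidence) for a SIEM parser.

Added example, not RSA code. The attribute names confidence and
confidenceThreshold come from the blog text; the surrounding JSON layout
(eventCode, userId, attributes at the top level) and the sample records are
constructed assumptions.
"""
import json

CONFIDENCE_EVENT_CODE = "25001"


def _as_number(value):
    """Accept ints, floats or numeric strings; return None for anything else."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def evaluate_confidence(event):
    """Return an alert dict for a high-risk 25001 event, else None.

    Risk is high when confidence is lower than confidenceThreshold, as stated
    above. Equal values are treated as not lower, so they do not alert.
    """
    if str(event.get("eventCode")) != CONFIDENCE_EVENT_CODE:
        return None
    confidence = _as_number(event.get("confidence"))
    threshold = _as_number(event.get("confidenceThreshold"))
    if confidence is None or threshold is None:
        return None          # malformed record: do not guess, let it through unalerted
    if confidence < threshold:
        return {"user": event.get("userId"), "confidence": confidence,
                "threshold": threshold, "risk": "high"}
    return None


def evaluate_lines(lines):
    """Run the check over raw JSON lines; lines that are not JSON are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        alert = evaluate_confidence(event)
        if alert:
            alerts.append(alert)
    return alerts


SAMPLE_LINES = [  # constructed sample records, not real Cloud Event API output
    '{"eventCode": 25001, "userId": "alice", "confidence": 0.92, "confidenceThreshold": 0.70}',
    '{"eventCode": "25001", "userId": "bob", "confidence": "0.35", "confidenceThreshold": "0.70"}',
    '{"eventCode": 25001, "userId": "carol", "confidence": 0.70, "confidenceThreshold": 0.70}',
    '{"eventCode": 25001, "userId": "dave", "confidenceThreshold": 0.70}',
    '{"eventCode": 910, "userId": "erin"}',
    'not json at all',
]


def demo():
    """Only bob's record (0.35 < 0.70) should produce an alert."""
    return evaluate_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Numeric strings are accepted because collectors frequently stringify every field; the record for dave shows why a missing attribute must not be treated as zero, since that would silently alert on every malformed event.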

 

 

Identity Router Events

Please consult the full list of events emanating from the Identity Router here: https://community.rsa.com/docs/DOC-54120

User Audit Events

User Audit Events contain no security or health events.

Web Services Audit Events

Web Service Audit Events contain no security or health events.

System Audit Events

| Event | Description | Suggested Action |
|---|---|---|
| SYSTEM_ERROR | An error occurred on the identity router. | Alert |
| SYSTEM_REBOOT | The identity router rebooted. | Alert |

IDR Status Events

RSA recommends that all IDR system health events be monitored. Consult the full list of events here, under the "Identity Router Status Events" table: https://community.rsa.com/docs/DOC-54120

RADIUS Audit Events

| Event | Description | Suggested Action |
|---|---|---|
| RADIUS_CHALLENGE_METHODS_NOT_SUPPORTED | A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy. | Alert – triage to IT or helpdesk |
| RADIUS_USER_DEVICE_NOT_REGISTERED | A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user. | Alert – possibly helpdesk |
| RADIUS_INTERNAL_ERROR | The RADIUS service encountered an error. | Alert |

