RSA DLP Sample of DLP Syslog Messages sent to SIEM
Originally Published: 2015-10-30
Article Number
000059766
Applies To
RSA Product Set: RSA DLP
RSA Product/Service Type: Enterprise Manager/Network/Datacenter/Endpoint
RSA Version/Condition: 8.0 / 9.5 / 9.6
Issue
  • This KB article provides samples of the syslog messages that RSA DLP generates (tagged DLP_EM: in the samples) for each of the three solution modules (Network, Datacenter and Endpoint) and that can be forwarded to an RSA enVision SIEM appliance. In the samples the module is identified by the token that follows DLP_EM: (network, discovery and desktop respectively), and the key=value fields after Incident :: differ per module. Placeholders such as ~ and xxxx mask values from the source environment.
Tasks
  1. RSA DLP Network Syslog Message Samples:
Apr 15 18:43:34  DLP_EM:  network NULL ~ 3 Incident :: "RSA DLP Policy Credit Card Numbers Violation" :: "Severity=MEDIUM RiskFactor=40 User=~ Policy=Credit Card Numbers MatchCount=0 userEmail=gem.immanuel@rsa.com  department= organization= action=audit eventTimestamp=2009-09-10T08:17:21Z protocol=ftp sessionSubProtocol=ftp sourceIP=~ sourcePort=1248 destinationIP=~ destinationPort=21 sessionEmailMailFrom= sessionEmailMailto= sessionFtpUser=nwtest sessionHttpMailFrom= sessionHttpMailto= sessionImChatInsider= sessionImChatOutsider= sessionImFtpInsider= sessionImFtpOutsider= Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"


Apr 15 18:43:51  DLP_EM:  network NULL ~ 3 Incident :: "RSA DLP Policy Credit Card Numbers Violation" :: "Severity=MEDIUM RiskFactor=40 User=~ Policy=Credit Card Numbers MatchCount=0 userEmail= department= organization= action=audit eventTimestamp=2009-09-10T08:17:21Z protocol=ftp sessionSubProtocol=ftp sourceIP=~ sourcePort=1248 destinationIP=~ destinationPort=21 sessionEmailMailFrom= sessionEmailMailto= sessionFtpUser=nwtest sessionHttpMailFrom= sessionHttpMailto= sessionImChatInsider= sessionImChatOutsider= sessionImFtpInsider= sessionImFtpOutsider= Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"


Sept 25 12:24:08 10.xx.xx.xxxx DLP_EM: 10.xx.xx.xxxx network NULL v-michaelallen@xxxxxx.com 3 Incident :: "RSA DLP Policy Construction Violation" :: "Severity=MEDIUM RiskFactor=40 User=v-xxxxx@NBNCO@nbnco.com Policy=Construction MatchCount=0 userEmail= department= organization= action=audit eventTimestamp=201x-10-25T01-24-05-00Z protocol=http sessionSubProtocol=http sourceIP=10.x.xx.x sourcePort= destinationIP=128.30.52.103 destinationPort= sessionEmailMailFrom= sessionEmailMailto= sessionFtpUser= sessionHttpMailFrom= sessionHttpMailto= sessionImChatInsider= sessionImChatOutsider= sessionImFtpInsider= sessionImFtpOutsider= Vendor=RSA ProductVersion=9.x.x dlp_event_link='http://10.48.xxxx.xxxx/event/viewnwevent.html?id=684'"
  2. RSA DLP Datacenter Syslog Message Samples:
Apr 15 18:43:04  DLP_EM:  discovery NULL ~ 3 Incident :: "RSA DLP Policy Credit Card Numbers Violation" :: "Severity=HIGH RiskFactor=82 User=~ Policy=Credit Card Numbers MatchCount=62 userEmail= department= organization= action=audit eventTimestamp=2010-02-27T00-57-10-00Z fileMatches=http://~/SiteDirectory/Site1/Shared Documents/Test Data/KE Data/Discover Card/TCDiscoverDCTP1.7.xls fileMatchOwnerDisplayName=~ fileMatchOwnerSID=S-1-5-21-2934366390-3854481991-635503288-7795 Vendor=RSA ProductVersion=8.0.0 dlp_event_link='http:///event/viewcsevent.html?id=21'"


Apr 15 18:43:58  DLP_EM:  discovery NULL S-1-5-21-2934366390-3854481991-635503288-7795 3 Incident :: "RSA DLP Policy Credit Card Numbers Violation" :: "Severity=MEDIUM RiskFactor=42 User=S-1-5-21-2934366390-3854481991-635503288-7795 Policy=Credit Card Numbers MatchCount=6 userEmail= department= organization= action=audit eventTimestamp=2010-02-27T00:57:09Z fileMatches=http://~/SiteDirectory/Site1/Shared Documents/Test Data/KE Data/Discover Card/TCDiscoverDCTP1.25.pdf fileMatchOwnerDisplayName=S-1-5-21-2934366390-3854481991-635503288-7795 fileMatchOwnerSID=S-1-5-21-2934366390-3854481991-635503288-7795 Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"

Apr 15 18:43:59  DLP_EM:  discovery NULL S-1-5-21-2934366390-3854481991-635503288-7795 3 Incident :: "RSA DLP Policy Credit Card Numbers Violation" :: "Severity=MEDIUM RiskFactor=42 User=S-1-5-21-2934366390-3854481991-635503288-7795 Policy=Credit Card Numbers MatchCount=6 userEmail= department= organization= action=audit eventTimestamp=2010-02-27T00:57:09Z fileMatches=http://~/SiteDirectory/Site1/Shared Documents/Test Data/KE Data/Discover Card/TCDiscoverDCTP1.22.xls fileMatchOwnerDisplayName=S-1-5-21-2934366390-3854481991-635503288-7795 fileMatchOwnerSID=S-1-5-21-2934366390-3854481991-635503288-7795 Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"

Apr 15 18:43:59  DLP_EM:  discovery NULL S-1-5-21-2934366390-3854481991-635503288-7795 3 Incident :: "RSA DLP Policy Credit Card Numbers Violation" :: "Severity=LOW RiskFactor=10 User=S-1-5-21-2934366390-3854481991-635503288-7795 Policy=Credit Card Numbers MatchCount=3 userEmail= department= organization= action=audit eventTimestamp=2010-02-27T00:57:09Z fileMatches=http://~/SiteDirectory/Site1/Shared Documents/Test Data/KE Data/Discover Card/TCDiscoverDCTP1.4.doc fileMatchOwnerDisplayName=S-1-5-21-2934366390-3854481991-635503288-7795 fileMatchOwnerSID=S-1-5-21-2934366390-3854481991-635503288-7795 Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"

  3. RSA DLP Endpoint Syslog Message Samples:
Apr 15 18:43:43  DLP_EM:  desktop NULL cn=,cn=users,dc=iim,dc=com 3 Incident :: "RSA DLP Policy US Passport Numbers Violation" :: "Severity=MEDIUM RiskFactor=42 User=cn=,cn=users,dc=iim,dc=com Policy=US Passport Numbers MatchCount=0 userEmail=@iim.com  department= organization= action=audit eventTimestamp=2010-03-19T18:42:43Z usage=copymove-netshare usageIp=~ usageApplication=Explorer.EXE usageSourceDeviceType= usageSourceIp= usageSourceUnc= usageDestinationDeviceType=Network Drive usageDestinationIp= usageDestinationUnc=\\~\c$\test data\folder1\folder1\madhavi\ssn.txt Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"

Apr 15 18:43:43  DLP_EM:  desktop NULL cn=,cn=users,dc=iim,dc=com 3 Incident :: "RSA DLP Policy US Passport Numbers Violation" :: "Severity=CRITICAL RiskFactor=100 User=cn=,cn=users,dc=iim,dc=com Policy=US Passport Numbers MatchCount=0 userEmail=@iim.com  department= organization= action=audit eventTimestamp=2010-03-19T18:31:51Z usage=copymove-netshare usageIp=~ usageApplication=Explorer.EXE usageSourceDeviceType= usageSourceIp= usageSourceUnc= usageDestinationDeviceType=Network Drive usageDestinationIp= usageDestinationUnc=\\~\c$\test data\folder1\copy from 190\ssn_h.txt Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"


Apr 15 18:42:32  DLP_EM:  desktop NULL cn=,cn=users,dc=iim,dc=com 3 Incident :: "RSA DLP Policy US Passport Numbers Violation" :: "Severity=CRITICAL RiskFactor=100 User=cn=,cn=users,dc=iim,dc=com Policy=US Passport Numbers MatchCount=0 userEmail=@iim.com  department= organization= action=audit eventTimestamp=2010-03-19T18:40:32Z usage=copymove-netshare usageIp=~ usageApplication=Explorer.EXE usageSourceDeviceType= usageSourceIp= usageSourceUnc= usageDestinationDeviceType=Network Drive usageDestinationIp= usageDestinationUnc=\\~\c$\test data\folder1\folder1\madhavi\ssn_h.txt Vendor=RSA ProductVersion=8.0.0 dlp_event_link=''"
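The three message shapes above share one envelope (syslog timestamp, optional relay host, DLP_EM:, optional Enterprise Manager address, module token, user, then Incident :: "<title>" :: "<key=value ...>") but carry different body fields per module. What follows is an added example, not RSA code and not part of this article: a small Python parser plus an assumed triage rule, written to show how to structure these lines before a SIEM rule runs over them. The practical catch is that body values are not quoted, so values containing spaces (Policy=Credit Card Numbers, the SharePoint and UNC paths) or a second '=' (the LDAP DN in User=, the ?id= query in dlp_event_link) break a naive whitespace split; the parser splits only at whitespace that is immediately followed by key=. The sample lines embedded in the block are abridged copies of the article's own samples; needs_escalation, its threshold of 80 and the module-to-destination mapping in destination() are my assumptions, as is tolerating the two eventTimestamp shapes and the "Sept" month token that the samples show.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Envelope: <ts> [relay] DLP_EM: [EM host] <module> <x> <user> <n> Incident :: "<title>" :: "<body>"
HEADER_RE = re.compile(
    r'^(?P<syslog_ts>[A-Za-z]{3,4}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<relay>\S+)\s+)?DLP_EM:\s+(?:\S+\s+)?'
    r'(?P<module>network|discovery|desktop)\s+\S+\s+(?P<user>\S+)\s+\d+\s+'
    r'Incident :: "(?P<title>[^"]*)" :: "(?P<body>.*)"\s*$')
# Body values are unquoted and may contain spaces (Policy=Credit Card Numbers, SharePoint/UNC
# paths) or '=' (LDAP DNs, ?id= in dlp_event_link): split only at whitespace followed by "<key>=".
KV_SPLIT_RE = re.compile(r'\s+(?=[A-Za-z_]\w*=)')
# eventTimestamp occurs as 2009-09-10T08:17:21Z and as 2010-02-27T00-57-10-00Z in the samples.
EVENT_TS_RE = re.compile(r'^(\d{4})-(\d{2})-(\d{2})T(\d{2})[:-](\d{2})[:-](\d{2})')

# Abridged copies of the article's samples (one per module plus the relayed network
# line); "~" and "xxxx" are the article's own redaction placeholders, not live data.
SAMPLES: List[str] = [
    'Apr 15 18:43:34  DLP_EM:  network NULL ~ 3 Incident :: "RSA DLP Policy Credit Card Numbers '
    'Violation" :: "Severity=MEDIUM RiskFactor=40 User=~ Policy=Credit Card Numbers MatchCount=0 '
    'userEmail=gem.immanuel@rsa.com  department= action=audit eventTimestamp=2009-09-10T08:17:21Z '
    'protocol=ftp sourceIP=~ sourcePort=1248 destinationIP=~ destinationPort=21 sessionFtpUser=nwtest '
    'Vendor=RSA ProductVersion=8.0.0 dlp_event_link=\'\'"',
    'Sept 25 12:24:08 10.xx.xx.xxxx DLP_EM: 10.xx.xx.xxxx network NULL v-michaelallen@xxxxxx.com 3 '
    'Incident :: "RSA DLP Policy Construction Violation" :: "Severity=MEDIUM RiskFactor=40 '
    'User=v-xxxxx@NBNCO@nbnco.com Policy=Construction MatchCount=0 action=audit '
    'eventTimestamp=201x-10-25T01-24-05-00Z protocol=http sourceIP=10.x.xx.x sourcePort= '
    'destinationIP=128.30.52.103 destinationPort= Vendor=RSA ProductVersion=9.x.x '
    'dlp_event_link=\'http://10.48.xxxx.xxxx/event/viewnwevent.html?id=684\'"',
    'Apr 15 18:43:04  DLP_EM:  discovery NULL ~ 3 Incident :: "RSA DLP Policy Credit Card Numbers '
    'Violation" :: "Severity=HIGH RiskFactor=82 User=~ Policy=Credit Card Numbers MatchCount=62 '
    'action=audit eventTimestamp=2010-02-27T00-57-10-00Z fileMatches=http://~/SiteDirectory/Site1/'
    'Shared Documents/Test Data/KE Data/Discover Card/TCDiscoverDCTP1.7.xls fileMatchOwnerDisplayName=~ '
    'fileMatchOwnerSID=S-1-5-21-2934366390-3854481991-635503288-7795 Vendor=RSA ProductVersion=8.0.0 '
    'dlp_event_link=\'http:///event/viewcsevent.html?id=21\'"',
    'Apr 15 18:43:43  DLP_EM:  desktop NULL cn=,cn=users,dc=iim,dc=com 3 Incident :: "RSA DLP Policy '
    'US Passport Numbers Violation" :: "Severity=MEDIUM RiskFactor=42 User=cn=,cn=users,dc=iim,dc=com '
    'Policy=US Passport Numbers MatchCount=0 userEmail=@iim.com  action=audit '
    'eventTimestamp=2010-03-19T18:42:43Z usage=copymove-netshare usageApplication=Explorer.EXE '
    'usageDestinationDeviceType=Network Drive '
    r'usageDestinationUnc=\\~\c$\test data\folder1\folder1\madhavi\ssn.txt Vendor=RSA '
    'ProductVersion=8.0.0 dlp_event_link=\'\'"',
]

def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value and value.isdigit() else None   # '' and '~' -> None

def parse_event_timestamp(value: str) -> Optional[datetime]:
    """Accept both timestamp shapes; None when redacted (201x-...) or malformed."""
    m = EVENT_TS_RE.match(value or '')
    if not m:
        return None
    try:
        return datetime(*(int(g) for g in m.groups()), tzinfo=timezone.utc)
    except ValueError:
        return None

def parse_kv_body(body: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for token in KV_SPLIT_RE.split(body.strip()):
        key, sep, value = token.partition('=')      # split at the FIRST '=' only
        if sep:
            fields[key] = value
    return fields

def parse_dlp_syslog(line: str) -> Optional[dict]:
    """Structured event for one DLP_EM incident line, None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    f = parse_kv_body(m.group('body'))
    return {'syslog_ts': m.group('syslog_ts'), 'relay': m.group('relay'),
            'module': m.group('module'), 'user': m.group('user'), 'title': m.group('title'),
            'severity': f.get('Severity'), 'risk_factor': _to_int(f.get('RiskFactor')),
            'match_count': _to_int(f.get('MatchCount')),
            'event_time': parse_event_timestamp(f.get('eventTimestamp', '')),
            'event_link': f.get('dlp_event_link', '').strip("'") or None, 'fields': f}

def destination(event: dict) -> str:
    """Module-specific 'where did the data go' field (my mapping, not RSA's)."""
    f = event['fields']
    if event['module'] == 'network':
        return f"{f.get('destinationIP', '')}:{f.get('destinationPort', '')}"
    if event['module'] == 'discovery':
        return f.get('fileMatches', '')
    return f.get('usageDestinationUnc', '')

def needs_escalation(event: dict, min_risk: int = 80) -> bool:
    """Assumed triage rule, not from the article: HIGH/CRITICAL or RiskFactor >= min_risk."""
    sev = (event['severity'] or '').upper()
    return sev in ('HIGH', 'CRITICAL') or (event['risk_factor'] or 0) >= min_risk

if __name__ == '__main__':
    for ev in filter(None, map(parse_dlp_syslog, SAMPLES)):
        flag = 'ESCALATE' if needs_escalation(ev) else 'audit'
        print(f"{ev['module']:<9} {ev['severity']:<8} {flag:<8} {ev['fields'].get('Policy')} -> {destination(ev)}")
```

Running the file prints one triage line per sample. The split rule has a known limit: a value that itself contains the text " word=" (possible in a file path, though none of the fields shown do) would be cut in two; if that matters in your environment, restrict the split points to the set of field names you actually see in these messages.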