SIEM
Introduction
The senhasegura solution collects detailed information and events from the environment. This data can be forwarded to Security Information and Event Management solutions, or simply SIEM solutions.
Objective
The purpose of this section is to help users with administrator privileges configure monitoring of the senhasegura environment for incident detection and notification by e-mail, on screen, by SMS and through messaging protocols.
Operation
The senhasegura monitoring system collects information about the monitored aspects of the environment and transmits it by various means, such as SMS, instant messaging, e-mail and ticket opening. The monitoring module covers a range of solution metrics, from table identifier information to running robots.
SIEM solutions allow the organization's Information Security administrators to view and track activity in the IT environment by collecting the log data generated by senhasegura.
From this log data, the SIEM identifies, categorizes and analyzes incidents and events, reports security incidents as potentially malicious activity, and raises alerts when a potential security threat is detected, according to the rule set configured in the environment.
Some of the alerts that can be sent by senhasegura include: authentication of a user on the appliance, remote login to a device, senhasegura server malfunctions, or password expiration.
senhasegura is compatible with the most widely used SIEM tools on the market, and supports messaging in CEF, Syslog (RFC 5424) and Sensage formats.
About messages in CEF format
CEF (Common Event Format) is a message format designed to standardize the delivery of information to SIEMs. A CEF message consists of a pipe-delimited header followed by an extension of key=value pairs. The header is filled as follows:
Version: CEF:0
Device Vendor: MT4
Device Product: senhasegura
Device Version: senhasegura version
Signature ID: event type ID
Name: event type name
Severity: 10 - event type criticality (CEF severity is an integer from 0 to 10)
The remaining event fields are carried in the extension as key=value pairs, including the msg key, which holds the event message.
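The parser below shows how a SIEM takes a CEF line apart into the header fields listed above and the key=value extension, and then checks the header against the values this page documents (CEF:0, vendor MT4, product senhasegura). It is an added example, not senhasegura code or an official message sample: the syslog prefix, device version, signature ID 1001, event name, severity 7 and the extension keys in the sample line are placeholders, and the escaping rules it handles (\| and \\ in the header, \= and \\ in the extension) are those of the CEF specification.

```python
"""Parse CEF messages the way a SIEM ingests them, then check the header
against the values this page documents for senhasegura."""
import re

# Header values the page documents for senhasegura.
EXPECTED_VERSION = "0"          # "CEF:0"
EXPECTED_VENDOR = "MT4"
EXPECTED_PRODUCT = "senhasegura"

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A new extension key starts at the beginning of the extension or after whitespace: "key=".
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _unescape(value):
    """Undo CEF extension escapes: \\= \\\\ \\n \\r (any other escaped char is kept literally)."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces and escaped '='."""
    result = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line):
    """Parse one CEF line, optionally preceded by a syslog header."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    body = line[start + len("CEF:"):]
    fields, buf, i, n = [], [], 0, len(body)
    # The header is the first 7 fields separated by unescaped '|'; '\|' and '\\' are escapes.
    while i < n and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < n:
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) == 6 and buf:      # header with no trailing '|' and no extension
        fields.append("".join(buf))
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    record = dict(zip(HEADER_FIELDS, fields))
    record["syslog_prefix"] = line[:start].rstrip()
    record["extension"] = parse_extension(body[i:])
    return record


def check_header(record):
    """Return the header problems an ingest rule for senhasegura events should flag."""
    problems = []
    if record["version"] != EXPECTED_VERSION:
        problems.append(f"unexpected CEF version {record['version']!r}")
    if record["device_vendor"] != EXPECTED_VENDOR:
        problems.append(f"unexpected vendor {record['device_vendor']!r}")
    if record["device_product"] != EXPECTED_PRODUCT:
        problems.append(f"unexpected product {record['device_product']!r}")
    sev = record["severity"]
    if not (sev.isdigit() and 0 <= int(sev) <= 10):
        problems.append(f"severity {sev!r} is not an integer in 0-10")
    return problems


# Constructed sample. Only "CEF:0", "MT4" and "senhasegura" come from the page; the
# syslog prefix, device version 3.0, signature ID 1001, event name, severity 7 and
# the extension keys are placeholders, not values documented for senhasegura.
SAMPLE = ("<14>May  2 10:15:30 pam01 senhasegura: "
          "CEF:0|MT4|senhasegura|3.0|1001|User authentication|7|"
          "suser=alice src=10.0.0.5 msg=User alice authenticated via web\\=console")

if __name__ == "__main__":
    rec = parse_cef(SAMPLE)
    print(rec["signature_id"], rec["name"], rec["severity"], rec["extension"])
    print("problems:", check_header(rec))
```

Because the extension has no quoting, a value may contain spaces and a key is recognized only as a token directly followed by "=" after whitespace; that is why senhasegura must escape "=" inside message text, and why the parser unescapes it after splitting rather than before.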
About messages in RFC5424 format
In this mode, syslog messages are sent according to RFC 5424. The header fields are set to the following values:
priority: set according to the event type (the PRI value combines it with the facility below as facility * 8 + severity)
facility: 1 (user-level messages)
app-name: senhasegura
procid: PID of the sending process
msg: event message
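The following parser decodes an RFC 5424 message into its header fields, splits the PRI value back into facility and severity, and checks the fields this page says senhasegura sets (facility 1, APP-NAME senhasegura, a numeric PROCID). It is an added example, not senhasegura code: the hostnames, timestamps, PIDs, structured-data element and message texts in the sample lines are constructed placeholders, and the third line is deliberately a non-senhasegura message to show the check rejecting it.

```python
"""Parse RFC 5424 syslog messages and check the header fields this page says
senhasegura sets (facility 1/user, APP-NAME senhasegura, PROCID = PID)."""
import re

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITY_USER = 1
EXPECTED_APP = "senhasegura"

# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


def _split_structured_data(rest):
    """Separate STRUCTURED-DATA ('-' or one or more [..] elements) from MSG."""
    if rest.startswith("-"):
        end = 1
    elif rest.startswith("["):
        end, n = 0, len(rest)
        while end < n and rest[end] == "[":
            end += 1
            while end < n and rest[end] != "]":
                end += 2 if rest[end] == "\\" else 1   # '\]' may appear inside a param value
            end += 1                                    # consume the closing ']'
    else:
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    sd, remainder = rest[:end], rest[end:]
    if remainder and not remainder.startswith(" "):
        raise ValueError("MSG must be separated from STRUCTURED-DATA by a space")
    return sd, remainder[1:]


def parse_rfc5424(line):
    """Return the header fields as a dict; PRI is decoded into facility and severity."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:                       # highest facility (23) * 8 + highest severity (7)
        raise ValueError(f"PRI {pri} out of range")
    sd, msg = _split_structured_data(m.group("rest"))
    if msg.startswith("\ufeff"):        # RFC 5424 allows a UTF-8 BOM in front of MSG
        msg = msg[1:]
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "version": int(m.group("version")),
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app_name": m.group("app"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "structured_data": sd,
        "msg": msg,
    }


def check_senhasegura(rec):
    """Flag headers that do not match what the page says senhasegura sends."""
    problems = []
    if rec["facility"] != FACILITY_USER:
        problems.append(f"facility {rec['facility']} is not 1 (user)")
    if rec["app_name"] != EXPECTED_APP:
        problems.append(f"APP-NAME {rec['app_name']!r} is not {EXPECTED_APP!r}")
    if not rec["procid"].isdigit():
        problems.append(f"PROCID {rec['procid']!r} is not a PID")
    return problems


# Constructed samples: hostnames, timestamps, PIDs, structured data and message texts
# are placeholders for this illustration, not messages documented for senhasegura.
SAMPLE_LOGIN = ("<14>1 2024-05-02T10:15:30.000Z pam01 senhasegura 2481 - - "
                "User alice authenticated on the appliance")                  # 14 = 1*8 + 6 (info)
SAMPLE_EXPIRY = ("<9>1 2024-05-02T10:16:00.000Z pam01 senhasegura 2481 - "
                 "[meta seq=\"42\"] Password for account root@db01 expired")  # 9 = 1*8 + 1 (alert)
SAMPLE_FOREIGN = "<34>1 2024-05-02T10:17:00Z bastion sshd 900 - - Accepted publickey for bob"  # 34 = 4*8 + 2

if __name__ == "__main__":
    for line in (SAMPLE_LOGIN, SAMPLE_EXPIRY, SAMPLE_FOREIGN):
        rec = parse_rfc5424(line)
        print(rec["facility"], rec["severity_name"], rec["app_name"], rec["msg"],
              check_senhasegura(rec))
```

Decoding PRI is what lets a SIEM rule key on the severity senhasegura assigns per event type while filtering on facility 1 and APP-NAME to separate these messages from everything else arriving on the same syslog port.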