Version: 3.25

SIEM Configured Messages

The following messages are configured for sending through SIEM:

Messages Type (SUID)

| SUID | Events |
| --- | --- |
| 8 | Loss / Recovery Connectivity |
| 9 | Password change performed |
| 15 | Backup Performed |
| 17 | Password changed |
| 153 | Session Started / Ended |
| 164 | Password Displayed |

| Key | Description |
| --- | --- |
| dst | IP of event target device |
| dhost | Hostname of device affected by event |

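As an added example (not part of this documentation or of senhasegura's own code), the parser below reads a message written as key=value pairs, splitting correctly where values such as sname and msg contain spaces, and maps suid to the event type from the SUID table above. The key=value layout and the list of SUIDs to alert on are assumptions made for the example; the sample messages are constructed from the example values in the tables on this page.

```python
import re

# SUID -> event type, copied from the "Messages Type (SUID)" table above.
SUID_EVENTS = {
    8: "Loss / Recovery Connectivity", 9: "Password change performed",
    15: "Backup Performed", 17: "Password changed",
    153: "Session Started / Ended", 164: "Password Displayed",
}
# SUIDs to alert on individually (an assumption for this example, not a documented setting).
ALERT_SUIDS = {164}

# Constructed sample messages (not captured output), assembled from the example
# values in the tables on this page in key=value form. sname and msg contain
# spaces, so the pairs cannot simply be split on whitespace.
SAMPLE_MESSAGES = [
    "suid=164 sname=Stephen Lee suser=stlee duser=root duid=35 dst=127.0.0.1 "
    "dhost=localhost msg=Password localhost (127.0.0.1) - Domain User - root "
    "changed by user stlee",
    "suid=153 sname=Stephen Lee suser=stlee dst=127.0.0.1 duser=srv_admin "
    "msg=Session terminated for localhost (127.0.0.1) - Privileged Domain User "
    "- srv_admin by the user Stephen Lee (stlee)",
    "suid=15 sname=Asynchronous Script: 8 dhost=localhost "
    "msg=Backup sent to server 'localhost:/srv/backup' via local",
]

# Split only at whitespace followed by a key-shaped token and "=", so spaces inside values survive.
_PAIR_BOUNDARY = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9]*=)")


def parse_extension(ext: str) -> dict:
    """Return the key=value pairs of one message as a dict."""
    fields = {}
    for pair in _PAIR_BOUNDARY.split(ext.strip()):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def classify(ext: str) -> dict:
    """Parse one message and attach the event type from the SUID table."""
    fields = parse_extension(ext)
    suid = int(fields.get("suid", -1))
    return {
        "suid": suid,
        "event": SUID_EVENTS.get(suid, "Unknown SUID"),
        "actor": fields.get("suser", ""),
        "target_account": fields.get("duser", ""),
        "device": fields.get("dhost") or fields.get("dst", ""),
        "alert": suid in ALERT_SUIDS,
    }
```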
Backup

| Key | Example | Description |
| --- | --- | --- |
| msg | Backup sent to server ’localhost:/srv/backup’ via local | |
| suid | | Message Type |
| sname | Asynchronous Script: 8 | Backup Script Identifier |
| suser | | Not applicable |
| spid | | Notification Unique Identifier |
| dhost | localhost | Name of server where backup is generated |

Loss of Connectivity

| Key | Example | Description |
| --- | --- | --- |
| msg | Localhost appliance (127.0.0.1) has lost SSH connectivity | |
| suid | | Message Type |
| sname | Asynchronous Script: 9 | Name of user who has lost connectivity |
| suser | | Not applicable |
| spid | | Notification Unique Identifier |
| dst | .0.1 | Device IP |
| dhost | localhost | Name of server where backup is generated |
| dport | | Device’s Port |

Restored Connectivity

| Key | Example | Description |
| --- | --- | --- |
| msg | Localhost appliance (127.0.0.1) has recovered SSH connectivity | |
| suid | | Message Type |
| sname | Asynchronous Script: 9 | Name of the user who had the session reinstated |
| suser | | Not applicable |
| spid | | Notification Unique Identifier |
| dst | .0.1 | Device IP |
| dhost | localhost | Name of server where backup is generated |
| dport | | Device’s Port |

Password changed

| Key | Example | Description |
| --- | --- | --- |
| msg | Password localhost (127.0.0.1) - Domain User - root changed by user stlee | |
| suid | | Notification Unique Identifier |
| sname | Stephen Lee | Username that changed the password |
| suser | | Not applicable |
| spid | | Notification Unique Identifier |
| duser | root | Password Username changed |
| duid | | |
| dst | .0.1 | Device IP |
| dhost | localhost | Password device name |

Password viewed

| Key | Example | Description |
| --- | --- | --- |
| msg | Password localhost (127.0.0.1) - Domain User - root changed by user stlee | |
| suid | | Message Type |
| sname | Stephen Lee | User who viewed the password |
| suser | | Not applicable |
| spid | | Notification Unique Identifier |
| duser | root duid=35 | Username of password displayed |
| dst | .0.1 | Password Device IP |
| dhost | localhost | Password device name |

Session Ended

| Key | Example | Description |
| --- | --- | --- |
| msg | Session terminated for localhost (127.0.0.1) - Privileged Domain User - srv_admin by the user Stephen Lee (stlee) | |
| suid | | Identify the message type |
| sname | Stephen Lee | User who logged out |
| suser | stlee | Login of the user who logged out |
| spid | | Notification Unique Identifier |
| dst | .0.1 | Device’s IP |
| dport | | Device’s Port |
| duser | srv_admin | Login used in remote session |

Session Started

| Key | Example | Description |
| --- | --- | --- |
| msg | Session started for localhost (127.0.0.1) - Privileged Domain User - root by the user Stephen Lee (stlee) | |
| suid | | Identify the message type |
| sname | Stephen Lee | Login User |
| suser | stlee | Login of the logged in user |
| spid | | Notification Unique Identifier |
| dst | .0.1 | Device’s IP |
| dpt | | Device’s Port |
| duser | root | Login used in remote session |

Exchange performed

| Key | Example | Description |
| --- | --- | --- |
| msg | Session terminated for localhost (127.0.0.1) - Privileged Domain User - by the user Stephen Lee (stlee) | |
| suid | | Message Type |
| sname | Asynchronous Script: 17 | Password exchange script identifier |
| suser | | Not used in this interface |
| spid | | Identify the message type |
| dst | .0.1 | Device’s IP |
| duser | root | User whose password was changed |

Audited command executed

| Key | Example | Description |
| --- | --- | --- |
| msg | An audited command has been detected! Action: ”[system action] | |
| suid | | User logged in |
| sname | Stephen Lee | User that started the session |
| suser | stlee | Login of the user that started the session |
| spid | | Not applicable |
| dst | | Not applicable |
| dpt | | Not applicable |
| duser | | Not applicable |

Information viewed

| Key | Example | Description |
| --- | --- | --- |
| msg | Information ’my example’ has been visualized. | |
| suid | | Logged User |
| sname | Stephen Lee | User that started the session |
| suser | stlee | Login of the user that started the session |
| spid | | Message Type |
| dst | | Not applicable |
| dpt | | Not applicable |
| duser | | Not applicable |

Information changed

| Key | Example | Description |
| --- | --- | --- |
| msg | Information ’my example’ has been changed. | |
| suid | | Logged user |
| sname | Stephen Lee | User that started the session |
| suser | stlee | Login of the user that started the session |
| spid | | Message Type |
| dst | | Not applicable |
| dpt | | Not applicable |
| duser | | Not applicable |

Password Access Request

| Key | Example | Description |
| --- | --- | --- |
| msg | User ’Stephen Lee’ has created a request. Request Details: View password action for cqss credential on win2012 device (192.168.10.156) | |
| suid | | Logged User |
| sname | Stephen Lee | Name of the logged user |
| suser | stlee | Logged user’s username |
| spid | | Process PID |
| dst | .10.156 | Target IP |
| dpt | | Not applicable |
| duser | cqss | User requested |
| cs1Label | GMUD | Field’s label |
| cs1 | | File’s ID |
| cs2Label | Validity Start | Field’s label |
| cs2 | -01-19 10:41:00 | Request Start Date |
| cs3Label | Validity End | Field’s label |
| cs3 | -01-19 11:41:00 | Request expiration date |
| cs4Label | Approver | Field’s label |
| cs4 | Administrator | Approved User |
| cs5Label | Requester | Field label |
| cs5 | Stephen | Field’s label |
| Cs6 | Action | Field’s label |
| Cs7 | View password | Action’s description |

Request approved

| Key | Example | Description |
| --- | --- | --- |
| msg | Application approved by Administrator on 19/01/2017 10:44:30. Code: S000296 Requestor: Steven Lee Requested on: 19/01/2017 10:44:13 Request detail: View password action for cqss credential on device win2012 (192.168.10.156) | |
| suid | | Logged User |
| sname | Leia West | Name of the logged user |
| suser | lwest | Logged user’s username |
| spid | | Process PID |
| dst | .10.156 | Target IP |
| dpt | | Not used |
| duser | cqss | Requested Credential User |
| cs1Label | GMUD | Field’s label |
| cs1 | | File’s ID |
| cs2Label | Validity End | Field’s label |
| cs2 | -01-19 10:41:00 | Request Start Date |
| cs3Label | Validity End | Field’s label |
| cs3 | -01-19 11:41:00 | Request Expiration Date |
| cs4Label | Approver | Field’s label |
| cs4 | Administrator | Approver User |
| cs5Label | Requester | Field’s label |
| cs5 | Steven Lee | Requesting User |
| Cs6 | Action | Field’s label |
| Cs7 | View Password | Action’s description |

Request disapproved

| Key | Example | Description |
| --- | --- | --- |
| msg | Information ’test’ viewed. | |
| suid | | Logged User |
| sname | Steven Lee | Name of the logged user |
| suser | stlee | Logged user’s username |
| spid | | Process PID |
| dst | .10.156 | Target IP |
| dpt | | Not used |
| duser | cqss | Requested user login |
| cs1Label | GMUD | Field’s label |
| cs1 | | File’s ID |
| cs2Label | Validity Start | Field’s label |
| cs2 | -01-19 10:41:00 | Request start date |
| cs3Label | Validity End | Field’s label |
| cs3 | -01-19 11:41:00 | Request expiration date |
| cs4Label | Approver | Field’s label |
| cs4 | Administrator | Approver User |
| cs5Label | Requester | Field’s label |
| cs5 | Leia West | User Requester |
| Cs6 | Action | Field’s Label |
| Cs7 | View password | Action description |

Command Detected - Lock and Stop Session

| Key | Example | Description |
| --- | --- | --- |
| msg | An audited command has been detected! Action: Command blocked and session interrupted | |
| suid | | Logged user |
| sname | Caleb | User that started the session |
| suser | caleb | Username of the user that started the session |
| spid | | Message Type |
| dst | .0.1 | Target IP |
| dpt | | Port used |
| duser | usrmanut | User used to start the session |

Command Detected - Block

| Key | Example | Description |
| --- | --- | --- |
| msg | An audited command has been detected! Action: Command Notified and Allowed | |
| suid | | Logged User |
| sname | Caleb | User that started the session |
| suser | caleb | Username of the user that started the session |
| spid | | Message Type |
| dst | .0.1 | Target IP |
| dpt | | Port used |
| duser | usrmanut | User used to start the session |

Password change error

| Key | Example | Description |
| --- | --- | --- |
| msg | Error changing password ’Windows SQL Test Remote App (192.168.30.55) - Domain User – ’stleeadm’: The device ’Windows SQL Test Remote App (192.168.30.55)’ has no Windows RPC connectivity | |
| suid | | Logged User |
| sname | Stephen Lee | Name of the user that started the session |
| suser | stlee | Username of the user that started the session |
| spid | | Message Type |
| dst | .30.55 | Target IP |
| dpt | | Not applicable |
| duser | stleeadm | User used to start the session |

Warehouse archive changed

| Key | Example | Description |
| --- | --- | --- |
| msg | A session file has been modified! | |
| suid | | User logged |
| sname | Asynchronous Script: 12 | Name of the logged user |
| suser | asc_12 | Username of the logged user |
| spid | | Process PID |
| dst | | Not applicable |
| dpt | | Not applicable |
| duser | | Not applicable |
| cs1Label | Id | Field’s Label |
| cs1 | | File’s ID |
| cs2Label | Initial Size | Field’s Label |
| cs2 | | Initial file size in bytes |
| cs3Label | Final size | Field label |
| cs3 | | Final file size in bytes |
| cs4Label | Initial Checksum | Field label |
| cs4 | f5751777b74f8e2f2… | Previous file checksum |
| cs5Label | Final Checksum | Field’s Label |
| cs5 | 284f1555574548901… | Current file checksum |

Master Key - User viewed his part of the key

| Key | Example | Description |
| --- | --- | --- |
| msg | User has seen his part of the key request. | |
| suid | | User logged |
| sname | Stephen Lee | Name of the logged user |
| suser | stlee | Username of the user that started the session |
| Method | POST | |
| act | User has seen his part of the key source | |
| ServiceName | Backup | |

Master Key - User downloaded the PDF with his part of the key

| Key | Example | Description |
| --- | --- | --- |
| msg | User downloaded the PDF with his part of the key request. | |
| suid | | User logged |
| sname | Stephen Lee | Name of the logged user |
| suser | stlee | Username of the user that started the session |
| Method | POST | |
| act | User downloaded the PDF with his part of the key source | |
| ServiceName | Backup | |

Master Key - Ceremony process initiated

| Key | Example | Description |
| --- | --- | --- |
| msg | Ceremony process started. | |
| suid | | User logged |
| sname | José da Silva | Name of the logged user |
| suser | jsilva | Username of the user that started the session |
| spriv | Administrator | |
| Method | POST | Fixed value |
| act | Ceremony process started | Action performed |
| ServiceName | Backup | |

Master Key - Ceremony process finished

| Key | Example | Description |
| --- | --- | --- |
| msg | Ceremony process completed. | |
| suid | | User logged |
| sname | José da Silva | Name of the logged user |
| suser | jsilva | Username of the user that started the session |
| spriv | Administrator | |
| Method | GET | |
| act | Ceremony process completed | |
| ServiceName | Backup | |

Master Key - Master key guardian inactive

| Key | Example | Description |
| --- | --- | --- |
| msg | Master key guardian inactice. | |
| suid | | |
| sname | | |
| suser | | |
| spriv | User | |
| dvc | .225.14 | |
| spid | | |
| act | Incident | |
| dproc | master_key_guardian | |

Master Key - Failed recovery attempt

| Key | Example | Description |
| --- | --- | --- |
| msg | Failed recovery attempt.The used key fractions are invalid | |
| requestMethod | POST | Fixed value |
| act | Failed recovery attempt | Master key recovery failure type |
| sourceServiceName | Master Key | Operation module |
| originIP | .148.162 | Request user IP |
| country | Brazil | Request geo location country |
| state | Sao Paulo | Request geo location state |
| city | Taboao da Serra | Request geo location city |
| latitude | | Request geo location GPS latitude |
| longitude | | Request geo location GPS longitude |
| partsNeeded | | Fractions needed to accomplish the recovery |
| partsSent | | Number of fractions sent in the attempt |
| suid | | Logged user id |
| sname | | Logged user name |
| suser | | Logged username |
| spriv | User | Application layer |
| dvc | .2.17 | Device host IPv4 |
| spid | | Internal PID |
| src | .0.1 | Source IP Address |
| act | Incident | Action performed |
| dproc | master_key_guardian | Destination process name |

Master Key - Successful recovery attempt

| Key | Example | Description |
| --- | --- | --- |
| msg | Successful recovery attempt.The used key fractions are valid | |
| requestMethod | POST | Fixed value |
| act | Successful recovery attempt | Master key recovery successful type |
| sourceServiceName | Master Key | Operation module |
| originIP | .10.13 | Request user IP |
| country | Brazil | Request geo location country |
| state | Sao Paulo | Request geo location state |
| city | Taboao da Serra | Request geo location city |
| latitude | | Request geo location GPS latitude |
| longitude | | Request geo location GPS longitude |
| partsNeeded | | Fractions needed to accomplish the recovery |
| partsSent | | Number of fractions sent in the attempt |
| suid | | Logged user id |
| sname | | Logged user name |
| suser | | Logged username |
| spriv | User | Application layer |
| dvc | .10.20 | Device host IPv4 |
| spid | | Internal PID |
| src | .10.13 | Source IP Address |
| act | Incident | Action performed |
| dproc | master_key_guardian | Destination process name |

Scheduling email reports - Creation

| Key | Example | Description |
| --- | --- | --- |
| dvc | .20.30 | senhasegura Server IP |
| spid | | Process ID in Operating System |
| src | .20.10 | IP of the user who performed the operation |
| suid | | User ID that performed the operation |
| sname | John Doe | User name that performed the operation |
| suser | jdoe | Username of the user who performed the operation |
| spriv | Administrator | senhasegura privilege used to perform the operation |
| msg | Report scheduling - Creation | Operation that was performed |
| requestMethod | POST | HTTP method used by the client |
| act | Report scheduling - Creation | Operation that was performed |
| sourceServiceName | Report scheduling | Category of the operation that was performed |
| cs1Label | User | Label of the requesting user’s name |
| cs1 | John Doe | Requesting user’s name |
| cs2Label | User ID | User ID label |
| cs2 | | User ID |
| cs3Label | Schedule | Label of the schedule name |
| cs3 | My schedule | Schedule name |
| cs4Label | Schedule ID | Schedule ID label |
| cs4 | | Schedule ID |
| cs5Label | Added reports | Label of added reports |
| cs5 | Settings -> Authentication -> Multi-factor authentication -> Providers | Added reports |
| cs7Label | Added users | Label of added users |
| cs7 | jdoe - John Doe | Users added to receive the notification |

Scheduling email reports - Update

| Key | Example | Description |
| --- | --- | --- |
| dvc | .20.30 | senhasegura Server IP |
| spid | | Process ID in Operating System |
| src | .20.10 | IP of the user who performed the operation |
| suid | | User ID that performed the operation |
| sname | John Doe | User name that performed the operation |
| suser | jdoe | Username of the user who performed the operation |
| spriv | Administrator | senhasegura privilege used to perform the operation |
| msg | Report scheduling - Update | Operation that was performed |
| requestMethod | POST | HTTP method used by the client |
| act | Report scheduling - Update | Operation that was performed |
| sourceServiceName | Report scheduling | Category of the operation that was performed |
| cs1Label | User | Label of the requesting user’s name |
| cs1 | John Doe | Requesting user’s name |
| cs2Label | User ID | User ID label |
| cs2 | | User ID |
| cs3Label | Schedule | Label of the schedule name |
| cs3 | My schedule | Schedule name |
| cs4Label | Schedule ID | Schedule ID label |
| cs4 | | Schedule ID |
| cs5Label | Added reports | Label of added reports |
| cs5 | None | Added reports |
| cs6Label | Removed reports | Label of removed reports |
| cs6 | None | Removed reports |
| cs7Label | Added users | Label of added users |
| cs7 | None | Added users |
| cs8Label | Removed users | Label of removed users |
| cs8 | None | Removed users |

Scheduling email reports - Deletion

| Key | Example | Description |
| --- | --- | --- |
| dvc | .20.30 | senhasegura Server IP |
| spid | | Process ID in Operating System |
| src | .20.10 | IP of the user who performed the operation |
| suid | | User ID that performed the operation |
| sname | John Doe | User name that performed the operation |
| suser | jdoe | Username of the user who performed the operation |
| spriv | Administrator | senhasegura privilege used to perform the operation |
| msg | Report scheduling - Deletion | Operation that was performed |
| requestMethod | POST | HTTP method used by the client |
| act | Report scheduling - Deletion | Operation that was performed |
| sourceServiceName | Report scheduling | Category of the operation that was performed |
| cs1Label | User | Label of the requesting user’s name |
| cs1 | John Doe | Requesting user’s name |
| cs2Label | User ID | User ID label |
| cs2 | | User ID |
| cs3Label | Schedule | Label of the schedule name |
| cs3 | My schedule | Schedule name |
| cs4Label | Schedule ID | Schedule ID label |
| cs4 | | Schedule ID |

Info: See the Appendix chapter to consult the table of possible values for System Services and Listeners.