Identity Cloud SIEM Events

One important tool in the battle to keep networks, computers, and data safe is SIEM: Security Information and Event Management. SIEM systems (such as Splunk Enterprise Security, IBM Security QRadar SIEM, and ArcSight Enterprise Security Manager) are designed to:

  • Import logs and other files from multiple devices (with “devices” meaning anything from software to computers to routers and other types of hardware).
     
  • “Normalize” these disparate log files into a standardized format. For example, out-of-the-box Splunk can combine data extracted from such disparate sources as Apache log files, comma-separated value files, and syslog files (to name just a few).
     
  • Provide tools for real-time (or near real-time) incident detection and trend analysis, and do so across an organization’s entire spectrum of devices.

For example, by analyzing log files a SIEM system might detect an out-of-the-ordinary flurry of login attempts, an unusual occurrence that could signal the onset of a denial of service attack. By itself, SIEM software cannot prevent the attack. However, by alerting you to the situation in near real time, SIEM enables you to take action that helps prevent the attack, or at least lets you stop the attack and limit any damage.

SIEM tools such as Splunk or QRadar typically import data formatted as either LEEF (Log Event Extended Format) or CEF (Common Event Format) files; however, neither of these formats is required. And that’s good, because the General Event Delivery system uses neither the LEEF nor the CEF format. Instead, SIEM events are formatted as JSON (JavaScript Object Notation) files similar to this:

{
    "id": "<event-id>",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
        "endpoint_uri": "http://documentation.akamai.com/widget/traditional_signin.jsonp",
        "event_type": "legacy_traditional_signin",
        "forward_headers": [
            {
                "name": "HTTP_X_FORWARDED_FOR",
                "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"
            },
            {
                "name": "HTTP_X_FORWARDED_PROTO",
                "value": "http"
            },
            {
                "name": "HTTP_X_FORWARDED_PORT",
                "value": "80"
            }
        ],
        "ip_address": "192.168.1.1",
        "origin": "https://login.documentation.akamai.com/",
        "user_agent": "Mozilla/5.0 (Android 8.1.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c"
    },
    "msts": 1566206726081,
    "type": "siem#legacy_traditional_signin"
}

See Using Identity Cloud SIEM Events and SIEM Applications for more information.

It’s worth mentioning that all allowed events will be available in your SIEM delivery feeds (although organizations do have the option to remove events from those feeds, and to re-add those events later on as needed). Note that this differs from the Identity Cloud’s initial (and now-discontinued) SIEM offering, which exposed only a handful of events, all centered around logins, registrations, and user profile updates.

We should also note that, at this point in time, SIEM event delivery is something of a “manual” process: JSON files are automatically delivered to an Amazon S3 bucket as .ZIP files (see How the SIEM Event Delivery Service Works), but from there organizations must manually download the .ZIP files, extract the JSON files contained inside those .ZIP files, then import the JSON files to a SIEM analytic tool.
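As an added illustration of the manual step above and of the JSON event layout shown earlier (example code, not part of the Identity Cloud product or its documentation), the following Python reads a delivered .ZIP archive, picks out the JSON event files, checks that each event carries the top-level fields from the sample, and flattens the nested message into a single-level record a SIEM can index. It assumes one event per JSON file and builds its own in-memory archive from a constructed event (the id value is a placeholder) so it runs offline.

```python
import io
import json
import zipfile

# Constructed sample event modelled on the page's example; the id is a placeholder.
SAMPLE_EVENT = {
    "id": "EVENT-ID-PLACEHOLDER",
    "message": {
        "app_id": "htb8fuhxnf8e38jrzub3c7pfrr",
        "client_id": "nmub5w3rru9k6rzupqaeb7bbwv6jn658",
        "forward_headers": [
            {"name": "HTTP_X_FORWARDED_FOR", "value": "192.168.1.1, 192.168.1.2, 192.168.1.3"},
            {"name": "HTTP_X_FORWARDED_PROTO", "value": "http"},
        ],
        "ip_address": "192.168.1.1",
        "user_uuid": "437920f3-85dd-4cb7-ba8c-7025faea1d2c",
    },
    "msts": 1566206726081,
    "type": "siem#legacy_traditional_signin",
}

def build_sample_zip() -> bytes:
    """Build an in-memory .ZIP holding one JSON event file, standing in for a downloaded S3 archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("events/event-1.json", json.dumps(SAMPLE_EVENT))
        zf.writestr("README.txt", "not an event")  # non-JSON members must be skipped
    return buf.getvalue()

def flatten_event(event: dict) -> dict:
    """Flatten one event into a single-level record; reject events missing required fields."""
    missing = [k for k in ("id", "message", "msts", "type") if k not in event]
    if missing:
        raise ValueError(f"event missing required field(s): {missing}")
    msg = event["message"]
    headers = {h["name"]: h["value"] for h in msg.get("forward_headers", [])}
    # X-Forwarded-For is a comma-separated chain; split it so each hop can be queried.
    xff = [ip.strip() for ip in headers.get("HTTP_X_FORWARDED_FOR", "").split(",") if ip.strip()]
    return {
        "event_id": event["id"], "event_type": event["type"], "timestamp_ms": int(event["msts"]),
        "app_id": msg.get("app_id"), "client_id": msg.get("client_id"),
        "user_uuid": msg.get("user_uuid"), "ip_address": msg.get("ip_address"),
        "xff_chain": xff, "forwarded_proto": headers.get("HTTP_X_FORWARDED_PROTO"),
    }

def extract_events(zip_bytes: bytes) -> list:
    """Parse every *.json member of a delivered archive into flat records."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [flatten_event(json.loads(zf.read(n)))
                for n in zf.namelist() if n.lower().endswith(".json")]
```

Point extract_events at the bytes of a real downloaded archive to produce records ready for a SIEM's JSON importer; an event with a malformed top level is rejected rather than silently indexed with missing fields.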