
John Berkers

John Berkers last won the day on October 13 2023

We would like to request the same. We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation. The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions. Having an option to send the data in a structured, machine parsable, way would make ingestion into a SIEM much easier. We don't really care which standard is followed, so long as it is consistent.

Formats typically supported by SIEMs are:
  • LEEF
  • CEF
  • JSON
  • Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2)

We would be looking for the following information in the logs (not necessarily in this order):

For password operations:
  • Operation Performed
  • Who performed it (domain\user or user@domain.net, display name is optional, or API)
  • Client IP/hostname
  • Result (Success/Fail)
  • Full path to password list (group/folder structure)
  • PasswordList ID
  • PasswordEntry Title
  • PasswordEntry ID
  • PasswordEntry Username

For authentication events:
  • Authentication could be split across multiple logs
      • Authentication against Primary Authentication Server
      • Authentication against additional Authentication server (eg. MFA, token, etc)
  • For these we would expect
      • Authentication Server Name
      • Authentication Method (AD, LDAP, SAML, OAuth, etc)
      • Auth status (success/fail)
      • Auth status reason (if available) eg. account locked, account disabled, account does not exist, etc

For host operations:
  • Operation Performed
  • Who performed it (domain\user or user@domain.net, display name is optional, or API)
  • Client IP/hostname
  • Result (Success/Fail)
  • Full path to host (group/folder structure)
  • HostEntry ID
  • HostEntry Hostname
  • HostEntry Site
  • HostEntry IP
  • Connection Port

Some additional information may be useful, but this would be among the minimum critical information. Hopefully enough people are interested in this to make it happen.

Regards,
JohnB
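What the post is asking for, as an added example that is not part of the original post and is not code from PasswordState or Click Studios: the same password-operation event emitted in two of the structured formats listed (CEF and key='value' pairs), with parsers that recover every field without free-text regular expressions. The field names and sample values are constructed for the example, and the mapping of the post's fields onto CEF extension keys (act, suser, src, outcome, cs1..cs5 with their labels) and the vendor/product strings in the CEF header are my assumptions, not anything the product emits.

```python
"""Added example, not from the forum post nor from PasswordState/Click Studios.
One audit event emitted as CEF and as key='value' pairs (two formats the post
lists), with parsers that recover every field without free-text regexes.
Field names and sample values are constructed; the mapping onto CEF keys
(act, suser, src, outcome, cs1..cs5 + labels) and the header vendor/product
strings are assumptions."""
import re
from typing import Any, Dict

# Constructed sample event modelled on the post's "password operations" list;
# two values deliberately contain CEF metacharacters ('|' and '=').
SAMPLE_EVENT: Dict[str, str] = {
    "operation": "PasswordViewed", "actor": "CORP\\jsmith",
    "src_ip": "10.0.0.25", "result": "Success",
    "list_path": "Infrastructure/Network/Core Routers", "list_id": "42",
    "entry_title": "core-rtr-01 enable|password", "entry_id": "1337",
    "entry_username": "admin=root",
}
# Assumed mapping: post field -> CEF extension key (standard keys, then cs1..cs5).
CEF_STANDARD = [("operation", "act"), ("actor", "suser"),
                ("src_ip", "src"), ("result", "outcome")]
CEF_CUSTOM = [("list_path", "cs1", "PasswordListPath"),
              ("list_id", "cs2", "PasswordListID"),
              ("entry_title", "cs3", "PasswordEntryTitle"),
              ("entry_id", "cs4", "PasswordEntryID"),
              ("entry_username", "cs5", "PasswordEntryUsername")]
CEF_HEADER = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
# Seven '|'-separated header fields (escaped '\|' and '\\' allowed), then the extension.
_CEF_LINE = re.compile(r"^CEF:" + r"((?:[^|\\]|\\.)*)\|" * 7 + r"(.*)$", re.S)
# One key='value' pair; escaped \' and \\ are allowed inside the value.
_KV_PAIR = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")


def _esc_hdr(v: str) -> str:  # header fields: escape backslash and '|'
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:  # extension values: escape backslash, '=' and newline
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def _unesc(v: str) -> str:  # '\X' -> X, except '\n' -> newline
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), v)


def to_cef(event: Dict[str, str]) -> str:
    """Emit the event as a CEF:0 line; vendor, product and severity are constructed."""
    ext = [f"{k}={_esc_ext(event[f])}" for f, k in CEF_STANDARD]
    for f, k, label in CEF_CUSTOM:
        ext += [f"{k}Label={label}", f"{k}={_esc_ext(event[f])}"]
    hdr = ["0", "ExampleVendor", "ExampleVault", "1.0",
           event["operation"], event["operation"], "3"]
    return "CEF:" + "|".join(map(_esc_hdr, hdr)) + "|" + " ".join(ext)


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse a CEF line into its header fields plus an 'ext' dict of extension keys."""
    m = _CEF_LINE.match(line)
    if not m:
        raise ValueError("not a well-formed CEF line")
    out: Dict[str, Any] = dict(zip(CEF_HEADER, map(_unesc, m.groups()[:7])))
    # A new key starts at a space followed by 'key='. An escaped '\=' inside a
    # value never matches the lookahead, so values such as the list path may
    # contain spaces.
    out["ext"] = {}
    for token in re.split(r" (?=[A-Za-z0-9_]+=)", m.group(8)):
        key, _, raw = token.partition("=")
        out["ext"][key] = _unesc(raw)
    return out


def cef_to_event(line: str) -> Dict[str, str]:
    """Map a parsed CEF line back onto the post's field names, checking the labels."""
    ext = parse_cef(line)["ext"]
    event = {f: ext[k] for f, k in CEF_STANDARD}
    for f, k, label in CEF_CUSTOM:
        if ext.get(k + "Label") != label:
            raise ValueError(f"unexpected label for {k}: {ext.get(k + 'Label')}")
        event[f] = ext[k]
    return event


def _esc_kv(v: str) -> str:  # key='value' values: escape backslash and quote
    return v.replace("\\", "\\\\").replace("'", "\\'")


def to_kv(event: Dict[str, str]) -> str:
    """Emit the event as key='value' pairs, the other form the post mentions."""
    return " ".join(f"{k}='{_esc_kv(v)}'" for k, v in event.items())


def parse_kv(line: str) -> Dict[str, str]:
    """Recover the fields from a key='value' line."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _KV_PAIR.findall(line)}
```

The point of carrying a `|` and an `=` in the sample values is that a SIEM-side parser only stays reliable if the producer escapes consistently; `cef_to_event(to_cef(SAMPLE_EVENT))` and `parse_kv(to_kv(SAMPLE_EVENT))` both return the original dictionary, whereas the free-text sentence the post complains about has no such guarantee once a password title contains quotes or the word "in".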