Cybersecurity
DevOps Cloud (ADM)
IT Operations Cloud
The Identity Manager - Administrator’s Guide to Configure Auditing provides the information necessary to set up Identity Manager components for auditing events.
Besides the predefined events that are generated automatically if enabled on the driver or driverset, one can also generate custom events from policy. This allows for business context (hire, transfer, …) to be injected into the event stream.
Custom event ids must be in the range 1000 - 1999
(0x3E8 – 0x7CF
). A few have been reserved for internal use and must not be used:
ID (dec) | ID (hex) | Description |
---|---|---|
1200 | 0x4B0 | Account Create By Entitlement Grant |
1201 | 0x4B1 | Account Delete By Entitlement Revoke |
1202 | 0x4B2 | Account Disable By Entitlement Revoke |
1203 | 0x4B3 | Account Enable By Entitlement Grant |
1230 | 0x4CE | Driver Health State Changed |
The help text for the do-generate-event
token still uses the deprecated NAudit field names. Nowadays you can use any valid CEF Extensions Keys as string names. See the dictionary of standard Extension Keys.
There is one non-standard string name: event_name
. It allows you to override the EventName
field in the CEF header (the evt/EventName
field in Sentinel).
The Severity
header is set from the log level.
The following extensions are automatically populated for all custom events by the engine:
CEF extension | Description |
---|---|
rt | Current time in milliseconds since the epoch |
dvchost | Canonical hostname |
dvc | IP address |
dtz | Device time zone |
cat | Component name (DirXML\\Driver ) |
deviceProcessName | Originator (Driver) |
cs5 | Correlation id |
cn2 | Event group id |
You can use placeholders (identified by curly brackets) for the msg
extension to refer to other extension values. , e.g. {suser}
.
Here’s a sample do-generate-event
call that sets some sensible defaults that should work with both Sentinel and ArcSight (or other CEF consumers):
<do-if>
<arg-conditions>
<and>
<if-dest-dn op="available"/>
</and>
</arg-conditions>
<arg-actions>
<do-set-local-variable name="destDnOrAssociation" scope="policy">
<arg-string>
<token-dest-dn/>
</arg-string>
</do-set-local-variable>
</arg-actions>
<arg-actions>
<do-set-local-variable name="destDnOrAssociation" scope="policy">
<arg-string>
<token-association/>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-if>
<do-generate-event id="1000" level="log-alert">
<arg-string name="event_name">
<token-text xml:space="preserve">MyCustomSubscriberEvent1000</token-text>
</arg-string>
<arg-string name="externalId">
<token-xpath expression="@event-id"/>
</arg-string>
<arg-string name="suser">
<token-src-dn/>
</arg-string>
<arg-string name="suid">
<token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
<token-xpath expression="@qualified-src-dn"/>
</token-parse-dn>
</arg-string>
<arg-string name="duser">
<token-dest-dn/>
</arg-string>
<arg-string name="duid">
<token-association/>
</arg-string>
<arg-string name="filePath">
<token-local-variable name="destDnOrAssociation"/>
</arg-string>
<arg-string name="fileType">
<token-class-name/>
</arg-string>
<arg-string name="msg">
<token-text xml:space="preserve">{act} object of type {fileType}: channel:{deviceProcessName} src-dn:{suser} object:{duser} result:{outcome} reason:{reason}</token-text>
</arg-string>
<arg-string name="reason">
<token-text xml:space="preserve">reason</token-text>
</arg-string>
<arg-string name="request">
<token-local-variable name="destDnOrAssociation"/>
</arg-string>
<arg-string name="requestMethod">
<token-operation/>
</arg-string>
<arg-string name="act">
<token-operation/>
</arg-string>
<arg-string name="cs1Label">
<token-text xml:space="preserve">Attribute Name</token-text>
</arg-string>
<arg-string name="cs1">
<token-xpath expression="*[@attr-name and 1]/@attr-name"/>
</arg-string>
<arg-string name="cs6Label">
<token-text xml:space="preserve">Attribute Value</token-text>
</arg-string>
<arg-string name="cs6">
<token-xpath expression="descendant::value[1]/text()"/>
</arg-string>
<arg-string name="outcome">
<token-text xml:space="preserve">Failure</token-text>
</arg-string>
<arg-string name="sproc">
<token-global-variable name="dirxml.auto.localserverdn"/>
</arg-string>
</do-generate-event>
<do-generate-event id="1001" level="log-info">
<arg-string name="event_name">
<token-text xml:space="preserve">MyCustomNoAdditionalStringsEvent1001</token-text>
</arg-string>
</do-generate-event>
The resulting CEF event then looks like this:
CEF:0|NetIQ|Identity Manager|4.8.4.0|303E8|MyCustomSubscriberEvent1000|9|msg=modify object of type User: channel:system\\driverset1\\REST-Sentinel\\Subscriber src-dn:\\IDM48\_TREE\\data\\users\\idm-sentinel-user-driver10407user object: result:Failure reason:reason cs1=Description sproc=CN\=engine,OU\=servers,O\=system reason=reason request=https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 rt=1650977701654 duid=https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 cs5=REST-Sentinel#Subscriber#27eff4e6-e567-4e24-bb60-e6f4ef2767e5 requestMethod=modify cs1Label=Attribute Name suid=CN\=idm-sentinel-user-driver10407user,OU\=users,O\=data cs6Label=Attribute Value dvc=172.30.1.24 act=modify dvchost=engine.example.com cat=DirXML\\\\Driver deviceProcessName=system\\driverset1\\REST-Sentinel\\Subscriber outcome=Failure cs5Label=correlationid cn2=1650977701647 filePath=https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 externalId=engine#20220426125501#1#1:27eff4e6-e567-4e24-bb60-e6f4ef2767e5 dtz=GMT suser=\\IDM48\_TREE\\data\\users\\idm-sentinel-user-driver10407user cn2Label=Event Group ID fileType=User cs6=description10407-8
Or formatted for better readability:
Field | Value |
---|---|
CEF Header | |
Version | 0 |
DeviceVendor | NetIQ |
DeviceProduct | Identity Manager |
DeviceVersion | 4.8.4.0 |
SignatureID | 303E8 |
Name | MyCustomSubscriberEvent1000 |
Severity | 9 |
CEF Extensions | |
act | modify |
cat | DirXML\Driver |
cn2 | 1650977701647 |
cn2Label | Event Group ID |
cs1 | Description |
cs1Label | Attribute Name |
cs5 | REST-Sentinel#Subscriber#3c8e2b68-a9d3-488b-ade7-682b8e3cd3a9 |
cs5Label | correlationid |
cs6 | description10407-8 |
cs6Label | Attribute Value |
deviceProcessName | system-Sentinel |
dtz | GMT |
duid | https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 |
dvc | 172.30.1.24 |
dvchost | engine.example.com |
externalId | engine#20220426110442#1#1:3c8e2b68-a9d3-488b-ade7-682b8e3cd3a9 |
filePath | https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 |
fileType | User |
msg | modify object of type User: channel:system-Sentinelsrc-dn:CN=idm-sentinel-user-driver10407user,OU=users,O=data object: result:Failure reason:reason |
outcome | Failure |
reason | reason |
request | https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 |
requestMethod | modify |
rt | 1650971082724 |
sproc | CN=engine,OU=servers,O=system |
suid | CN=idm-sentinel-user-driver10407user,OU=users,O=data |
suser | _TREE-sentinel-user-driver10407user |
CEF Extensions by Label | |
Attribute Name | Description |
Attribute Value | description10407-8 |
Event Group ID | 1650977701647 |
correlationid | REST-Sentinel#Subscriber#27eff4e6-e567-4e24-bb60-e6f4ef2767e5 |
For custom IDM events, the Universal CEF collector parses the following extensions keys by default:
CEF extension | Sentinel Field (id) | Sentinel Field (name) |
---|---|---|
dvc | obsip | ObserverIP |
dvchost | sn | ObserverHostName |
externalId | sessid | SessionID |
fileType | dnewtype | TargetResourceType |
msg | msg | Message |
outcome | voc | VendorOutcomeCode |
reason | rv221 | CEFReason |
request | rv224 | RequestUrl |
requestMethod | rv225 | RequestMethod |
rt | dt | EventTime |
Unfortunately, none of the InitiatorUser/Service and TargetUser/Data fields are populated in Sentinel for custom IDM events. To achieve this, you have to customize the Universal CEF Collector. Specifically, the processCustomEvents() function in idm.js. Much of the required code can be borrowed from processVrdimEvents().
The resulting event in Sentinel then looks like this:
Field Name | Field Id | Value |
---|---|---|
Important Data Fields | ||
CollectorNodeName | port | Universal Common Event Format |
EventName | evt | MyCustomSubscriberEvent1000 |
EventTime | dt | 1650971082726 (Tue Apr 26 2022 13:04:42 GMT+0200 (CEST)) |
InitiatorServiceComponent | isvcc | Driver |
InitiatorServiceName | sp | DirXML |
Message | msg | modify object of type User: channel:system-Sentinelsrc-dn:CN=idm-sentinel-user-driver10407user,OU=users,O=data object: result:Failure reason:reason |
Severity | sev | 5 |
SourceIP | sip | 172.30.1.24 |
Extended Data Fields | ||
CEFReason | rv221 | reason |
CollectorID | rv22 | E0CA2D83-01B6-103A-98AF-000C2915A316 (Universal Common Event Format) |
CollectorManagerID | rv21 | C76D2820-C395-1029-BB86-001321B5C0B3 (Sentinel Server) |
CollectorPluginID | rv122 | 0AE79BE0-A1DD-1035-B570-00059A3C7A00 |
CollectorPluginName | agent | Universal Common Event Format |
ConnectorID | rv23 | E0CA2D83-01B6-103A-98B0-000C2915A316 (Syslog Connector) |
DeviceVersion | deviceversion | 4.8.4.0 |
EventID | id | 075EC952-A776-103A-99AB-000C2915A316 |
EventSourceID | rv24 | CD222CC9-34D7-103A-8296-000C2915A316 (172.30.1.24:Syslog:Map Output (idm)) |
EventTimeDelta | rv109 | 0 |
MaxRetentionDate | rv165 | 1658793600000 |
MinRetentionDate | rv164 | 1658793600000 |
ObserverCategory | rv32 | IDM |
ObserverEventTime | det | 1650971082724 |
ObserverHostClass | obsclass | infra svc |
ObserverHostCriticality | obscrit | high |
ObserverHostDepartment | obsdep | burgundy |
ObserverHostDomain | obsdom | example.com |
ObserverHostName | sn | engine |
ObserverIP | obsip | 172.30.1.24 |
ObserverServiceComponent | rv150 | DirXML\Driver |
ObserverServiceName | obssvcname | IdentityManager |
ObserverTZ | estz | Europe/Berlin |
ObserverTZDayInMonth | estzdim | 26 |
ObserverTZDayInWeek | estzdiw | 3 |
ObserverTZDayInYear | estzdiy | 116 |
ObserverTZHour | estzhour | 13 |
ObserverTZMinute | estzmin | 4 |
ObserverTZMonth | estzmonth | 3 |
ObserverType | st | N |
ProductName | pn | NetIQ Identity Manager |
RawDataRecordId | rv25 | A85EC952-A776-103A-9907-000C2915A316 |
ReporterHostClass | repclass | infra svc |
ReporterHostCriticality | repcrit | high |
ReporterHostDepartment | repdep | burgundy |
ReporterIP | repip | 172.30.1.24 |
RequestMethod | rv225 | modify |
RequestUrl | rv224 | https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 |
RetentionPolicyID | rv171 | 408E7E50-C02E-4325-B7C5-2B9FE4853476 |
RetentionPolicyName | rv192 | Standarddatenbeibehaltung |
SearchTargetID | rv172 | 3B190B70-0195-103A-96F2-000C2915A316 |
SentinelID | rv121 | 3B190B70-0195-103A-9640-000C2915A316 |
SentinelProcessTime | spt | 1650971082726 (Tue Apr 26 2022 13:04:42 GMT+0200 (CEST)) |
SentinelProcessingComponent | rt2 | Universal Common Event Format |
SentinelServiceID | src | E0CA2D83-01B6-103A-98AF-000C2915A316 |
SessionID | sessid | engine#20220426110442#1#1:3c8e2b68-a9d3-488b-ade7-682b8e3cd3a9 |
SourceHostClass | rv59 | infra svc |
SourceHostCriticality | rv62 | high |
SourceHostDepartment | rv76 | burgundy |
TargetHostID | rv99 | 0 |
TargetResourceType | dnewtype | User |
TenantHierarchyID | rv1 | 0 |
TenantID | tid | 1 |
TenantName | rv39 | default |
VendorEventCode | rv40 | 000303E8 |
VendorOutcomeCode | voc | Failure |
Vulnerability | vul | 0 |