Identity Manager custom audit events


Auditing

The Identity Manager - Administrator’s Guide to Configure Auditing provides the information necessary to set up Identity Manager components for auditing events.

Custom engine events

Besides the predefined events that are generated automatically if enabled on the driver or driverset, one can also generate custom events from policy. This allows for business context (hire, transfer, …) to be injected into the event stream.

Custom event ids must be in the range 1000 - 1999 (0x3E8 – 0x7CF). A few have been reserved for internal use and must not be used:

ID (dec)  ID (hex)  Description
1200      0x4B0     Account Create By Entitlement Grant
1201      0x4B1     Account Delete By Entitlement Revoke
1202      0x4B2     Account Disable By Entitlement Revoke
1203      0x4B3     Account Enable By Entitlement Grant
1230      0x4CE     Driver Health State Changed

The help text for the do-generate-event token still uses the deprecated NAudit field names. Nowadays you can use any valid CEF extension key as a string name. See the dictionary of standard Extension Keys.

There is one non-standard string name: event_name. It allows you to override the EventName field in the CEF header (the evt/EventName field in Sentinel).

The CEF Severity header is derived from the event's log level (the level attribute of do-generate-event).

The following extensions are automatically populated for all custom events by the engine:

CEF extension      Description
rt                 Current time in milliseconds since the epoch
dvchost            Canonical hostname
dvc                IP address
dtz                Device time zone
cat                Component name (DirXML\Driver)
deviceProcessName  Originator (Driver)
cs5                Correlation id
cn2                Event group id

In the msg extension you can use placeholders in curly brackets to refer to the values of other extensions, e.g. {suser}.

Here’s a sample do-generate-event call that sets some sensible defaults that should work with both Sentinel and ArcSight (or other CEF consumers):

<do-if>
  <arg-conditions>
    <and>
      <if-dest-dn op="available"/>
    </and>
  </arg-conditions>
  <arg-actions>
    <do-set-local-variable name="destDnOrAssociation" scope="policy">
      <arg-string>
        <token-dest-dn/>
      </arg-string>
    </do-set-local-variable>
  </arg-actions>
  <arg-actions>
    <do-set-local-variable name="destDnOrAssociation" scope="policy">
      <arg-string>
        <token-association/>
      </arg-string>
    </do-set-local-variable>
  </arg-actions>
</do-if>
<do-generate-event id="1000" level="log-alert">
  <arg-string name="event_name">
    <token-text xml:space="preserve">MyCustomSubscriberEvent1000</token-text>
  </arg-string>
  <arg-string name="externalId">
    <token-xpath expression="@event-id"/>
  </arg-string>
  <arg-string name="suser">
    <token-src-dn/>
  </arg-string>
  <arg-string name="suid">
    <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
      <token-xpath expression="@qualified-src-dn"/>
    </token-parse-dn>
  </arg-string>
  <arg-string name="duser">
    <token-dest-dn/>
  </arg-string>
  <arg-string name="duid">
    <token-association/>
  </arg-string>
  <arg-string name="filePath">
    <token-local-variable name="destDnOrAssociation"/>
  </arg-string>
  <arg-string name="fileType">
    <token-class-name/>
  </arg-string>
  <arg-string name="msg">
    <token-text xml:space="preserve">{act} object of type {fileType}: channel:{deviceProcessName} src-dn:{suser} object:{duser} result:{outcome} reason:{reason}</token-text>
  </arg-string>
  <arg-string name="reason">
    <token-text xml:space="preserve">reason</token-text>
  </arg-string>
  <arg-string name="request">
    <token-local-variable name="destDnOrAssociation"/>
  </arg-string>
  <arg-string name="requestMethod">
    <token-operation/>
  </arg-string>
  <arg-string name="act">
    <token-operation/>
  </arg-string>
  <arg-string name="cs1Label">
    <token-text xml:space="preserve">Attribute Name</token-text>
  </arg-string>
  <arg-string name="cs1">
    <token-xpath expression="*[@attr-name and 1]/@attr-name"/>
  </arg-string>
  <arg-string name="cs6Label">
    <token-text xml:space="preserve">Attribute Value</token-text>
  </arg-string>
  <arg-string name="cs6">
    <token-xpath expression="descendant::value[1]/text()"/>
  </arg-string>
  <arg-string name="outcome">
    <token-text xml:space="preserve">Failure</token-text>
  </arg-string>
  <arg-string name="sproc">
    <token-global-variable name="dirxml.auto.localserverdn"/>
  </arg-string>
</do-generate-event>
<do-generate-event id="1001" level="log-info">
  <arg-string name="event_name">
    <token-text xml:space="preserve">MyCustomNoAdditionalStringsEvent1001</token-text>
  </arg-string>
</do-generate-event>

CEF

The resulting CEF event then looks like this:

CEF:0|NetIQ|Identity Manager|4.8.4.0|303E8|MyCustomSubscriberEvent1000|9|msg=modify object of type User: channel:system\driverset1\REST-Sentinel\Subscriber src-dn:\IDM48_TREE\data\users\idm-sentinel-user-driver10407user object: result:Failure reason:reason cs1=Description sproc=CN\=engine,OU\=servers,O\=system reason=reason request=https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 rt=1650977701654 duid=https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 cs5=REST-Sentinel#Subscriber#27eff4e6-e567-4e24-bb60-e6f4ef2767e5 requestMethod=modify cs1Label=Attribute Name suid=CN\=idm-sentinel-user-driver10407user,OU\=users,O\=data cs6Label=Attribute Value dvc=172.30.1.24 act=modify dvchost=engine.example.com cat=DirXML\\Driver deviceProcessName=system\driverset1\REST-Sentinel\Subscriber outcome=Failure cs5Label=correlationid cn2=1650977701647 filePath=https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104 externalId=engine#20220426125501#1#1:27eff4e6-e567-4e24-bb60-e6f4ef2767e5 dtz=GMT suser=\IDM48_TREE\data\users\idm-sentinel-user-driver10407user cn2Label=Event Group ID fileType=User cs6=description10407-8

Or formatted for better readability:

CEF Header

Field          Value
Version        0
DeviceVendor   NetIQ
DeviceProduct  Identity Manager
DeviceVersion  4.8.4.0
SignatureID    303E8
Name           MyCustomSubscriberEvent1000
Severity       9

CEF Extensions

Extension          Value
act                modify
cat                DirXML\Driver
cn2                1650977701647
cn2Label           Event Group ID
cs1                Description
cs1Label           Attribute Name
cs5                REST-Sentinel#Subscriber#3c8e2b68-a9d3-488b-ade7-682b8e3cd3a9
cs5Label           correlationid
cs6                description10407-8
cs6Label           Attribute Value
deviceProcessName  system\driverset1\REST-Sentinel\Subscriber
dtz                GMT
duid               https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104
dvc                172.30.1.24
dvchost            engine.example.com
externalId         engine#20220426110442#1#1:3c8e2b68-a9d3-488b-ade7-682b8e3cd3a9
filePath           https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104
fileType           User
msg                modify object of type User: channel:system\driverset1\REST-Sentinel\Subscriber src-dn:CN=idm-sentinel-user-driver10407user,OU=users,O=data object: result:Failure reason:reason
outcome            Failure
reason             reason
request            https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104
requestMethod      modify
rt                 1650971082724
sproc              CN=engine,OU=servers,O=system
suid               CN=idm-sentinel-user-driver10407user,OU=users,O=data
suser              \IDM48_TREE\data\users\idm-sentinel-user-driver10407user

CEF Extensions by Label

Label            Value
Attribute Name   Description
Attribute Value  description10407-8
Event Group ID   1650977701647
correlationid    REST-Sentinel#Subscriber#27eff4e6-e567-4e24-bb60-e6f4ef2767e5

Sentinel

For custom IDM events, the Universal CEF collector parses the following extensions keys by default:

CEF extension  Sentinel field (id)  Sentinel field (name)
dvc            obsip                ObserverIP
dvchost        sn                   ObserverHostName
externalId     sessid               SessionID
fileType       dnewtype             TargetResourceType
msg            msg                  Message
outcome        voc                  VendorOutcomeCode
reason         rv221                CEFReason
request        rv224                RequestUrl
requestMethod  rv225                RequestMethod
rt             dt                   EventTime

Unfortunately, none of the InitiatorUser*/InitiatorService* and TargetUser*/TargetData* fields are populated in Sentinel for custom IDM events. To get them, you have to customize the Universal CEF Collector, specifically the processCustomEvents() function in idm.js; much of the required code can be borrowed from processVrdimEvents().
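To make concrete what a consumer has to do with one of these lines, here is an added example in JavaScript (the language of idm.js); it is not code from Identity Manager or from the Universal CEF collector. It parses a constructed CEF event modelled on the one above (header split on unescaped pipes, extension values cut at the next key= boundary, \= and \\ unescaped), projects the result onto Sentinel field ids using the default mapping from the table, adds the suser/suid/duser/duid mapping that a customized processCustomEvents() would need (the Sentinel field names InitiatorUserName, InitiatorUserID, TargetUserName and TargetDataName are assumptions), checks a custom event id against the 1000-1999 range and the reserved ids, and resolves {key} placeholders in msg as described earlier.

```javascript
// Added example; not code from the Identity Manager engine or from Sentinel's
// Universal CEF collector (idm.js). Parses a CEF line of the shape shown above,
// applies the collector's default extension-to-field mapping from the table,
// adds an initiator/target mapping (field names assumed), validates custom
// event ids and resolves {key} placeholders in msg.

// Constructed sample modelled on the event above (shortened, made-up user).
const SAMPLE_EVENT =
  'CEF:0|NetIQ|Identity Manager|4.8.4.0|303E8|MyCustomSubscriberEvent1000|9|' +
  'msg=modify object of type User: src-dn:\\IDM48_TREE\\data\\users\\jdoe result:Failure ' +
  'sproc=CN\\=engine,OU\\=servers,O\\=system cat=DirXML\\\\Driver act=modify ' +
  'suser=\\IDM48_TREE\\data\\users\\jdoe duser=CN\\=jdoe,OU\\=users,O\\=data ' +
  'outcome=Failure rt=1650977701654 fileType=User dvc=172.30.1.24 dvchost=engine.example.com';

// Seven pipe-delimited header fields; "\|" and "\\" are the only header
// escapes. Everything after the seventh pipe is the extension string.
function splitHeader(line) {
  const fields = [];
  let current = '';
  let i = 0;
  while (i < line.length && fields.length < 7) {
    const ch = line[i];
    if (ch === '\\' && (line[i + 1] === '|' || line[i + 1] === '\\')) {
      current += line[i + 1]; i += 2;
    } else if (ch === '|') {
      fields.push(current); current = ''; i += 1;
    } else {
      current += ch; i += 1;
    }
  }
  return { fields, extension: line.slice(i) };
}

// Undo extension escaping ("\=", "\\", "\n", "\r"). The engine emits bare
// backslashes inside slash-format DNs (suser above), so other "\x" stay as-is.
function unescapeValue(value) {
  return value.replace(/\\(.)/g, (w, c) => (c === '\\' || c === '=') ? c : c === 'n' ? '\n' : c === 'r' ? '\r' : w);
}

// A value runs from its "=" to the next "<whitespace>key=" boundary, so spaces
// inside values survive; an escaped "\=" can never start a key.
function parseExtension(extension) {
  const keyRe = /(?:^|\s)([A-Za-z0-9_]+)=/g;
  const hits = [];
  for (let m; (m = keyRe.exec(extension)) !== null;) {
    hits.push({ key: m[1], start: m.index, valueStart: m.index + m[0].length });
  }
  const result = {};
  hits.forEach((hit, idx) => {
    const end = idx + 1 < hits.length ? hits[idx + 1].start : extension.length;
    result[hit.key] = unescapeValue(extension.slice(hit.valueStart, end).trimEnd());
  });
  return result;
}

function parseCef(line) {
  const { fields, extension } = splitHeader(line);
  if (fields.length !== 7 || !fields[0].startsWith('CEF:')) {
    throw new Error('not a CEF line with seven header fields');
  }
  const [cef, deviceVendor, deviceProduct, deviceVersion, signatureId, name, severity] = fields;
  const header = { version: cef.slice(4), deviceVendor, deviceProduct, deviceVersion, signatureId, name, severity: Number(severity) };
  return { header, extensions: parseExtension(extension) };
}

// Default Universal CEF collector mapping for custom IDM events (table above):
// CEF extension -> Sentinel field id.
const DEFAULT_SENTINEL_MAP = {
  dvc: 'obsip', dvchost: 'sn', externalId: 'sessid', fileType: 'dnewtype', msg: 'msg',
  outcome: 'voc', reason: 'rv221', request: 'rv224', requestMethod: 'rv225', rt: 'dt',
};

// The kind of mapping a customized processCustomEvents() would add. These Sentinel
// field names are assumptions; verify them against your Sentinel field dictionary.
const INITIATOR_TARGET_MAP = {
  suser: 'InitiatorUserName', suid: 'InitiatorUserID', duser: 'TargetUserName', duid: 'TargetDataName',
};

// Project a parsed event onto Sentinel fields; the CEF Name becomes evt.
function toSentinelFields(event, extraMap = {}) {
  const map = { ...DEFAULT_SENTINEL_MAP, ...extraMap };
  const out = { evt: event.header.name };
  for (const [key, value] of Object.entries(event.extensions)) if (map[key]) out[map[key]] = value;
  return out;
}

// Custom event ids must be 1000-1999 and must avoid the engine's reserved ids.
const RESERVED_EVENT_IDS = new Set([1200, 1201, 1202, 1203, 1230]);
function isValidCustomEventId(id) {
  return Number.isInteger(id) && id >= 1000 && id <= 1999 && !RESERVED_EVENT_IDS.has(id);
}

// Resolve {key} placeholders in a msg template from the other extensions. Unknown
// placeholders are left untouched here; the page does not say what the engine does.
function renderMessage(template, extensions) {
  return template.replace(/\{([A-Za-z0-9_]+)\}/g, (whole, key) =>
    Object.prototype.hasOwnProperty.call(extensions, key) ? extensions[key] : whole);
}
```

The parser is deliberately lenient about backslashes: the engine does not escape the backslashes in slash-format DNs (compare suser in the sample event with the \\ in cat), so a strict CEF unescaper would mangle them. The price is that a DN component starting with "n" or "r" after a backslash is ambiguous; if that matters in your tree, switch suser/duser to LDAP format in the policy as the sample does for suid.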

The resulting event in Sentinel then looks like this:

Field Name                   Field Id       Value

Important Data Fields
CollectorNodeName            port           Universal Common Event Format
EventName                    evt            MyCustomSubscriberEvent1000
EventTime                    dt             1650971082726 (Tue Apr 26 2022 13:04:42 GMT+0200 (CEST))
InitiatorServiceComponent    isvcc          Driver
InitiatorServiceName         sp             DirXML
Message                      msg            modify object of type User: channel:system\driverset1\REST-Sentinel\Subscriber src-dn:CN=idm-sentinel-user-driver10407user,OU=users,O=data object: result:Failure reason:reason
Severity                     sev            5
SourceIP                     sip            172.30.1.24

Extended Data Fields
CEFReason                    rv221          reason
CollectorID                  rv22           E0CA2D83-01B6-103A-98AF-000C2915A316 (Universal Common Event Format)
CollectorManagerID           rv21           C76D2820-C395-1029-BB86-001321B5C0B3 (Sentinel Server)
CollectorPluginID            rv122          0AE79BE0-A1DD-1035-B570-00059A3C7A00
CollectorPluginName          agent          Universal Common Event Format
ConnectorID                  rv23           E0CA2D83-01B6-103A-98B0-000C2915A316 (Syslog Connector)
DeviceVersion                deviceversion  4.8.4.0
EventID                      id             075EC952-A776-103A-99AB-000C2915A316
EventSourceID                rv24           CD222CC9-34D7-103A-8296-000C2915A316 (172.30.1.24:Syslog:Map Output (idm))
EventTimeDelta               rv109          0
MaxRetentionDate             rv165          1658793600000
MinRetentionDate             rv164          1658793600000
ObserverCategory             rv32           IDM
ObserverEventTime            det            1650971082724
ObserverHostClass            obsclass       infra svc
ObserverHostCriticality      obscrit        high
ObserverHostDepartment       obsdep         burgundy
ObserverHostDomain           obsdom         example.com
ObserverHostName             sn             engine
ObserverIP                   obsip          172.30.1.24
ObserverServiceComponent     rv150          DirXML\Driver
ObserverServiceName          obssvcname     IdentityManager
ObserverTZ                   estz           Europe/Berlin
ObserverTZDayInMonth         estzdim        26
ObserverTZDayInWeek          estzdiw        3
ObserverTZDayInYear          estzdiy        116
ObserverTZHour               estzhour       13
ObserverTZMinute             estzmin        4
ObserverTZMonth              estzmonth      3
ObserverType                 st             N
ProductName                  pn             NetIQ Identity Manager
RawDataRecordId              rv25           A85EC952-A776-103A-9907-000C2915A316
ReporterHostClass            repclass       infra svc
ReporterHostCriticality      repcrit        high
ReporterHostDepartment       repdep         burgundy
ReporterIP                   repip          172.30.1.24
RequestMethod                rv225          modify
RequestUrl                   rv224          https://sentinel.example.com:8443/SentinelRESTServices/objects/user/104
RetentionPolicyID            rv171          408E7E50-C02E-4325-B7C5-2B9FE4853476
RetentionPolicyName          rv192          Standarddatenbeibehaltung
SearchTargetID               rv172          3B190B70-0195-103A-96F2-000C2915A316
SentinelID                   rv121          3B190B70-0195-103A-9640-000C2915A316
SentinelProcessTime          spt            1650971082726 (Tue Apr 26 2022 13:04:42 GMT+0200 (CEST))
SentinelProcessingComponent  rt2            Universal Common Event Format
SentinelServiceID            src            E0CA2D83-01B6-103A-98AF-000C2915A316
SessionID                    sessid         engine#20220426110442#1#1:3c8e2b68-a9d3-488b-ade7-682b8e3cd3a9
SourceHostClass              rv59           infra svc
SourceHostCriticality        rv62           high
SourceHostDepartment         rv76           burgundy
TargetHostID                 rv99           0
TargetResourceType           dnewtype       User
TenantHierarchyID            rv1            0
TenantID                     tid            1
TenantName                   rv39           default
VendorEventCode              rv40           000303E8
VendorOutcomeCode            voc            Failure
Vulnerability                vul            0
