
RSA 8.1: Unified SNMP connector, additionally data needed

Hello all,

Currently I'm onboarding an RSA 8.1 environment.

The RSA Authentication Manager (Version 8.1 SP 1 P 10) is sending SNMPv3 traps to our Unified SNMP connector (Version 7.1.4.7475.0), and we are receiving RSA events in our ESM.

The first impression was that we are getting all events with the needed parsed fields. But after a check I realized that some important "fields" are missing.

The connector parses the main information into the ArcSight fields, like action, user (who took the action), outcome, etc.

But I am missing the information about which objects the user performed the action on.

As an example, "EXPORT_SOFT_TOKEN":

RSA sends out all the information we need. The information about the relevant Token-ID & User-Name is located in the two "Object" areas (see below).

But this information isn't in the ArcSight events!

There are a lot of messages which provide these two "objects" with additional data, which is important for the analysis.

So my question is: how can I add this information to the current events?

Trap example:

Received SNMPv3 trap
    Port : 162
    Generating Agent : xxxxxxxxx
    Sending Agent : 10.xx.xx.xx/53188
    Time Stamp : 1369105420
    Enterprise OID : 1.3.6.1.4.1.2197.30.28.3
    Trap Type : 20089
    Var Binds:3

VarBind #0
    1.3.6.1.4.1.2197.20.16.5.0
    StringValue: INFO
    TimeStamp: 0
    Type: OctetString
    Value: INFO

VarBind #1
    1.3.6.1.4.1.2197.20.16.6.0
    StringValue: Admin event {ID: 17cdeffa2150fe0a19ac2c6b08bf758b, time: Wed Jan 27 11:29:02 CET 2016, client: 10.xx.xx.xx, user: User [ID: 000000000000000000001000d0021000, session ID: cb2a506d2150fe0a1ade0a095854f116-xt/8I5gIyYVE, login name: suadmin, first name: Admin, last name: Admin, security domain ID: 000000000000000000001000e0011000, identity source ID: 000000000000000000001000d0011000], action: EXPORT_SOFT_TOKEN, action id: 20089, result: SUCCESS, reason: null, object 1: Domain object [ID: 998a4e9f2150fe0a1ae9f6b3aa0ef85e, name: 000232610044, type: DomainObjectType[AM_TOKEN], security domain ID: 000000000000000000001000e0011000, identity source ID: null], object 2: PrincipalDomainObjectDetails{ID=08bc01be2150fe0a1b4b0ff5d6c9d5a5, Name='userabc', Identity Source Id='000000000000000000001000d0011000', Security Domain Id='000000000000000000001000e0011000'Domain Object Type [ Type : PRINCIPAL]}, arguments: []}
    TimeStamp: 0
    Type: OctetString
    Value: Admin event {ID: 17cdeffa2150fe0a19ac2c6b08bf758b, time: Wed Jan 27 11:29:02 CET 2016, client: 10.xx.xxx.xx, user: User [ID: 000000000000000000001000d0021000, session ID: cb2a506d2150fe0a1ade0a095854f116-xt/8I5gIyYVE, login name: suadmin, first name: Admin, last name: Admin, security domain ID: 000000000000000000001000e0011000, identity source ID: 000000000000000000001000d0011000], action: EXPORT_SOFT_TOKEN, action id: 20089, result: SUCCESS, reason: null, object 1: Domain object [ID: 998a4e9f2150fe0a1ae9f6b3aa0ef85e, name: 000232610044, type: DomainObjectType[AM_TOKEN], security domain ID: 000000000000000000001000e0011000, identity source ID: null], object 2: PrincipalDomainObjectDetails{ID=08bc01be2150fe0a1b4b0ff5d6c9d5a5, Name='userabc', Identity Source Id='000000000000000000001000d0011000', Security Domain Id='000000000000000000001000e0011000'Domain Object Type [ Type : PRINCIPAL]}, arguments: []}

VarBind #2
    1.3.6.1.4.1.2197.20.16.8.0
    StringValue:
    TimeStamp: 0
    Type: OctetString
    Value: ,suadmin,Admin Admin,RSA,Authentication Manager

7 Replies

Commander
Can you turn on "Preserve Raw Events" on your SmartConnector for SNMPv3 RSA, and post (with sensitive data obfuscated) the event data from "Raw Event"? This will help identify what is being sent to the ArcSight SmartConnector from the RSA via SNMPv3.

-----------
The first civilian U.S. Government contractor to utilize ArcSight circa 2000 (http://ow.ly/HdtU30ffUDY). Harris Corporation | Technology to Connect, Inform and Protect. | https://www.harris.com
Absent Member.

Hi Nicholas,

the given example is the Raw Event, which is attached to the ArcSight Event.

ArcSight parses the following data into ArcSight fields:

VarBind #1

1.3.6.1.4.1.2197.20.16.6.0

StringValue: Admin event {ID: 17cdeffa2150fe0a19ac2c6b08bf758b, time: Wed Jan 27 11:29:02 CET 2016, client: 10.xx.xx.xx, user: User [ID: 000000000000000000001000d0021000, session ID: cb2a506d2150fe0a1ade0a095854f116-xt/8I5gIyYVE, login name: suadmin, first name: Admin, last name: Admin, security domain ID: 000000000000000000001000e0011000, identity source ID: 000000000000000000001000d0011000], action: EXPORT_SOFT_TOKEN, action id: 20089, result: SUCCESS, reason: null, object 1: Domain object [ID: 998a4e9f2150fe0a1ae9f6b3aa0ef85e, name: 000232610044, type: DomainObjectType[AM_TOKEN], security domain ID: 000000000000000000001000e0011000, identity source ID: null], object 2: PrincipalDomainObjectDetails{ID=08bc01be2150fe0a1b4b0ff5d6c9d5a5, Name='userabc', Identity Source Id='000000000000000000001000d0011000', Security Domain Id='000000000000000000001000e0011000'Domain Object Type [ Type : PRINCIPAL]}, arguments: []}

client: --> destinationAddress

user: --> destinationUserId

session ID: --> deviceCustomString1

login name: --> destinationUserName

first name: + last name: --> deviceCustomString2

security domain: --> deviceCustomString3

identity source ID --> not set

action: --> name / deviceAction

action id: --> deviceEventClassId

result: --> eventOutcome

reason: --> message

That is all I can find in the ArcSight event.

The following fields are missing:

object 1 -> Domain object

object 1 -> name

object 1 -> type

object 2 -> PrincipalDomainObjectDetails

object 2 -> Name

There are several other RSA events that also carry useful information within the two "objects". In this case, ArcSight only provides me the information that an Admin has exported a Token, but no information about which user (object 2 Name) and which Token-ID (object 1 name).

In other cases, like "CREATE_PRINCIPAL", it is the same issue: the username of the new user is stored in object 1 name, which is missing. Or if someone adds a user to an admin role, ArcSight only tells me who did that, and not who the new user is and which admin group they were added to.

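As an added illustration (not code from this thread, from RSA, or from the ArcSight connector), the following Python parser takes the "Admin event {...}" varbind text quoted above and pulls out both the fields the connector already normalises and the pieces reported missing: object 1 name and type, and object 2 Name. The sample string is constructed from the trap in the thread with a placeholder client IP; the deviceCustomString4-6 slots used for the object data are an assumption made for this example, not the connector's real mapping. It is meant to show what a parser override or a FlexConnector would need to extract, including the nested "[...]" and "{...}" sub-structures that a flat key/value split would miss.

```python
import re

# Constructed sample, copied from the trap in this thread (client IP replaced by a
# placeholder); illustration code only, not the ArcSight connector's parser.
SAMPLE = (
    "Admin event {ID: 17cdeffa2150fe0a19ac2c6b08bf758b, "
    "time: Wed Jan 27 11:29:02 CET 2016, client: 10.0.0.5, "
    "user: User [ID: 000000000000000000001000d0021000, "
    "session ID: cb2a506d2150fe0a1ade0a095854f116-xt/8I5gIyYVE, "
    "login name: suadmin, first name: Admin, last name: Admin, "
    "security domain ID: 000000000000000000001000e0011000, "
    "identity source ID: 000000000000000000001000d0011000], "
    "action: EXPORT_SOFT_TOKEN, action id: 20089, result: SUCCESS, reason: null, "
    "object 1: Domain object [ID: 998a4e9f2150fe0a1ae9f6b3aa0ef85e, "
    "name: 000232610044, type: DomainObjectType[AM_TOKEN], "
    "security domain ID: 000000000000000000001000e0011000, identity source ID: null], "
    "object 2: PrincipalDomainObjectDetails{ID=08bc01be2150fe0a1b4b0ff5d6c9d5a5, "
    "Name='userabc', Identity Source Id='000000000000000000001000d0011000', "
    "Security Domain Id='000000000000000000001000e0011000'"
    "Domain Object Type [ Type : PRINCIPAL]}, arguments: []}"
)

OUTER = re.compile(r"^(?P<kind>[\w ]+?)\s*\{(?P<body>.*)\}$", re.S)    # Admin event {...}
BRACKET = re.compile(r"^(?P<name>[\w ]+?)\s*\[(?P<body>.*)\]$", re.S)  # User [...], Domain object [...]
BRACE = re.compile(r"^(?P<name>\w+)\{(?P<body>.*)\}$", re.S)           # PrincipalDomainObjectDetails{...}
EQ_PAIR = re.compile(r"([A-Za-z][\w ]*?)\s*=\s*(?:'([^']*)'|([^,}]+))")  # Key='v' or Key=v
OPEN, CLOSE = "{[(", "}])"


def split_top_level(text, sep=","):
    """Split on sep, ignoring separators nested inside (), [] or {}."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch in OPEN:
            depth += 1
        elif ch in CLOSE:
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def parse_kv(body):
    """'k1: v1, k2: Name [k3: v3]' -> dict; values are parsed recursively."""
    out = {}
    for item in split_top_level(body):
        key, sep, value = item.partition(": ")
        if sep:
            out[key.strip()] = parse_value(value.strip())
    return out


def parse_value(value):
    if value == "null":
        return None
    m = BRACKET.match(value)
    if m:
        nested = parse_kv(m.group("body"))
        if nested:  # 'DomainObjectType[AM_TOKEN]' has no k: v pairs and stays a plain string
            return {"_type": m.group("name").strip(), **nested}
    m = BRACE.match(value)
    if m:
        body, nested = m.group("body"), {}
        for pm in EQ_PAIR.finditer(body):
            val = pm.group(2) if pm.group(2) is not None else pm.group(3)
            nested[pm.group(1).strip()] = val.strip()
        t = re.search(r"Type\s*:\s*(\w+)\s*\]", body)  # trailing 'Domain Object Type [ Type : X]'
        if t:
            nested["Type"] = t.group(1)
        return {"_type": m.group("name"), **nested}
    return value


def parse_admin_event(msg):
    m = OUTER.match(msg.strip())
    if not m:
        raise ValueError("not an RSA AM admin event string")
    ev = parse_kv(m.group("body"))
    ev["_kind"] = m.group("kind").strip()
    return ev


def to_arcsight_fields(ev):
    """The first group of field names is the mapping the thread reports the connector
    already performs; deviceCustomString4-6 for the object data are an assumption."""
    def d(x):
        return x if isinstance(x, dict) else {}
    user, obj1, obj2 = d(ev.get("user")), d(ev.get("object 1")), d(ev.get("object 2"))
    type_m = re.search(r"\[(\w+)\]", obj1.get("type") or "")
    full_name = " ".join(n for n in (user.get("first name"), user.get("last name")) if n)
    return {
        "destinationAddress": ev.get("client"),
        "destinationUserId": user.get("ID"),
        "deviceCustomString1": user.get("session ID"),
        "destinationUserName": user.get("login name"),
        "deviceCustomString2": full_name or None,
        "deviceCustomString3": user.get("security domain ID"),
        "deviceAction": ev.get("action"),
        "deviceEventClassId": ev.get("action id"),
        "eventOutcome": ev.get("result"),
        "message": ev.get("reason"),
        # the data the thread says is missing from the normalised event
        "deviceCustomString4": obj1.get("name"),                     # token serial / new user name
        "deviceCustomString5": type_m.group(1) if type_m else None,  # AM_TOKEN, PRINCIPAL, ...
        "deviceCustomString6": obj2.get("Name"),                     # principal the token belongs to
    }


if __name__ == "__main__":
    for k, v in to_arcsight_fields(parse_admin_event(SAMPLE)).items():
        print(f"{k:22} {v}")
```

The bracket-aware split is the important part: object 1 and object 2 contain commas and colons of their own, so a simple split on ", " and ": " (which is roughly what a flat key/value reader does) either truncates them or mislabels the inner "ID"/"name" keys as top-level ones. Note also that object 2 uses a different syntax (Key='value' inside braces, with no comma before "Domain Object Type"), so it needs its own pattern.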
Absent Member.

Hi Alex,

if you find the "additional" information being parsed into the "Raw Event" field but not normalized into the intended CEF fields, you have three options to go further:

1. Check if the good old "Turbo Modes" are configured to a more restrictive setting. Use "Complete" for testing purposes.

2. Describe the situation to support, asking for some additional mappings to be realized through "connector patching".

3. Write your own SNMP-based FlexConnector.

Keep in mind that ESM also has a turbo mode, which must be set accordingly to ensure the desired event completeness.

If the turbo modes do not solve your problem, please also check back with support and consider patching your connector or writing your own Flex.

HTH,

Markus

Commodore

If it is coming in as additional data, then you can map it in ESM to one of the free deviceCustom or flexCustom fields.

To check if there are any additional data fields do the following:

-     Right click connector.

-     Send Command-->Mapping-->Get Additional Data names.

Check if Turbo mode is set correctly as mentioned above as otherwise additional data fields would be discarded when ingested into ESM.

Then map as follows:

-     Right click connector.

-     Send Command-->Mapping-->Map Additional Data name.

Fill in the Additional data name field, vendor, product and ArcSight field.

Fleet Admiral

Try creating a parser override:

file: <ArcSightSmartConnector>/current/user/agent/fcp/rsaims_snmp/rsaims_file.sdkkeyvaluefilereader.properties

Add the following two lines:

event.sourceUserName=object 1

event.sourceUserId=object 2

Restart the agent and see if you get the full "object 1" and "object 2" from your snmp trap into those respective fields.

Absent Member.

Hi Marc & Markus,

Turbo Mode was already set to "complete" and "Get Additional Data" didn't deliver any new data fields 😞

I'll now follow up with the parser override.

Ensign

Hi Alexander, were you able to map the additional fields? Please share your results.

Thanks

Mario
