Better Together: SecurID Access with your SIEM Platform
Introduction
Everyone wants better visibility into the behaviours (or misbehaviours) of their users, and customers often ask us a simple question: what should we watch out for?
The RSA SecurID® Access Cloud Authentication Service produces a large set of events. These are emitted both by the Cloud Service itself and by the supporting Identity Router virtual appliance clusters, and they are intended for a variety of purposes, including:
- Security and event monitoring
- System health
- Supporting audit activities
- Troubleshooting system or integration issues
These events fall under three major categories: Administration, System and User events. Each event also carries a severity level (for example error or notice), shown in the tables below.
To help you get started, we have collated a shortlist of events that may be of interest, emphasising events related to security and to critical health warnings. Be warned! This list does not cover every possible event of interest for your deployment and is not intended as an exhaustive list specific to your organisation.
RSA recommends augmenting this guidance with your knowledgeable delivery partner or with RSA Professional Services to help provide specific advice for YOUR organisation.
Furthermore, alerting on events related to the SecurID Cloud Risk Engine adds another dimension of visibility around suspicious behaviour. This is relevant even if your organisation does not use the risk engine to reduce how often users are challenged: organisations that choose to challenge specific apps or users regardless of risk can still use the risk engine as a monitoring tool for user and device behaviour.
Please consult the full list of Cloud Service Events here: https://community.rsa.com/docs/DOC-99818
If you are a lucky customer that uses the RSA Netwitness Platform as your SIEM, consult the official documentation on how to connect it to the Cloud: https://community.rsa.com/api/core/v3/contents/26032/data?v=1
If you have another SIEM platform, also consult the following document on how to pull Cloud Service Events into your SIEM via the Cloud Event API: https://community.rsa.com/docs/DOC-96948
Cloud Administration Events
It is recommended that all administrative activity relating to the SecurID Cloud Authentication Service be examined, as it represents changes to a system that may have far-reaching consequences. A list of activities that should be monitored is presented in the following table.
Activity Key | Activity Code | Message | Suggested Action |
SIGNIN_FAILURE | 80002 | Admin {0} sign-in failed | Repeated failures should be alerted upon |
LOCKED_ADMIN_ACCOUNT | 80003 | System locked admin {0} account | Alert |
UNLOCKED_ADMIN_ACCOUNT | 80004 | System unlocked admin {0} account | Alert |
DELETE_POLICY | 80202 | Admin {0} deleted access policy {1} | Alert |
DELETE_IDR | 80302 | Admin {0} deleted identity router {1} | Alert |
RESET_IDR_PASSWORD | 80308 | Admin {0} reset the identity router {1} password | Alert |
DELETE_CLUSTER | 80322 | Admin {0} deleted cluster {1} | Alert |
DELETE_TRUSTED_LOCATION | 80902 | Admin {0} deleted trusted location {1} | Alert |
DELETE_ALL_TRUSTED_LOCATIONS | 80903 | Admin {0} deleted all trusted locations | Alert |
DELETE_TRUSTED_NETWORK | 81003 | Admin {0} deleted trusted network {1} | Alert |
DELETE_ALL_TRUSTED_NETWORK | 81004 | Admin {0} deleted all trusted networks | Alert |
DELETE_ADMIN_USER | 82002 | Admin {0} deleted admin user {1} | Alert |
DELETE_APPLICATION | 82302 | Admin {0} deleted application {1} | Alert |
DELETE_RELYING_PARTY | 82502 | Admin {0} deleted relying party {1} | Alert |
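The following Python is an added example (not RSA's code or documentation) of how a SIEM-side rule might act on the table above: a single occurrence of any of the lock, unlock, reset or delete codes raises an alert immediately, while SIGNIN_FAILURE (80002) is counted per admin over a sliding window so that only repeated failures alert, as the table suggests. The event field names (activityCode, admin, timestamp, message), the sample events, and the threshold of five failures in ten minutes are assumptions chosen for the example; the Cloud Event API's actual field names may differ.

```python
"""Detection logic for the Cloud Administration events in the table above.

Added example, not RSA's code. It assumes each event has already been pulled
via the Cloud Event API and flattened into a dict with an activityCode, the
message, the acting admin and an ISO-8601 timestamp; those field names and the
sample events are constructed for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Activity codes from the table above whose single occurrence warrants an alert.
ALERT_ON_ANY = {
    80003: "LOCKED_ADMIN_ACCOUNT",
    80004: "UNLOCKED_ADMIN_ACCOUNT",
    80202: "DELETE_POLICY",
    80302: "DELETE_IDR",
    80308: "RESET_IDR_PASSWORD",
    80322: "DELETE_CLUSTER",
    80902: "DELETE_TRUSTED_LOCATION",
    80903: "DELETE_ALL_TRUSTED_LOCATIONS",
    81003: "DELETE_TRUSTED_NETWORK",
    81004: "DELETE_ALL_TRUSTED_NETWORK",
    82002: "DELETE_ADMIN_USER",
    82302: "DELETE_APPLICATION",
    82502: "DELETE_RELYING_PARTY",
}
SIGNIN_FAILURE = 80002  # "Repeated failures should be alerted upon"


class AdminEventDetector:
    """Stateful detector: immediate alerts for ALERT_ON_ANY codes and a
    per-admin sliding-window count for repeated sign-in failures (80002)."""

    def __init__(self, failure_threshold=5, window=timedelta(minutes=10)):
        self.failure_threshold = failure_threshold
        self.window = window
        # admin -> timestamps of failures still inside the window (oldest first)
        self._failures = defaultdict(deque)

    def process(self, event):
        """Return an alert string for one administration event, or None."""
        code = int(event["activityCode"])
        admin = event.get("admin", "<unknown>")
        if code in ALERT_ON_ANY:
            return f"[ADMIN] {ALERT_ON_ANY[code]} ({code}) by {admin}: {event['message']}"
        if code == SIGNIN_FAILURE:
            ts = datetime.fromisoformat(event["timestamp"])
            recent = self._failures[admin]
            recent.append(ts)
            # Drop failures older than the window before counting.
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.failure_threshold:
                recent.clear()  # one burst raises one alert, not one per extra failure
                return (f"[ADMIN] {self.failure_threshold} sign-in failures for "
                        f"{admin} within {self.window}")
        return None


def run_detector(jsonl, **detector_kwargs):
    """Feed newline-delimited JSON events through the detector; return alerts."""
    detector = AdminEventDetector(**detector_kwargs)
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = detector.process(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (messages follow the table's {0}/{1} templates).
SAMPLE_EVENTS = """\
{"timestamp": "2023-05-01T09:00:00", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
{"timestamp": "2023-05-01T09:00:30", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
{"timestamp": "2023-05-01T09:01:00", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
{"timestamp": "2023-05-01T09:01:30", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
{"timestamp": "2023-05-01T09:02:00", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
{"timestamp": "2023-05-01T09:03:00", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "bob", "message": "Admin bob sign-in failed"}
{"timestamp": "2023-05-01T09:04:00", "activityKey": "DELETE_POLICY", "activityCode": 80202, "admin": "carol", "message": "Admin carol deleted access policy Contractor-VPN"}
{"timestamp": "2023-05-01T09:20:00", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
{"timestamp": "2023-05-01T09:21:00", "activityKey": "SIGNIN_FAILURE", "activityCode": 80002, "admin": "alice", "message": "Admin alice sign-in failed"}
"""

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
```

With the sample input this yields two alerts: one for alice's fifth failure inside the window and one for carol's policy deletion; bob's single failure and alice's two later failures stay below the threshold. Clearing the window after an alert keeps a noisy admin from generating one alert per additional failure; tune the threshold and window to your own administrator population.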
Cloud System Events
System events trigger the following messages to appear in the System Event Monitor.
Event Code | Level | Category | Description | Suggested Action |
2507 | error | Identity Source Sync | Identity source synchronization not completed successfully. | Alert |
2508 | notice | Identity Source Sync | Users are missing one or more unique identifiers. Check the user attribute configurations in both the cloud identity source and the directory server. | Alert |
20152 | error | Identity Router | Identity router cannot initiate contact with the Authentication Manager server. | Alert |
20155 | error | Identity Router | Identity router cannot connect to Authentication Manager - Unknown error. | Alert |
20161 | error | Identity Router | The identity router cannot connect to any configured identity sources. | Alert |
20162 | error | Identity Router | The identity router cannot connect to some configured identity sources. | Alert |
20165 | error | Identity Router | Some of the configured DNS servers are not working properly. | Alert |
20166 | error | Identity Router | None of the configured DNS servers are working properly. | Alert |
20184 | error | Identity Router | Identity router CPU usage exceeds the threshold limit. | Alert |
20187 | error | Identity Router | Cluster is offline and not in quorum. No configured identity routers are online. | Alert |
20189 | error | Identity Router | Identity router memory usage exceeds the threshold limit. | Alert |
Cloud User Events
Event Code | Level | Description | Suggested Action |
104 | error | Authenticate Tokencode authentication failed - Invalid tokencode. | Alert on repeated attempts |
105 | error | Authenticate Tokencode authentication failed - Previously used tokencode detected. | Alert on repeated attempts |
114 | error | Identity router API tokencode authentication failed - Cloud Authentication Service unreachable. | Alert – IDR unable to reach cloud |
117 | error | Identity router API user status check - Identity source unreachable. | Alert – LDAP unavailable |
213 | error | LDAP password authentication failed - Cannot establish a trusted SSL/TLS connection with the LDAP directory server. Check for invalid certificate. | Alert – LDAP unavailable |
215 | error | LDAP password authentication failed - Sign-in failure: unknown username or invalid password. | Repeated failures should be alerted upon |
224 | error | LDAP password authentication failed - LDAP account locked out. | Alert – user locked out |
409 | error | Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact identity router. | Alert – IDR unavailable from Cloud |
410 | error | Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - Unable to contact directory server. | Alert – LDAP unavailable for sync |
608 | error | RSA SecurID user authentication failed - RSA SecurID service is not available. | Repeated failures - alert – Cloud service down? |
906 | error | Portal sign-in failed - Password reset required. | Alert – possibly escalate to helpdesk |
910 | error | Protected application authentication failed. | Repeated failures should be alerted upon |
913 | error | Additional authentication failed. | Repeated failures should be alerted upon |
932 | error | Additional authentication failed - User account disabled. | Alert – possibly escalate to helpdesk |
933 | error | Password authentication succeeded - Client does not support required additional authentication methods - Access denied. | Alert – possibly escalate to helpdesk |
935 | error | Unsuccessful password authentication – Access denied. | Repeated failures should be alerted upon |
940 | error | Password authentication succeeded - User prohibited by policy settings - Access denied. | Repeated failures should be alerted upon |
941 | error | Password authentication succeeded - Access prohibited by conditional policy settings - Access denied. | Repeated failures should be alerted upon |
3013 | error | RSA MFA Agent for Microsoft Windows configuration not approved. | Alert – possibly escalate to helpdesk |
3015 | error | RSA MFA Agent for Microsoft Windows unsuccessful configuration. | Alert – possibly escalate to helpdesk |
20403 | error | SAML IdP - Error response sent. If Authentication Details includes "Message was rejected due to issue instant expiration" or "Message was rejected because was issued in the future," then there might be a time-synchronization issue between the service provider and the Cloud Authentication Service. If you see this message during an additional authentication flow for an SSO Agent application, check the time on the identity router. | Alert |
20601 | error | RADIUS - LDAP authentication succeeded - Policy contains no RADIUS-compatible methods for additional authentication - Access denied. | Alert |
20605 | error | RADIUS - Cloud Authentication Service unreachable - Access denied. | Repeated failures - alert – Cloud service down? |
20615 | notice | RADIUS – Authentication failed. | Repeated failures should be alerted upon |
20701 | error | Access denied – User not a member of any identity source in access policy. | Repeated failures should be alerted upon |
20702 | error | Access denied – User does not match any rule sets or matches a deny rule set in access policy. | Repeated failures should be alerted upon |
20703 | error | Access denied – Policy authentication conditions deny access. | Repeated failures should be alerted upon |
20802 | error | SMS Tokencode message transmission attempt failed - Invalid phone number. | Alert – possibly escalate to helpdesk |
20852 | error | Voice Tokencode call attempt failed - Invalid phone number. | Alert – possibly escalate to helpdesk |
21903 | error | SMS Tokencode authentication method locked – User exceeded maximum tokencodes allowed. | Alert – possibly escalate to helpdesk |
21953 | error | Voice Tokencode authentication method locked - User exceeded maximum tokencodes allowed. | Alert – possibly escalate to helpdesk |
25001 | notice | Evaluated identity confidence. See Condition Attributes for Access Policies - Reporting a User's Identity Confidence Score for details. | SEE BELOW. When the “Confidence” attribute is greater than the “Confidence Threshold”, the risk is low: do nothing. When the “Confidence” attribute is lower than the “Confidence Threshold”, the risk is high: alert. |
26004 | error | Emergency Tokencode locked - User previously exceeded maximum attempts. | Alert – possibly escalate to helpdesk |
26005 | error | Emergency Tokencode now locked. | Alert – possibly escalate to helpdesk |
Evaluated Identity Confidence Event (Risk Engine)
As the log sample shows, the parser must be configured to compare the value of the confidence attribute against the confidenceThreshold value for each 25001 event. If confidence is lower than confidenceThreshold, the risk is considered high and an alert containing the named user identifier should be generated.
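The Python below is an added example (not RSA's code) of that parser rule for event 25001. It compares confidence against confidenceThreshold, alerts with the user identifier when confidence is lower, and, as a practitioner would want, surfaces events whose attributes are missing or non-numeric rather than silently treating them as low risk. The event layout (eventCode, userId, an attributes object) and the sample events are constructed assumptions; only the attribute names confidence and confidenceThreshold come from the text above.

```python
"""Parser rule for the Evaluated Identity Confidence event (code 25001).

Added example, not RSA's code. The event layout below (an eventCode, a userId
and an attributes object holding confidence and confidenceThreshold) is
constructed for this example; map the field names onto however your SIEM's
Cloud Event API parser exposes them.
"""
import json

IDENTITY_CONFIDENCE_EVENT = 25001


def evaluate_confidence(event):
    """Classify one event.

    Returns (status, user, confidence, threshold). status is one of:
      'high_risk'       confidence is lower than confidenceThreshold -> alert
      'low_risk'        confidence is not lower than the threshold -> do nothing
      'not_applicable'  any event code other than 25001
      'unparseable'     attributes missing or non-numeric; surfaced rather than
                        silently treated as low risk
    """
    user = event.get("userId")
    if int(event.get("eventCode", -1)) != IDENTITY_CONFIDENCE_EVENT:
        return ("not_applicable", user, None, None)
    attrs = event.get("attributes") or {}
    try:
        # Values may arrive as numbers or strings; normalise before comparing.
        confidence = float(attrs["confidence"])
        threshold = float(attrs["confidenceThreshold"])
    except (KeyError, TypeError, ValueError):
        return ("unparseable", user, None, None)
    # Equal values are not "lower", so they fall on the low-risk side.
    status = "high_risk" if confidence < threshold else "low_risk"
    return (status, user, confidence, threshold)


def alerts_from_jsonl(jsonl):
    """Run the rule over newline-delimited JSON events; return alert strings."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        status, user, confidence, threshold = evaluate_confidence(json.loads(line))
        if status == "high_risk":
            alerts.append(f"HIGH RISK: user={user} confidence={confidence:g} "
                          f"< confidenceThreshold={threshold:g}")
        elif status == "unparseable":
            alerts.append(f"PARSER WARNING: 25001 event for user={user} lacks "
                          "numeric confidence/confidenceThreshold attributes")
    return alerts


# Constructed sample events: values are typed as an API might deliver them
# (numbers or strings); the field names are assumptions.
SAMPLE_EVENTS = """\
{"eventCode": 25001, "level": "notice", "userId": "alice@example.com", "attributes": {"confidence": 0.92, "confidenceThreshold": 0.80}}
{"eventCode": 25001, "level": "notice", "userId": "bob@example.com", "attributes": {"confidence": "0.35", "confidenceThreshold": "0.80"}}
{"eventCode": 25001, "level": "notice", "userId": "carol@example.com", "attributes": {"confidence": 0.80, "confidenceThreshold": 0.80}}
{"eventCode": 25001, "level": "notice", "userId": "dave@example.com", "attributes": {"confidence": 0.10}}
{"eventCode": 935, "level": "error", "userId": "erin@example.com"}
"""

if __name__ == "__main__":
    for alert in alerts_from_jsonl(SAMPLE_EVENTS):
        print(alert)
```

On the sample input only bob raises a high-risk alert; dave's event produces a parser warning because the threshold is absent, which is worth routing to whoever owns the parser, since a rule that quietly skips such events would hide exactly the low-confidence sign-ins it exists to catch.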
Identity Router Events
Please consult the full list of events emanating from the Identity Router here: https://community.rsa.com/docs/DOC-54120
User Audit Events | Description | Suggested Action |
User Audit Events contain no security or health events.
Web Services Audit Events | Description | Suggested Action |
Web Services Audit Events contain no security or health events.
System Audit Events | Description | Suggested Action |
SYSTEM_ERROR | An error occurred on the identity router. | Alert |
SYSTEM_REBOOT | The identity router rebooted. | Alert |
IDR Status Events | Description | Suggested Action |
RSA recommends that all IDR system health events be monitored. Consult the full list of Identity Router events linked above, under the “Identity Router Status Events” table.
RADIUS Audit Events | Description | Suggested Action |
RADIUS_CHALLENGE_METHODS_NOT_SUPPORTED | A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy. | Alert – triage to IT or helpdesk |
RADIUS_USER_DEVICE_NOT_REGISTERED | A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user. | Alert – possibly helpdesk |
RADIUS_INTERNAL_ERROR | The RADIUS service encountered an error. | Alert |