2 February,21 at 05:33 PM
This is a follow on to my previous posts on integrating Centrify Server Suite events into SIEM tools & integrating Centrify Server Suite events into Splunk. In this post, we cover how to integrate these events into your existing IBM QRadar deployment.
Getting Started
First, how do I get Centrify events into IBM QRadar? Centrify events are available locally in standard logs either in *Nix syslogs or Windows event logs. Follow IBM QRadar's documentation to forward data into QRadar from Windows & *Nix machines.
Shown below, a Windows and Linux collector configured for deployment within QRadar. Follow the Centrify QRadar Installation guide to configure the collectors.
Normalising events
Install the Centrify log extension in QRadar to normalize Centrify events, follow again the instructions in the Centrify QRadar Installation guide. Once the events are centrally collected and indexed, you can find all the Centrify events by searching for "centrifyEventID" in the quick filter as shown below.
Categorizing events
We've taken over a dozen centrify events and categorised them into the QRadar's authentication category. This will enable any Security Analyst to easily correlate Authentication events from accross vendors within your enterprise. Find below a search query for Centrify events in the Authentication category.
Below are the various categories of events.
|
Event Name |
QRadar Category Name |
Parent |
|
Console login success |
Host Login Succeeded |
Authentication |
|
Console login failure |
Host Login Failed |
Authentication |
|
Remote login success |
Remote Access Login Succeeded |
Authentication |
|
Remote login failure |
Remote Access Login Failed |
Authentication |
|
Console logon failure |
Host Login Failed |
Authentication |
|
Remote login failure |
Remote Access Login Failed |
Authentication |
|
login success |
Host Login Succeeded |
Authentication |
|
The user login to the system successfully |
Host Login Succeeded |
Authentication |
|
PAM authentication granted |
System Security Access Granted |
Authentication |
|
PAM authentication denied |
System Security Access Removed |
Authentication |
|
PAM open session granted |
System Security Access Granted |
Authentication |
|
PAM open session denied |
System Security Access Removed |
Authentication |
|
SSHD granted |
System Security Access Granted |
Authentication |
|
SSHD denied |
System Security Access Failed |
Authentication |
|
MFA challenge succeeded |
General Authentication Successful |
Authentication |
|
MFA challenge failed |
General Authentication Failed |
Authentication |
|
MFA challenge succeeded |
General Authentication Successful |
Authentication |
|
MFA challenge failed |
General Authentication Failed |
Authentication |
To summarize, CSS Standard edition captures all logon and privilege activity on any machines that have a CSS agent running – the event is stored in CEF format in Syslog on Linux/ UNIX machines and is stored in Event logs on Windows machines. You can now ingest Centrify events to IBM QRadar and normalize the Centrify events leveraging our log extension, easily.
In my next post I’ll demonstrate how one could leverage these events in your HP ArcSight Deployment. Meanwhile, you can try these integrations today with a free trial of Centrify Server Suite Standard Edition. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.
Links
Centrify Agent for Windows™ Deployment Options - Introduction
How Centrify Extends Audit Trail Events
Integrating Centrify Server Suite with SIEM Tools – Part 2, integration with Splunk
Integrating Centrify Server Suite with SIEM Tools – Part 4, integration with HP ArcSight
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III
Centrify 18.3 Release Notes
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II
KB-20210: Common Questions Regarding Centrify DirectControl and CoreOS