11 April, 2019 at 11:50 AM
In our previous posts we covered Integrating Centrify Server Suite with SIEM tools, Integrating CSS Events into Splunk, and Integrating CSS Events into IBM QRadar. In this post, we cover how to integrate Centrify Server Suite events into your existing HP ArcSight deployment.
Getting Started
First, how do you get Centrify events into ArcSight? Centrify events are written locally to the standard logs: syslog on *nix hosts and the Windows event log on Windows hosts. Install HP ArcSight Connectors on the machines running the Centrify Agent to collect and index all Centrify events.
The screenshot below shows the ArcSight Console after the connectors have been configured: the list of all connectors is on the left-hand side, with the status of each.
Normalizing events
To normalize Centrify events, install the Centrify Server Suite ArcSight Parser on the node running the Centrify agent, following the instructions in the installation guide. Once events are being collected, you can find the relevant events through the search interface, shown on the right-hand side of the ArcSight Console in the picture below.
Categorising Events
We have taken over a dozen Centrify events and mapped them to ArcSight categories. This lets any security analyst correlate authentication events across vendors within the enterprise using the same category fields, rather than vendor-specific event IDs.
The table below lists the events that are mapped into the authentication category.
| event.externalId | set.event.categoryObject | set.event.categoryBehavior | set.event.categoryDeviceGroup | set.event.categorySignificance | set.event.categoryOutcome |
|---|---|---|---|---|---|
| 6001 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 6003 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 9001 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 18200 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 24100 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 24500 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 27100 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 54100 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 54200 | /Host/Application | /Authentication/Verify | /Application | /Informational | /Success |
| 6002 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 6004 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 6010 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 6011 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 24101 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 24501 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 27101 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 54101 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
| 54201 | /Host/Application | /Authentication/Verify | /Application | /Informational/Warning | /Failure |
To summarize, CSS Standard Edition captures all logon and privilege activity on any machine running a CSS agent. The events are stored in CEF format in syslog on Linux/UNIX machines and in the event log on Windows machines. You can now ingest Centrify events into ArcSight and easily normalize the Centrify data using our parsers.
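To make the normalization concrete, here is an added example (not Centrify's parser and not ArcSight code) that parses CEF-formatted syslog lines, applies the event-ID-to-category mapping from the table above, and counts authentication failures per account, which is the kind of cross-vendor correlation the category fields are meant to enable. The sample log lines, the vendor/product header values, the event names, and the extension keys used in them are constructed for this example; only the event IDs and category values come from the table.

```python
"""Added example: CEF parsing plus the Centrify-to-ArcSight category mapping."""
import re
from collections import Counter

# Mapping copied from the table above. Every listed ID shares
# categoryObject=/Host/Application, categoryBehavior=/Authentication/Verify
# and categoryDeviceGroup=/Application; only significance/outcome differ.
SUCCESS_IDS = {"6001", "6003", "9001", "18200", "24100", "24500", "27100", "54100", "54200"}
FAILURE_IDS = {"6002", "6004", "6010", "6011", "24101", "24501", "27101", "54101", "54201"}


def categorize(external_id):
    """Return the ArcSight category fields for a Centrify event ID, or None
    if the ID is not part of the authentication mapping."""
    if external_id in SUCCESS_IDS:
        significance, outcome = "/Informational", "/Success"
    elif external_id in FAILURE_IDS:
        significance, outcome = "/Informational/Warning", "/Failure"
    else:
        return None
    return {
        "categoryObject": "/Host/Application",
        "categoryBehavior": "/Authentication/Verify",
        "categoryDeviceGroup": "/Application",
        "categorySignificance": significance,
        "categoryOutcome": outcome,
    }


def split_cef(record):
    """Split the seven pipe-delimited CEF header fields, honouring the CEF
    escapes '\\|' and '\\\\', and return (header_fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            cur.append(record[i + 1])  # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("not a complete CEF header: " + record[:40])
    return fields, record[i:]


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict, including
    the ArcSight category fields derived from the signature (event) ID."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    header, ext = split_cef(line[start:])
    version, vendor, product, dev_version, sig_id, name, severity = header
    extension = {}
    # Simplified extension parsing: split before each 'key=' token, then
    # unescape the CEF '\\=' and '\\\\' sequences inside values.
    for token in re.split(r"\s+(?=\w+=)", ext.strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            extension[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return {
        "version": version[len("CEF:"):],
        "vendor": vendor, "product": product, "deviceVersion": dev_version,
        "externalId": sig_id, "name": name, "severity": severity,
        "extension": extension, "category": categorize(sig_id),
    }


def failures_by_user(lines):
    """Count events whose normalized categoryOutcome is /Failure, keyed by
    the CEF 'suser' (source user) extension field."""
    counts = Counter()
    for line in lines:
        event = parse_cef(line)
        cat = event["category"]
        if cat and cat["categoryOutcome"] == "/Failure":
            counts[event["extension"].get("suser", "<unknown>")] += 1
    return counts


# Constructed sample syslog lines (hypothetical vendor/product/name values).
SAMPLE_LINES = [
    "Mar  3 10:00:01 host01 agent[1234]: CEF:0|ExampleVendor|ExampleProduct|1.0|6001|Auth succeeded (sample)|2|suser=alice dhost=host01",
    "Mar  3 10:00:05 host01 agent[1234]: CEF:0|ExampleVendor|ExampleProduct|1.0|6002|Auth failed (sample)|5|suser=bob dhost=host01",
    "Mar  3 10:00:09 host01 agent[1234]: CEF:0|ExampleVendor|ExampleProduct|1.0|6010|Auth \\| failed (sample)|5|suser=bob dhost=host01 msg=escaped pipe in name",
    "Mar  3 10:00:12 host02 agent[4321]: CEF:0|ExampleVendor|ExampleProduct|1.0|24100|Auth succeeded (sample)|2|suser=carol dhost=host02",
    "Mar  3 10:00:15 host02 agent[4321]: CEF:0|ExampleVendor|ExampleProduct|1.0|9999|Unmapped event (sample)|1|suser=carol dhost=host02",
]

if __name__ == "__main__":
    for user, n in failures_by_user(SAMPLE_LINES).items():
        print(f"{user}: {n} authentication failure(s)")
```

Because the check keys on `categoryOutcome` rather than on the raw event ID, the same `failures_by_user` logic works unchanged for any other device whose parser populates the same ArcSight category fields; the unmapped `9999` event is ignored rather than miscounted.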
You can try the integration with a free trial of Centrify Server Suite Standard Edition today. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.
Links