Collect SecureAuth Identity Platform logs

Supported in:

This document explains how to ingest SecureAuth Identity Platform logs to Google Security Operations by using Bindplane. The parser extracts fields from various log formats (SYSLOG, XML, key-value pairs) using grok and xml filters. Then, it maps the extracted fields to the corresponding UDM (Unified Data Model) attributes, enriching the data with security event context and standardizing the output for further analysis.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to SecureAuth.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        udplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: SECUREAUTH_SSO
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - udplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure SecureAuth Identity Platform

  1. Sign in to the SecureAuth Identity console.
  2. Select Logs.
  3. Provide the following configuration details in the Log options section:
    • Log instance ID: enter the log instance ID, the Application Name or the realm name; for example, SecureAuth1.
    • Audit logs: select the Syslog checkbox.
    • Error logs: select the Syslog checkbox.
    • Syslog Server: enter the IP Address of your Bindplane agent.
    • Syslog Port: enter the Bindplane agent port number; for example, 514.
    • Syslog RFC spec: select RFC 5424.
  4. Click Save.

UDM Mapping Table

Log field UDM mapping Logic
action_msg read_only_udm.target.process.command_line Value of action_msg field
Appliance read_only_udm.principal.domain.name Value of Appliance field
Appliance read_only_udm.target.administrative_domain Value of Appliance field
BrowserSession read_only_udm.network.session_id Value of BrowserSession field
cat read_only_udm.metadata.product_event_type Value of cat field
Category read_only_udm.metadata.product_event_type Value of Category field
cn1 security_result.severity Mapped based on the value of cn1 when cn1Label is 'Priority': 1 - HIGH, 2 - MEDIUM, 3 or 4 - LOW
Company read_only_udm.additional.fields.value.string_value Value of Company field
cs1 read_only_udm.network.session_id Value of cs1 field when cs1Label is 'BrowserSession'
cs3 read_only_udm.additional.fields.value.string_value Value of cs3 field when cs3Label is 'CompanyName'
dst read_only_udm.target.ip Value of dst field
domain read_only_udm.principal.domain.name Value of domain field
dvc read_only_udm.intermediary.ip Value of dvc field
EventID read_only_udm.metadata.product_log_id Value of EventID field
HostName read_only_udm.principal.hostname Value of HostName field when grok fails to match IP address
HostName read_only_udm.principal.ip Value of HostName field when grok matches IP address
ip read_only_udm.principal.ip Value of ip field
Message read_only_udm.metadata.description Value of Message field
Message security_result.description Value of Message field
nat_ip read_only_udm.principal.nat_ip Value of nat_ip field
Priority security_result.severity Mapped based on the value of Priority: 1 - HIGH, 2 - MEDIUM, 3 or 4 - LOW
SAMLConsumerURL read_only_udm.target.url Value of SAMLConsumerURL field
sec_msg security_result.description Value of sec_msg field
SecureAuthIdPAppliance read_only_udm.target.administrative_domain Value of SecureAuthIdPAppliance field
SecureAuthIdPApplianceMachineName read_only_udm.target.hostname Value of SecureAuthIdPApplianceMachineName field
SecureAuthIdPDestinationSiteUrl read_only_udm.target.url Value of SecureAuthIdPDestinationSiteUrl field
SecureAuthIdPProductType read_only_udm.additional.fields.value.string_value Value of SecureAuthIdPProductType field
session read_only_udm.network.session_id Value of session field
spid read_only_udm.target.process.pid Value of spid field
src read_only_udm.principal.ip Value of src field
suser read_only_udm.target.user.userid Value of suser field
UserAgent read_only_udm.network.http.user_agent Value of UserAgent field
UserHostAddress read_only_udm.principal.nat_ip Value of UserHostAddress field
UserHostAddress read_only_udm.target.ip Value of UserHostAddress field
UserID read_only_udm.principal.user.userid Value of UserID field
Version read_only_udm.metadata.product_version Value of Version field
read_only_udm.additional.fields.key Hardcoded value - 'CompanyName'
read_only_udm.additional.fields.key Hardcoded value - 'Company'
read_only_udm.additional.fields.key Hardcoded value - 'SecureAuthIdPProductType'
read_only_udm.extensions.auth.type Hardcoded value - 'SSO'
read_only_udm.metadata.event_type 'USER_LOGIN' if SecureAuthIdPAuthGuiMode == 0 and auth_result == Success, 'USER_CHANGE_PERMISSIONS' if SecureAuthIdPAuthGuiMode == 0 and auth_result ==WS-Trust success., 'USER_LOGOUT' if SecureAuthIdPAuthGuiMode == 0 and auth_result == Session Aborted, 'NETWORK_CONNECTION' if UserHostAddress != and `HostName` !=, 'STATUS_UPDATE' if ip != or `HostName` !=, 'USER_UNCATEGORIZED' if UserHostAddress != and `HostName` == and UserID != ``, otherwise - 'GENERIC_EVENT'
read_only_udm.metadata.log_type Hardcoded value - 'SECUREAUTH_SSO'
read_only_udm.metadata.product_name Hardcoded value - 'SECUREAUTH_SSO'
read_only_udm.metadata.vendor_name Hardcoded value - 'SECUREAUTH_SSO'
read_only_udm.target.user.email_addresses Value of user_email field when not_email is false
security_result.severity 'HIGH' if cn1Label == Priority and cn1 == 1, 'MEDIUM' if cn1Label == Priority and cn1 == 2, 'LOW' if cn1Label == Priority and cn1 in [3, 4], 'HIGH' if Priority == 1, 'MEDIUM' if Priority == 2, 'LOW' if Priority in [3, 4]

Changes

2023-07-09

  • Added support for a new log format: SYSLOG + KV.
  • Added a Grok pattern to parse the new logs.

2022-04-25

  • Newly created parser: Updated and converted customer-specific version to default.

Need more help? Get answers from Community members and Google SecOps professionals.