
Integrating Centrify Server Suite with SIEM Tools – Part 2, integration with Splunk

By Centrify Contributor I ‎07-08-2016 10:44 AM

In the previous post on integrating Centrify Server Suite with SIEM tools, we covered that Centrify Server Suite (CSS) is an agent-based solution for unified identity management across Windows, Linux and UNIX systems. The CSS agent can track over 300 different types of events in real time on 450+ flavors of Windows, Linux and UNIX.

In this post, we cover how to get Centrify events into an existing Splunk deployment and how to normalize them once they are there.

Getting Started

First, how do you get Centrify events into Splunk? On every machine running the Centrify agent, the events are already written to the standard local logs: syslog on Linux and UNIX, the Windows event log on Windows. Install the Splunk Forwarder on those machines to consolidate and index the events centrally. The Centrify Splunk Add-on configures the location of the Centrify events for the forwarder; follow the installation guide (linked at the end of this post) to install it.

To confirm that events are being forwarded, open Data Summary in the Splunk Web interface, as shown below.

[Screenshot: Data Summary in Splunk Web]

Search for “Audit_Trail” to view the Centrify events; the search should return all of them.

[Screenshot: Splunk search results for Audit_Trail]

Normalizing events

To normalize the Centrify events, install the Centrify Splunk Add-on on the Splunk server as well, following the instructions in the installation guide. Once the events are centrally collected and indexed, you can find the relevant ones through the Splunk search interface. To make Centrify events and their fields easy to find, the Add-on defines 18 event types in Splunk and extracts all of the Centrify fields into Splunk fields.

The table below lists the categorized events; every event category listed in the Centrify Server Suite events document is mapped to a Splunk event type.

Centrify Event Category           Splunk Event Type
-----------------------------     --------------------------------------
DirectAudit System Management     centrify_directaudit_system_management
Audit Manager                     centrify_audit_manager
Audit Analyzer                    centrify_audit_analyzer
DirectAuthorize - Windows         centrify_directauthorize_windows
DirectAudit - Windows             centrify_directaudit_windows
Centrify Configuration            centrify_configuration
DirectControl UNIX Agent          centrify_directcontrol_unix_agent
DirectAudit UNIX Agent            centrify_directaudit_unix_agent
Centrify Commands                 centrify_commands
Trusted Path                      centrify_trusted_path
PAM                               centrify_pam
dzdo                              centrify_dzdo
dzsh                              centrify_dzsh
dzinfo                            centrify_dzinfo
command                           centrify_command
Local Account Management          centrify_local_account_management
Centrify sshd                     centrify_sshd
MFA                               centrify_mfa

After installing the Add-on, “Centrify Add-on for Splunk” appears as enabled in your Apps, as shown below.

[Screenshot: Apps list in Splunk Web showing Centrify Add-on for Splunk enabled]

Leveraging Splunk’s Common Information Model

Splunk’s Common Information Model (CIM) tags events from different vendors and source types into shared data models, so that Splunk can unify the events of a data domain of interest across the enterprise regardless of which product produced them. Splunk has defined around 23 data models today, and the number is growing. We have mapped over a dozen Centrify events to Splunk’s Authentication data model, so logon activity from Centrify-managed hosts shows up alongside authentication events from other sources.

The screenshot below shows how to find the events that are mapped into the Authentication data model.

[Screenshot: Authentication data model search in Splunk]
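To make concrete what the event types and the CIM mapping do to a raw event, here is an added example (not the Centrify Add-on’s own code) that parses constructed Centrify audit-trail syslog lines, derives the Splunk event type name from the Centrify category using the naming rule visible in the table above, and projects authentication-related events onto CIM Authentication fields. The pipe-delimited AUDIT_TRAIL header layout follows Centrify’s documented audit-trail format; the sample lines themselves, the set of categories treated as authentication events and the CIM field choices are assumptions of this example.

```python
"""Parse Centrify audit-trail syslog lines into Splunk-style event types and
CIM Authentication fields.

Added example, not the Centrify Add-on's code.  Assumed layout of the
audit-trail message (after the syslog prefix):
    AUDIT_TRAIL|vendor|category|version|event id|event name|severity|key=value ...
The event-type naming rule, the categories treated as authentication events
and the CIM field names are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines (not captured from a real host); hostnames, users,
# event IDs and addresses are made up for the example.
SAMPLE_LINES = [
    "Jul  7 12:34:18 web01 adclient[2104]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|100"
    "|PAM authentication granted|5|user=jdoe(type:ad,jdoe@example.com) pid=2104"
    " utc=1467898458 status=SUCCESS service=sshd tty=ssh client=10.0.0.5",
    "Jul  7 12:35:02 web01 adclient[2104]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|101"
    "|PAM authentication denied|5|user=root(type:local) pid=2110"
    " utc=1467898502 status=FAILED service=sshd tty=ssh client=10.0.0.9",
    "Jul  7 12:36:41 web01 dzdo[2200]: INFO  AUDIT_TRAIL|Centrify Suite|dzdo|1.0|300"
    "|dzdo granted|5|user=jdoe(type:ad,jdoe@example.com) pid=2200 utc=1467898601"
    " status=SUCCESS service=dzdo command=/bin/systemctl restart nginx runas=root",
    # A syslog line without the AUDIT_TRAIL marker must be skipped, not mis-parsed.
    "Jul  7 12:37:00 web01 sshd[2300]: Accepted publickey for ops from 10.0.0.7 port 51022",
]

AUDIT_MARKER = "AUDIT_TRAIL|"
# key=value pairs; a value may contain spaces (a full command line), so it runs
# until the next " key=" token or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Event types this example maps onto CIM Authentication (assumption).
AUTH_CATEGORIES = {"centrify_pam", "centrify_sshd", "centrify_mfa", "centrify_dzdo"}


@dataclass
class CentrifyEvent:
    host: str
    vendor: str
    category: str
    version: str
    event_id: str
    event_name: str
    severity: int
    fields: Dict[str, str] = field(default_factory=dict)


def event_type(category: str) -> str:
    """Splunk event type name for a Centrify category: lower-case, runs of
    non-alphanumerics become '_', and a 'centrify_' prefix is added unless the
    category already starts with it (reproduces the table above)."""
    slug = re.sub(r"[^a-z0-9]+", "_", category.lower()).strip("_")
    return slug if slug.startswith("centrify_") else "centrify_" + slug


def parse_audit_trail(line: str) -> Optional[CentrifyEvent]:
    """Parse one syslog line; None for non-audit-trail or truncated lines."""
    idx = line.find(AUDIT_MARKER)
    if idx < 0:
        return None
    parts = line[idx:].split("|", 7)
    if len(parts) < 8:
        return None  # header truncated: do not guess at missing fields
    _, vendor, category, version, event_id, event_name, severity, ext = parts
    prefix = line[:idx].split()  # "Mon DD HH:MM:SS host prog[pid]: LEVEL"
    host = prefix[3] if len(prefix) > 3 else ""
    try:
        sev = int(severity)
    except ValueError:
        return None
    fields = {k: v.strip() for k, v in KV_RE.findall(ext)}
    return CentrifyEvent(host, vendor, category, version, event_id, event_name, sev, fields)


def to_cim_authentication(ev: CentrifyEvent) -> Optional[Dict[str, str]]:
    """Project an event onto CIM Authentication fields; None if its event type
    is not one this example treats as authentication."""
    if event_type(ev.category) not in AUTH_CATEGORIES:
        return None
    status = ev.fields.get("status", "").upper()
    action = {"SUCCESS": "success", "FAILED": "failure"}.get(status, "unknown")
    # The audit trail writes user as name(type:...); CIM wants the bare name.
    user = ev.fields.get("user", "").split("(", 1)[0]
    return {
        "action": action,
        "user": user,
        "src": ev.fields.get("client", ""),
        "dest": ev.host,
        "app": ev.fields.get("service", ev.category),
        "signature": ev.event_name,
    }


def normalize(lines: List[str]) -> List[Dict[str, object]]:
    """Raw lines -> records with eventtype, extracted fields and CIM fields."""
    records = []
    for line in lines:
        ev = parse_audit_trail(line)
        if ev is None:
            continue
        records.append({
            "eventtype": event_type(ev.category),
            "event_id": ev.event_id,
            "event_name": ev.event_name,
            "severity": ev.severity,
            "fields": ev.fields,
            "cim_authentication": to_cim_authentication(ev),
        })
    return records


if __name__ == "__main__":
    for rec in normalize(SAMPLE_LINES):
        print(rec["eventtype"], rec["event_name"], rec["cim_authentication"])
```

Splunk does this with configuration rather than Python; the script is useful for checking offline which fields a given line will yield before searching for them in Splunk, and for spotting lines that would fall outside the mapping. Lines without the AUDIT_TRAIL marker or with a truncated header are skipped rather than half-parsed, and a dzdo command line keeps its spaces because the key=value scanner only breaks on the next key.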

To summarize: CSS Standard Edition captures all logon and privilege activity on any machine running a CSS agent. On Linux and UNIX the event is written to syslog in CEF format; on Windows it is written to the event log. With the Splunk Forwarder and the Centrify Splunk Add-on you can ingest those events into Splunk and normalize the Centrify data.

In the next post I will show how to use the same events in an IBM QRadar deployment. Meanwhile, you can try the Splunk integration today with a free trial of Centrify Server Suite Standard Edition. If you are already a Centrify customer and want to learn more, contact your Centrify account team.


Links

Centrify Splunk Installation guide

Centrify Splunk Add-on Binary
