Integrating Centrify Server Suite with SIEM Tools – Part 3, integration with IBM QRadar

By Centrify Contributor II ‎08-15-2016 04:41 PM

This is a follow on to my previous posts on integrating Centrify Server Suite events into SIEM tools & integrating Centrify Server Suite events into Splunk. In this post, we cover how to  integrate these events into your existing IBM QRadar deployment. 

Getting Started

First, how do you get Centrify events into IBM QRadar? Centrify events are written locally to the standard logs: syslog on *Nix hosts and the Windows event log on Windows hosts. Follow IBM QRadar's documentation to forward data into QRadar from Windows and *Nix machines.

The screenshot below shows a Windows and a Linux collector configured for deployment within QRadar. Follow the Centrify QRadar Installation guide to configure the collectors.

300.jpg

Normalising events

Install the Centrify log extension in QRadar to normalize Centrify events; again, follow the instructions in the Centrify QRadar Installation guide. Once the events are centrally collected and indexed, you can find all Centrify events by searching for "centrifyEventID" in the quick filter, as shown below.

100.jpg

Categorizing events

We've taken over a dozen Centrify events and categorised them into QRadar's Authentication category. This enables any security analyst to easily correlate authentication events from across vendors within your enterprise. Below is a search query for Centrify events in the Authentication category.

200.jpg

Below are the various categories of events.

| Event Name | QRadar Category Name | Parent |
| --- | --- | --- |
| Console login success | Host Login Succeeded | Authentication |
| Console login failure | Host Login Failed | Authentication |
| Remote login success | Remote Access Login Succeeded | Authentication |
| Remote login failure | Remote Access Login Failed | Authentication |
| Console logon failure | Host Login Failed | Authentication |
| Remote login failure | Remote Access Login Failed | Authentication |
| login success | Host Login Succeeded | Authentication |
| The user login to the system successfully | Host Login Succeeded | Authentication |
| PAM authentication granted | System Security Access Granted | Authentication |
| PAM authentication denied | System Security Access Removed | Authentication |
| PAM open session granted | System Security Access Granted | Authentication |
| PAM open session denied | System Security Access Removed | Authentication |
| SSHD granted | System Security Access Granted | Authentication |
| SSHD denied | System Security Access Failed | Authentication |
| MFA challenge succeeded | General Authentication Successful | Authentication |
| MFA challenge failed | General Authentication Failed | Authentication |
| MFA challenge succeeded | General Authentication Successful | Authentication |
| MFA challenge failed | General Authentication Failed | Authentication |
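To make the normalisation and categorisation steps concrete, here is an added Python example (not code from the original post, and not Centrify's or IBM's own parser) that does on a handful of syslog lines what the log extension does inside QRadar: it parses the CEF payload, keeps the "centrifyEventID" extension field, maps the CEF event name onto the QRadar category and parent from the table above, and then counts failed authentication events per user. The sample log lines are constructed; the signature IDs, host names and user names in them are placeholders, and the duplicate rows of the table collapse to single dictionary keys.

```python
import re
from collections import Counter

# Constructed sample syslog lines carrying CEF payloads. These are NOT real
# Centrify output: signature IDs (1001-1004), host names and user names are
# placeholders; only the event names and the "centrifyEventID" key come from the post.
SAMPLE_SYSLOG = r"""Aug 15 16:41:00 lnx01 adclient[1234]: CEF:0|Centrify|Centrify_Suite|2016|1001|Console login success|3|centrifyEventID=1001 dhost=lnx01 duser=alice
Aug 15 16:41:05 lnx01 adclient[1234]: CEF:0|Centrify|Centrify_Suite|2016|1002|Console login failure|5|centrifyEventID=1002 dhost=lnx01 duser=bob
Aug 15 16:41:09 lnx01 sshd[2222]: CEF:0|Centrify|Centrify_Suite|2016|1003|SSHD denied|6|centrifyEventID=1003 dhost=lnx01 duser=bob msg=key rejected by policy\=deny
Aug 15 16:41:12 lnx01 adclient[1234]: CEF:0|Centrify|Centrify_Suite|2016|1004|MFA challenge failed|6|centrifyEventID=1004 dhost=lnx01 duser=bob
Aug 15 16:41:20 lnx01 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Event name -> (QRadar category, parent), taken from the table in the post.
QRADAR_CATEGORY = {
    "Console login success": ("Host Login Succeeded", "Authentication"),
    "Console login failure": ("Host Login Failed", "Authentication"),
    "Console logon failure": ("Host Login Failed", "Authentication"),
    "Remote login success": ("Remote Access Login Succeeded", "Authentication"),
    "Remote login failure": ("Remote Access Login Failed", "Authentication"),
    "login success": ("Host Login Succeeded", "Authentication"),
    "The user login to the system successfully": ("Host Login Succeeded", "Authentication"),
    "PAM authentication granted": ("System Security Access Granted", "Authentication"),
    "PAM authentication denied": ("System Security Access Removed", "Authentication"),
    "PAM open session granted": ("System Security Access Granted", "Authentication"),
    "PAM open session denied": ("System Security Access Removed", "Authentication"),
    "SSHD granted": ("System Security Access Granted", "Authentication"),
    "SSHD denied": ("System Security Access Failed", "Authentication"),
    "MFA challenge succeeded": ("General Authentication Successful", "Authentication"),
    "MFA challenge failed": ("General Authentication Failed", "Authentication"),
}

# QRadar categories the table assigns to failure/denied events; used for the summary.
FAILED_CATEGORIES = {
    "Host Login Failed", "Remote Access Login Failed",
    "System Security Access Failed", "System Security Access Removed",
    "General Authentication Failed",
}

# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace; a literal '=' inside a value is escaped as '\='.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_cef_header(cef: str):
    """Split the seven pipe-delimited CEF header fields (honouring '\\|' escapes)
    and return them with the untouched extension remainder."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped character inside a header field
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":                            # field delimiter
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    return fields, cef[i:]


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' into a dict, unescaping '\\=' and '\\\\'."""
    out = {}
    matches = list(EXT_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_syslog_cef(line: str):
    """Return a flat event dict for a syslog line that carries a CEF record, else None."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    header, ext = split_cef_header(line[pos:])
    if len(header) != 7:
        return None                              # malformed header: skip rather than guess
    event = {
        "vendor": header[1], "product": header[2], "version": header[3],
        "signature_id": header[4], "name": header[5], "severity": header[6],
    }
    event.update(parse_extension(ext))
    return event


def categorize(event: dict) -> dict:
    """Attach the QRadar category and parent from the post's mapping table."""
    category, parent = QRADAR_CATEGORY.get(event["name"], ("Unknown", "Unknown"))
    return {**event, "qradar_category": category, "qradar_parent": parent}


def normalize_log(text: str) -> list:
    """Parse and categorise every CEF-bearing line; non-CEF syslog lines are dropped."""
    events = []
    for line in text.splitlines():
        parsed = parse_syslog_cef(line)
        if parsed is not None:
            events.append(categorize(parsed))
    return events


def failed_auth_by_user(events: list) -> dict:
    """Count failed Authentication events per destination user (the cross-vendor
    correlation an analyst would run once events share QRadar's categories)."""
    counts = Counter()
    for ev in events:
        if ev["qradar_parent"] == "Authentication" and ev["qradar_category"] in FAILED_CATEGORIES:
            counts[ev.get("duser", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = normalize_log(SAMPLE_SYSLOG)
    for ev in evs:
        print(ev["centrifyEventID"], ev["name"], "->", ev["qradar_category"])
    print("failed authentications per user:", failed_auth_by_user(evs))
```

The header splitter stops after exactly seven fields so that pipes or equals signs in the free-form extension cannot shift the event name; the extension parser locates keys first and takes everything up to the next key as the value, which is what lets a value such as `msg=key rejected by policy\=deny` survive intact. Lines that carry no CEF record (the cron line) are skipped instead of being forced into the schema.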

To summarize, CSS Standard Edition captures all logon and privilege activity on any machine that has a CSS agent running; the event is stored in CEF format in syslog on Linux/UNIX machines and in the event log on Windows machines. You can now easily ingest Centrify events into IBM QRadar and normalize them with our log extension.

In my next post I'll demonstrate how you can leverage these events in your HP ArcSight deployment. Meanwhile, you can try these integrations today with a free trial of Centrify Server Suite Standard Edition. If you are already a Centrify customer and want to learn more, please contact your Centrify account team.

Links

Centrify QRadar Installation guide

Centrify QRadar Extension
