Adding ObserveIT video audit logs to your SIEM

PRODUCT FACT SHEET

At a Glance

Adding ObserveIT's user activity video logs and user activity text logs to your SIEM or log analysis platform gives you all the details of exactly what users are doing on your network, right from within the platform you count on for security oversight and compliance reporting. Imagine this: the SIEM dashboard alerts you to a potential security incident. Instead of investigating by drilling down into system logs, you simply click the Play icon, which shows exactly what the user did.

ObserveIT's open architecture allows a straightforward integration with any log analysis tool. This document describes that open architecture and also looks at specific integrations with Splunk, ArcSight, RSA enVision and CA UARM.

What it looks like

Splunk with user activity logs

Event details are dashboarded across a standard Splunk timeline, with event listings showing exactly which applications, URLs, files and system calls the user touched. A video replay icon is available for each specific user action, allowing you to launch the video replay at exactly the moment the user performed that action.

[Figure: ObserveIT text logs and replay from within Splunk. Callouts: user activity shown on a timeline; detailed text logs of user actions; click icon to launch video replay.]

ArcSight with user activity logs

The ArcSight Console shows detailed listings of every user action, including apps run, files touched, window titles and more. Right-click on any event to watch the video replay.

[Figure: ObserveIT text logs in ArcSight, with context-menu integration for video replay of user actions within the ArcSight console, and ObserveIT video replay within the ArcSight console. Callouts: detailed text logs of user actions; context menu integration for video.]

CA UARM with user activity logs

ObserveIT's video and text logs have been integrated tightly with CA's Access Control platform, with ties into many CA products. With the UARM product, CA's full dashboarding integration provides text log details, breakdown pie charts and, of course, video replay at the click of the icon, launched right at the time of interest. The CA integration is available directly from CA as a CA line-item product.

[Figure: ObserveIT text logs and replay from within the CA Technologies UARM platform. Callouts: list of every app run; timeline view; breakdown by users and servers; detailed action listing; click the "Play the video!" icon to view.]

RSA enVision with user activity logs

All ObserveIT text logs are viewable within enVision, including filtering and search based on the detailed metadata captured. Each log entry can then be tied to a video replay. For more information on the RSA integration, get the integration document from the RSA site: https://gallery.emc.com/docs/doc-2548

[Figure: audit log details within enVision, filtered according to detailed metadata. Callouts: metadata filtering; event listing.]

Integration Architecture

Integration typically involves two main parts: metadata integration (the textual activity logs) and replay integration.

Metadata Integration

Use your SIEM's data collector mechanism for importing log data. ObserveIT's user activity metadata logs can be accessed in one of two ways: via direct SQL access or via real-time log file polling. Both methods read the data source directly, without going through a web service or API-call layer.

SQL Integration

[Figure: SQL Server data collector schematic. The SIEM / log management application's poller runs a SQL query directly against the ObserveIT metadata log database every x seconds (direct access, no application server interaction); the query results, including the URL of the video for replay, pass through a field mapper into the SIEM.]

A sample SQL query for polling data would be as follows. %TRACKING% is the placeholder for the collector's tracking value (the latest ScreenshotTime it has already imported), so each poll returns only rows newer than the previous one. Because the collector reads the ObserveIT database directly, give it a dedicated SQL login with SELECT permission only on the tables it queries.

USE ObserveIT;
SELECT ScreenshotTime, MachineName AS ServerName, LoginName, DomainName, ApplicationName, WindowTitle, UserName, ClientName, ClientAddress, SessionID, ScreenshotID, ApplicationServerName, 'WindowTitle' AS EventType
FROM dbo.SessionWindowTitleInstances
INNER JOIN ServerInvatory ON ServerInvatory.SrvID = SessionWindowTitleInstances.SrvID
WHERE ScreenshotTime > '%TRACKING%'

Log File Integration

[Figure 1 - Real-time log file polling data collector schematic. The SIEM / log management application's poller reads the real-time metadata log file written by the OIT application server every x seconds (direct access, no application server interaction); the latest deltas pass through a field mapper into the SIEM.]

The resulting log files will appear as follows:

Sample Windows Log

"FirstScreenshotTime","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","ApplicationName","WindowTitle"
2011-08-11T07:07:20,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT - Login (5.3.0.0)
2011-08-11T07:07:22,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT Message - User Activity Auditing
2011-08-11T07:10:31,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,Windows Explorer,Program Manager
2011-08-11T07:10:41,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,SSMS - SQL Server Management Studio,Connect to Server

Sample UNIX / Linux Log

"OperationDate","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","CommandParam"
2011-08-11T08:57:29,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/grep -q /usr/kerberos/bin
2011-08-11T08:57:30,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/grep -q /usr/kerberos/sbin
2011-08-11T08:57:31,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/usr/bin/id -u
2011-08-11T08:57:33,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/sbin/consoletype stdout
2011-08-11T08:57:35,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/usr/bin/id -u
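The SQL integration above leaves one detail to the collector: how the %TRACKING% watermark is maintained between polls. The following is an added example of such a poller, written for this page and not ObserveIT's or any SIEM vendor's code. It runs the page's query shape against an in-memory sqlite3 stand-in for the ObserveIT database (the table and column names follow the query above; the rows, the ClientAddress and ScreenshotID values, the replay URL format and the console host name are constructed assumptions, and in production the same query would go through an ODBC connection to SQL Server). It deliberately departs from the page's `>` comparison: it polls with `>=` and remembers the ScreenshotIDs already delivered at the watermark timestamp, so a row committed slightly late with the same ScreenshotTime as the watermark is not silently lost.

```python
import sqlite3

REPLAY_BASE = "http://oit-console:4884"   # assumed host; port 4884 is from the page's replay schematic
SESSION = "afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08"   # session id taken from the page's Windows sample log

# Same projection as the page's sample query, minus the T-SQL specifics (USE ObserveIT; dbo. prefix)
# and with %TRACKING% replaced by a bound parameter. ">=" plus de-duplication on ScreenshotID
# (see MetadataPoller) replaces the page's ">" so rows sharing the watermark timestamp are not lost.
POLL_QUERY = """
SELECT ScreenshotTime, MachineName AS ServerName, LoginName, DomainName,
       ApplicationName, WindowTitle, UserName, ClientName, ClientAddress,
       SessionID, ScreenshotID, ApplicationServerName,
       'WindowTitle' AS EventType
FROM SessionWindowTitleInstances
INNER JOIN ServerInvatory ON ServerInvatory.SrvID = SessionWindowTitleInstances.SrvID
WHERE ScreenshotTime >= ?
ORDER BY ScreenshotTime, ScreenshotID
"""


def build_sample_db():
    """Constructed in-memory stand-in for the ObserveIT database (not real ObserveIT data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ServerInvatory (SrvID INTEGER, MachineName TEXT);
        CREATE TABLE SessionWindowTitleInstances (
            ScreenshotTime TEXT, SrvID INTEGER, LoginName TEXT, DomainName TEXT,
            ApplicationName TEXT, WindowTitle TEXT, UserName TEXT, ClientName TEXT,
            ClientAddress TEXT, SessionID TEXT, ScreenshotID INTEGER,
            ApplicationServerName TEXT);
        INSERT INTO ServerInvatory VALUES (1, 'OITHostedDemo-S');
    """)
    rows = [  # application/window values mirror the page's Windows sample; other columns are assumed
        ("2011-08-11T07:07:20", 1, "Administrator", "OITHostedDemo-S", "ObserveIT",
         "ObserveIT - Login (5.3.0.0)", "brad", "OIT-BRAD", "10.1.100.7", SESSION, 101, "OIT-APP"),
        ("2011-08-11T07:10:31", 1, "Administrator", "OITHostedDemo-S", "Windows Explorer",
         "Program Manager", "brad", "OIT-BRAD", "10.1.100.7", SESSION, 102, "OIT-APP"),
        ("2011-08-11T07:10:41", 1, "Administrator", "OITHostedDemo-S",
         "SSMS - SQL Server Management Studio", "Connect to Server", "brad", "OIT-BRAD",
         "10.1.100.7", SESSION, 103, "OIT-APP"),
    ]
    con.executemany("INSERT INTO SessionWindowTitleInstances VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    return con


def replay_url(session_id, screenshot_id):
    """Assumed URL shape. The schematic says the real query results already carry the replay URL;
    this stand-in table has no such column, so one is synthesised from the session and screenshot."""
    return f"{REPLAY_BASE}/replay?session={session_id}&screenshot={screenshot_id}"


class MetadataPoller:
    """Polls the metadata table, keeping a (timestamp, ids-seen-at-that-timestamp) watermark."""

    def __init__(self, con, tracking="1970-01-01T00:00:00"):
        self.con = con
        self.tracking = tracking        # the value the page's %TRACKING% placeholder stands for
        self.seen_at_tracking = set()   # ScreenshotIDs already delivered at self.tracking

    def poll(self):
        """Return only rows not delivered before, as SIEM-ready dicts with a replay URL attached."""
        cur = self.con.execute(POLL_QUERY, (self.tracking,))
        cols = [d[0] for d in cur.description]
        events = []
        for row in cur.fetchall():
            rec = dict(zip(cols, row))
            if rec["ScreenshotTime"] == self.tracking and rec["ScreenshotID"] in self.seen_at_tracking:
                continue   # delivered in an earlier poll
            rec["ReplayURL"] = replay_url(rec["SessionID"], rec["ScreenshotID"])
            events.append(rec)
        for rec in events:   # rows are time-ordered, so the last one becomes the new watermark
            if rec["ScreenshotTime"] != self.tracking:
                self.tracking = rec["ScreenshotTime"]
                self.seen_at_tracking = set()
            self.seen_at_tracking.add(rec["ScreenshotID"])
        return events


if __name__ == "__main__":
    poller = MetadataPoller(build_sample_db())
    print(len(poller.poll()), "events on first poll")
    print(len(poller.poll()), "events on second poll (nothing new)")
```

The watermark is the only state the collector needs to persist between runs; write it to disk after each successful delivery so a restart resumes from the last row the SIEM actually received rather than re-importing or skipping rows.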
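The log file integration's "latest deltas" and "Field Mapper" boxes are, in practice, a file tailer that remembers its byte offset and a column-rename table. The following added example (written for this page; not ObserveIT's or any SIEM's collector) implements both for the two log formats shown above. The sample lines are the page's own; the target field names in FIELD_MAP, the platform labels and the temporary-file demo are assumptions. It handles the two cases a naive tailer gets wrong: a line the ObserveIT application server is still writing (left for the next poll rather than parsed as a truncated record) and a file that has been rotated or truncated (offset reset instead of reading past the end).

```python
import csv
import io
import os
import tempfile

# The two sample logs reproduced from this page (Windows and UNIX/Linux formats).
WINDOWS_LOG = (
    '"FirstScreenshotTime","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","ApplicationName","WindowTitle"\n'
    '2011-08-11T07:07:20,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT - Login (5.3.0.0)\n'
    '2011-08-11T07:10:31,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,Windows Explorer,Program Manager\n'
)
UNIX_LOG = (
    '"OperationDate","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","CommandParam"\n'
    '2011-08-11T08:57:29,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/grep -q /usr/kerberos/bin\n'
    '2011-08-11T08:57:31,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/usr/bin/id -u\n'
)

# Field mapper: ObserveIT column -> common SIEM field. Target names are this example's assumption;
# both platforms land in the same schema so one dashboard can show window titles and commands.
FIELD_MAP = {
    "FirstScreenshotTime": "timestamp", "OperationDate": "timestamp",
    "SessionId": "session_id", "ClientName": "src", "ServerName": "dest",
    "DomainName": "domain", "LoginName": "login", "UserName": "user",
    "ApplicationName": "app", "WindowTitle": "action", "CommandParam": "action",
}


class LogFilePoller:
    """Tails one ObserveIT metadata log, delivering only the lines appended since the last poll."""

    def __init__(self, path, platform):
        self.path, self.platform = path, platform
        self.offset = 0          # byte position of the first unread line
        self.columns = None      # header row, learned on the first poll

    def poll(self):
        with open(self.path, "rb") as f:
            f.seek(0, os.SEEK_END)
            if f.tell() < self.offset:          # file rotated or truncated: start over
                self.offset, self.columns = 0, None
            f.seek(self.offset)
            chunk = f.read()
        cut = chunk.rfind(b"\n")                # anything after the last newline is still being written
        if cut < 0:
            return []
        complete, self.offset = chunk[:cut + 1], self.offset + cut + 1
        rows = [r for r in csv.reader(io.StringIO(complete.decode("utf-8"))) if r]
        if self.columns is None:
            self.columns, rows = rows[0], rows[1:]
        return [self._normalize(dict(zip(self.columns, r))) for r in rows]

    def _normalize(self, row):
        ev = {FIELD_MAP.get(k, k): v for k, v in row.items()}
        ev["platform"] = self.platform
        ev["event_type"] = "WindowTitle" if "WindowTitle" in row else "Command"
        return ev


def run_demo(sample, platform, extra_line):
    """Write the sample, poll, append one more record half at a time, polling after each half."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    os.close(fd)
    try:
        with open(path, "w", newline="") as f:
            f.write(sample)
        poller = LogFilePoller(path, platform)
        first = poller.poll()
        half = len(extra_line) // 2
        with open(path, "a", newline="") as f:      # writer caught mid-line
            f.write(extra_line[:half])
        partial = poller.poll()                     # must deliver nothing yet
        with open(path, "a", newline="") as f:
            f.write(extra_line[half:] + "\n")
        second = poller.poll()                      # now the whole record arrives
        return first, partial, second
    finally:
        os.remove(path)


if __name__ == "__main__":
    first, partial, second = run_demo(WINDOWS_LOG, "windows",
        "2011-08-11T07:10:41,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,"
        "OITHostedDemo-S,Administrator,brad,SSMS - SQL Server Management Studio,Connect to Server")
    print(len(first), len(partial), len(second), second[0]["action"])
```

Persist the offset alongside the file's inode or creation time if the SIEM agent may be restarted, and keep the mapping table in configuration rather than code so a new ObserveIT column does not require a collector release.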

Replay Integration

Unlike the metadata log, the video replay data is typically kept within the ObserveIT environment, both because of the custom playback functionality and because of the data volume, which is not something you want to add continuously to the SIEM.

[Figure: Replay integration schematic. The custom app (the SIEM) requests replay from the OIT Web Console over HTTP on port 4884 and receives the player inside an HTML wrapper. Single sign-on: the custom app uses the uid/pwd of an OIT web console user. Passwords are not transferred: token-based authentication with TTL limits.]

The video replay is available as a single HTTP target even if the ObserveIT database is federated across multiple local installations. The custom application does not need to be aware of the actual video storage location.

[Figure: Replay integration with federated databases. The custom app uses a single URL on the OIT centralized web console (HTTP port 4884) for on-the-fly video replay; the centralized console holds config data for each local OIT deployment (OIT Local Install 1, 2, 3) and uses the same SSO / password / token / TTL process to communicate with each local install.]

Note that the schematics show plain HTTP on port 4884. If the replay token travels in the URL, anything between the SIEM and the console can read and reuse it for as long as its TTL lasts, so front the console with TLS and keep the TTL short.
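The replay schematic states the security properties of the handshake (the custom app authenticates with a console user's uid/pwd, passwords are not transferred, and the replay link is protected by a token with a TTL) but not ObserveIT's token format, which this page does not document. The following is an added, generic illustration of that pattern, written for this page and not ObserveIT's code: the console, after checking the custom app's credentials once, issues an HMAC-signed token bound to one session with an absolute expiry; the player endpoint verifies the signature, the expiry and the session before serving video; and the SIEM only ever holds the token, never the password. The signing key, console host, URL path and claim names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Key shared only between the console (issuer) and the player endpoint (verifier). Assumed value;
# in a real deployment it is generated and stored server-side and never handed to the SIEM.
SERVER_KEY = b"example-only-replace-with-a-random-32-byte-key"
CONSOLE = "http://oit-console:4884"   # assumed host; port 4884 is from the page's schematic


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(console_user, session_id, ttl_seconds, now=None):
    """Console side, called after the custom app's uid/pwd has been verified.
    The token names the console user and the single session it unlocks and carries an absolute expiry,
    so a captured token cannot be used for another session or after the TTL."""
    now = int(time.time()) if now is None else now
    claims = {"u": console_user, "s": session_id, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, session_id, now=None):
    """Player side: returns the console user if the token is intact, unexpired and for this session,
    otherwise None. Signature is checked before anything in the payload is trusted."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now or claims["s"] != session_id:
        return None
    return claims["u"]


def replay_link(token, session_id):
    """What the SIEM embeds behind its Play icon: a URL carrying the token, never the password."""
    return f"{CONSOLE}/player?session={session_id}&token={token}"


if __name__ == "__main__":
    sid = "afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08"   # session id from the page's Windows sample log
    tok = issue_token("siem-svc", sid, ttl_seconds=300)
    print(replay_link(tok, sid))
    print("verified as", verify_token(tok, sid))
```

The `exp` claim is what makes the TTL enforceable by the player without a lookup; if tokens must be revocable before expiry, the player also needs a short-lived deny list or a per-user key version. Whatever scheme the console actually uses, the checks a SIEM integrator should confirm are the same three: the link carries no password, a token for one session does not open another, and an expired token is refused.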