PRODUCT FACT SHEET

Adding ObserveIT video audit logs to your SIEM

At a Glance

Adding ObserveIT's user activity video logs and user activity text logs to your SIEM or log analysis platform gives you all the details of exactly what users are doing on your network, right from within the platform that you count on for security oversight and compliance reporting.

Imagine this: your SIEM dashboard alerts you to a potential security incident. But now, instead of investigating by drilling down into system logs, you can simply click on the Play icon, which shows exactly what the user did!

ObserveIT's open architecture allows for a straightforward integration with any log analysis tool. This document describes this open architecture, and also provides a look at specific integrations with Splunk, Arcsight, RSA enVision and CA UARM.

What it looks like

Splunk with user activity logs

Event details are dashboarded across a standard Splunk timeline, with event listings showing exactly what applications, URLs, files and system calls the user touched. A video replay icon is available for each specific user action, allowing you to launch the video replay exactly at the moment in time that the user performed that action.

[Figure: ObserveIT text logs and replay from within Splunk. Callouts: user activity shown on a timeline; detailed text logs of user actions; click icon to launch video replay.]
Arcsight with user activity logs

The Arcsight Console shows detailed listings of every user action, including apps run, files touched, window titles and more. Right-click on any event to watch the video replay.

[Figure: ObserveIT text logs in Arcsight. Callouts: detailed text logs of user actions; context menu integration for video replay of user actions, within the Arcsight console.]

[Figure: ObserveIT video replay within the Arcsight console.]
CA UARM with user activity logs

ObserveIT's video and text logs have been tightly integrated with CA's Access Control platform, with ties into many CA products. With the UARM product, CA's full dashboarding integration provides text log details, breakdown pie charts and, of course, video replay at the click of the icon, launched right at the time of interest. The CA integration is available directly from CA as a CA line-item product.

[Figure: ObserveIT text logs and replay from within the CA Technologies UARM platform. Callouts: list of every app run; timeline view; breakdown by users and servers; detailed action listing; click the "Play the video!" icon to view.]

RSA enVision with user activity logs

All ObserveIT text logs are viewable within enVision, including filtering and search based on detailed metadata capture. Each log can afterwards be tied to a video replay. For more information on the RSA integration, get the integration document on the RSA site: https://gallery.emc.com/docs/doc-2548

[Figure: Audit log details within enVision, filtered according to detailed metadata. Callouts: metadata filtering; event listing.]
Integration Architecture

Integration typically involves two main factors: metadata integration (the textual activity logs) and replay integration.

Metadata Integration

Use your data collector mechanism for importing log data. ObserveIT's user activity metadata logs can be accessed in one of two ways: either via direct SQL access or via real-time log file polling. Each of these methods uses direct access to the data source, without the need to go via a web service or API-call layer.

SQL Integration

[Figure: SQL Server data collector schematic. The SIEM / Log Mgmt application's poller runs a SQL query against the OIT Metadata Log every x seconds (direct access, no AppServer interaction); the query results, including the URL of the video for replay, are passed through the field mapper.]

A sample SQL query for polling data would be as follows:

    USE ObserveIT;
    SELECT ScreenshotTime, MachineName AS ServerName, LoginName, DomainName,
           ApplicationName, WindowTitle, UserName, ClientName, ClientAddress,
           SessionID, ScreenshotID, ApplicationServerName, 'WindowTitle' EventType
    FROM dbo.sessionwindowtitleinstances
    INNER JOIN ServerInvatory ON ServerInvatory.SrvID = SessionWindowTitleInstances.SrvID
    WHERE ScreenshotTime > '%TRACKING%'

Log File Integration

[Figure 1: Real-time log file polling data collector schematic. The SIEM / Log Mgmt application's poller reads the OIT AppServer's real-time metadata log file every x seconds (direct access, no AppServer interaction); the polling results, i.e. the latest deltas, are passed through the field mapper.]

The resulting log files will appear as follows:

Sample Windows log

    "FirstScreenshotTime","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","ApplicationName","WindowTitle"
    2011-08-11T07:07:20,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT - Login (5.3.0.0)
    2011-08-11T07:07:22,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT Message - User Activity Auditing
    2011-08-11T07:10:31,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,Windows Explorer,Program Manager
    2011-08-11T07:10:41,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,SSMS - SQL Server Management Studio,Connect to Server

Sample UNIX / Linux log

    "OperationDate","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","CommandParam"
    2011-08-11T08:57:29,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/grep -q /usr/kerberos/bin
    2011-08-11T08:57:30,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/grep -q /usr/kerberos/sbin
    2011-08-11T08:57:31,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/usr/bin/id -u
    2011-08-11T08:57:33,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/sbin/consoletype stdout
    2011-08-11T08:57:35,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/usr/bin/id -u
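The collector behaviour sketched above (poll every x seconds, take the latest deltas), as an added example that is not ObserveIT's own code: a Python parser for the two CSV layouts shown, plus a poller that keeps the last seen timestamp in the role of the query's %TRACKING% placeholder and returns only rows newer than it. The sample rows are constructed to match the fact sheet's samples (the last UNIX row is invented to carry a comma inside the command line), and the reading of %TRACKING% as the high-water mark of the last fetched timestamp is an assumption of this example, not something the page states.

```python
"""Incremental collector for ObserveIT-style user activity CSV logs (added example)."""
import csv
import io

# Constructed sample logs in the shapes shown in the fact sheet. The final UNIX
# row is invented to contain a comma inside CommandParam, which an unquoted
# export would emit verbatim.
WINDOWS_LOG = """\
"FirstScreenshotTime","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","ApplicationName","WindowTitle"
2011-08-11T07:07:20,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT - Login (5.3.0.0)
2011-08-11T07:07:22,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,ObserveIT,ObserveIT Message - User Activity Auditing
2011-08-11T07:10:31,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,Windows Explorer,Program Manager
2011-08-11T07:10:41,afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08,OIT-BRAD,OITHostedDemo-S,OITHostedDemo-S,Administrator,brad,SSMS - SQL Server Management Studio,Connect to Server
"""

UNIX_LOG = """\
"OperationDate","SessionId","ClientName","ServerName","DomainName","LoginName","UserName","CommandParam"
2011-08-11T08:57:29,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/grep -q /usr/kerberos/bin
2011-08-11T08:57:31,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/usr/bin/id -u
2011-08-11T08:57:35,d2526b82-8d37-4c35-b74e-26242a0f73e5,10.1.100.5,c56-32-3,observeit.com,dima,n/a,/bin/echo a,b
"""


def parse_log(text):
    """Parse one ObserveIT CSV export into normalised event dicts.

    The layout is detected from the timestamp column: FirstScreenshotTime for
    Windows agents, OperationDate for UNIX/Linux agents. Overflow fields caused
    by an unquoted comma in the last column are folded back into that column.
    """
    reader = csv.DictReader(io.StringIO(text), restkey="_extra")
    events = []
    for row in reader:
        extra = row.pop("_extra", None)
        if "FirstScreenshotTime" in row:
            platform, time = "windows", row["FirstScreenshotTime"]
            if extra:
                row["WindowTitle"] = ",".join([row["WindowTitle"]] + extra)
            action = "%s: %s" % (row["ApplicationName"], row["WindowTitle"])
        elif "OperationDate" in row:
            platform, time = "unix", row["OperationDate"]
            if extra:
                row["CommandParam"] = ",".join([row["CommandParam"]] + extra)
            action = row["CommandParam"]
        else:
            raise ValueError("unrecognised log layout: %r" % (reader.fieldnames,))
        events.append({
            "time": time,                 # ISO-8601 text, so string order is time order
            "platform": platform,
            "session": row["SessionId"],  # the key a replay link is built from
            "server": row["ServerName"],
            "client": row["ClientName"],
            "login": row["LoginName"],
            "user": row["UserName"],
            "action": action,
        })
    return events


class DeltaPoller:
    """Return only rows newer than the previous poll, as a data collector would.

    `tracking` plays the role of %TRACKING% in the sample SQL query (assumed
    here to be the last fetched timestamp). A bare `time > tracking` filter
    would drop a second event written in the same second as the watermark, so
    the events already seen at the watermark are remembered and excluded too.
    """

    def __init__(self, tracking="1970-01-01T00:00:00"):
        self.tracking = tracking
        self.seen_at_mark = set()

    def poll(self, text):
        new = []
        for event in parse_log(text):
            key = tuple(sorted(event.items()))
            if event["time"] > self.tracking or (
                event["time"] == self.tracking and key not in self.seen_at_mark
            ):
                new.append(event)
        if new:
            latest = max(e["time"] for e in new)
            if latest != self.tracking:
                self.seen_at_mark = set()   # watermark moved; old same-second set is stale
            self.tracking = latest
            self.seen_at_mark.update(
                tuple(sorted(e.items())) for e in new if e["time"] == latest
            )
        return new


if __name__ == "__main__":
    poller = DeltaPoller()
    for event in poller.poll(WINDOWS_LOG) + DeltaPoller().poll(UNIX_LOG):
        print(event["time"], event["platform"], event["login"], event["action"])
```

Whether the collector polls the table or the file, it only needs read access to the source: a SQL account limited to SELECT on the two tables in the sample query is enough, and the file poller needs no AppServer credentials at all, which matches the "no AppServer interaction" property in the schematics.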
Replay Integration

Unlike the metadata log, the video replay data is typically maintained within the ObserveIT environment, due to its custom playback functionality and also due to the data size, which is not desirable to add continuously to the SIEM.

[Figure: Replay integration schematic. The custom app calls the OIT Web Console over HTTP port 4884 and receives the player HTML wrapper. Single sign-on: the custom app uses the uid/pwd of the OIT web console. Passwords are not transferred: token-based authentication with TTL limits.]

The video replay is available as a single HTTP target even if the ObserveIT database is federated across multiple local installations. The custom application does not need to be aware of the actual video storage location.

[Figure: Replay integration with federated databases. The custom app uses a single URL on the OIT centralized web console (HTTP port 4884) for on-the-fly video replay and receives the player HTML wrapper; the centralized console holds config data for each local OIT deployment (OIT Local Install 1, 2, 3). Single sign-on: the custom app uses the uid/pwd of the centralized OIT console. Passwords are not transferred: token-based authentication with TTL limits. The same SSO / pwd / token / TTL process is used for communication with each local install.]
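The "passwords are not transferred: token-based authentication with TTL limits" property, as an added illustration that is not ObserveIT's scheme (the page does not document its token format): an HMAC-signed token naming one session and an expiry, minted on the console side after the custom app's own sign-on and checked on the player side before any video is served. The shared secret, claim names, TTL values and session ids below are constructed for the example.

```python
"""Replay token with a TTL: hypothetical illustration of the pattern, not ObserveIT's format."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    """URL-safe base64 without padding, so the token can sit in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_replay_token(secret, session_id, ttl_seconds=300, now=None):
    """Console side: grant replay of exactly one session until `now + ttl`.

    The custom app has already signed on with the console's uid/pwd; what it
    hands to the player is this token, never the password. `now` is injectable
    so the behaviour can be checked without waiting for real time to pass.
    """
    now = int(time.time()) if now is None else now
    claims = {"sid": session_id, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(mac)


def verify_replay_token(secret, token, now=None):
    """Player side: return the session id the token grants, or None if it is
    malformed, forged, tampered with or expired.

    The signature is checked before the claims are parsed, so unauthenticated
    input never reaches the JSON decoder, and the comparison is constant-time.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if int(claims["exp"]) <= now:
            return None
        return claims["sid"]
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    # Constructed secret shared between console and player; a real deployment
    # would generate it randomly and keep it out of the custom app entirely.
    secret = b"constructed-shared-secret"
    token = issue_replay_token(secret, "afd3fe2b-2243-4ccb-b4fe-b2ba39cdda08", ttl_seconds=60)
    print(token)
    print("grants session:", verify_replay_token(secret, token))
```

Binding the token to a single session id and a short expiry limits what a leaked replay link is worth: it cannot be redirected to another user's session and stops working after the TTL, which is the benefit the schematic is pointing at when it contrasts tokens with forwarding the console password.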