Stream application logs to FireEye TAP using rSyslog File Monitoring

Introduction to FireEye TAP

The FireEye Threat Analytics Platform is a cloud-based solution that enables security teams to identify and effectively respond to cyber threats by layering enterprise-generated event data with real-time threat intelligence from FireEye. The platform increases the overall visibility into the threat landscape by leveraging the FireEye Threat Prevention Platforms’ rich insights into threat actor profiles and behavior. More details can be found here:

FireEye Threat Analytics Platform

Use Cases

Identity Explorer addresses a concrete business need: it lets administrators and case analysts review identity-related incidents across the enterprise. The ForgeRock-FireEye TAP integration strengthens that picture for BYOD scenarios in particular, such as new mobile device registrations.


A sample case for detecting fraudulent device registrations is documented here. The typical scenario is a user who registers a new device, or logs in from a new device, from a location not seen before; such a login is flagged as suspected fraud. Detecting it correctly depends on knowing which locations the user normally logs in from, so that the new location can be compared against that history rather than judged on its own.

Sample rSyslog Configuration

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
# State files below are written here; the rsyslog user needs write access
$WorkDirectory /var/spool/rsyslog

# OpenAM authentication debug log
$InputFileName /home/ec2-user/openam12/openam/debug/Authentication
$InputFileTag debugAuth:
# the state file name must be unique for each file being polled
$InputFileStateFile stat-debugAuth12-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# OpenAM session (SSO) access log
$InputFileName /home/ec2-user/openam12/openam/log/amSSO.access
$InputFileTag amSSO:
# the state file name must be unique for each file being polled
$InputFileStateFile stat-amSSO12-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Tomcat access log for the OpenAM container
$InputFileName /opt/demo/tomcat7b/bin/access.log
$InputFileTag tomcat7baccess:
# the state file name must be unique for each file being polled
$InputFileStateFile stat-tomcat7baccess12-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Template for file events in the layout agreed with FireEye
# (app-name is the tag above without its colon; procid and msgid are "-")
$template TAPFormatFile,"<%pri%>%protocol-version% %app-name% %procid% %msgid% %msg%\n"

# Send to the Communications Broker on TCP 516, then discard so the lines
# do not also land in the local syslog files
# (rsyslog 7 and later; use "& ~" instead of "& stop" on older versions)
if $programname == 'debugAuth' then @@127.0.0.1:516;TAPFormatFile
& stop
if $programname == 'amSSO' then @@127.0.0.1:516;TAPFormatFile
& stop
if $programname == 'tomcat7baccess' then @@127.0.0.1:516;TAPFormatFile
& stop

Two things to verify on a live host. First, after $PrivDropToGroup takes effect the rsyslog process must still be able to read the three log files and write its state files under $WorkDirectory, so check group ownership and permissions on the OpenAM and Tomcat directories. Second, $InputFilePersistStateInterval 20000 means the read offset is saved only every 20000 lines; after an unclean restart rsyslog resumes from the last saved offset, so up to that many lines may be resent to TAP and show up as duplicates.
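Before the Communications Broker is in place it is worth checking what rsyslog actually emits on port 516. The following Python script is an added example, not part of the original post or of FireEye's or ForgeRock's software: it parses lines in the TAPFormatFile layout above (captured with, for example, `nc -l 127.0.0.1 516 > capture.log` while the broker is stopped), checks that the tag and severity are what the configuration sets, and reports anything malformed. The sample lines are constructed, with placeholder message bodies, and assume imfile's default facility, local0 (16).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Lines produced by the TAPFormatFile template:
#   "<%pri%>%protocol-version% %app-name% %procid% %msgid% %msg%\n"
# app-name is the imfile tag without its trailing colon; procid and msgid
# are "-" because a file-sourced message carries neither.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<msg>.*)$"
)

# The tags configured above (minus the colon) and the severity that
# $InputFileSeverity sets (info = 6).
EXPECTED_TAGS = {"debugAuth", "amSSO", "tomcat7baccess"}
EXPECTED_SEVERITY = 6


@dataclass
class TapLine:
    facility: int
    severity: int
    app: str
    msg: str


def parse_tap_line(line):
    """Parse one line; raises ValueError if it does not match the template."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not TAPFormatFile: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return TapLine(pri // 8, pri % 8, m.group("app"), m.group("msg"))


def check_stream(lines):
    """Summarise a captured stream: per-tag counts plus a list of problems
    (malformed lines, tags not configured above, unexpected severity)."""
    counts = Counter()
    problems = []
    for n, line in enumerate(lines, 1):
        try:
            rec = parse_tap_line(line)
        except ValueError as e:
            problems.append("line %d: %s" % (n, e))
            continue
        counts[rec.app] += 1
        if rec.app not in EXPECTED_TAGS:
            problems.append("line %d: unexpected tag %r" % (n, rec.app))
        if rec.severity != EXPECTED_SEVERITY:
            problems.append("line %d: severity %d, expected %d"
                            % (n, rec.severity, EXPECTED_SEVERITY))
    return dict(counts), problems


# Constructed sample as rsyslog would emit it with facility local0 (16) and
# severity info (6): PRI = 16*8 + 6 = 134. Message bodies are placeholders,
# not real OpenAM or Tomcat log content.
SAMPLE = [
    "<134>1 amSSO - - placeholder session log line for User.120\n",
    "<134>1 debugAuth - - placeholder authentication debug line for User.120\n",
    "<134>1 tomcat7baccess - - 198.51.100.7 - - [10/Mar/2015:09:12:45 +0000] "
    "\"POST /openam/json/authenticate HTTP/1.1\" 200 211\n",
    "<132>1 amSSO - - severity here is warning (4), not info\n",
    "<134>1 amPolicy - - tag not configured in the rsyslog file above\n",
    "this line is not syslog at all\n",
]

if __name__ == "__main__":
    counts, problems = check_stream(SAMPLE)
    print(counts)
    for p in problems:
        print(p)
```

A clean capture should show only the three configured tags, severity 6 on every line and an empty problem list; anything else usually means a tag typo, a stray file being monitored or another rule on the host also writing to port 516.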

OpenAM Debug Logging

Enable debug logging for Category: Authentication in /openam/Debug.jsp; the debug/Authentication file monitored above only fills once that category is raised above its default level. Raise only the category you need: the debug output is verbose, so review what it records before shipping it off the host.

FireEye Communications Broker Setup

You install FireEye's proprietary Communications Broker software on the Unix server. It listens on TCP 516 (which is why the rsyslog rules above send to 127.0.0.1:516 rather than to FireEye directly) and routes the incoming data on to the FireEye TAP servers. Since rsyslog talks to the broker over loopback only, the broker is the component responsible for the transport to TAP.

Viewing Parsed Log Messages in TAP

Search for class:forgerock (this would be the name of your integration as agreed upon with FireEye) together with program:amauth. Other examples are program:amsso and program:ampolicy. Note that these program names are assigned by TAP's parser for the integration; they need not match the rsyslog tags (debugAuth, amSSO) set in the configuration above.

If parsing is working correctly, the TAP administrator will see messages corresponding to each program name. In this screenshot the client's IP is hidden. The next step is to create ALERTS that key off certain field values parsed out of the logs.

Here is a sample alert for a user logging on from an unknown location:


The following screenshot shows a list of locations the user, User.120 has signed on from over the past month.


The logins from Tokyo, Frankfurt and Singapore could be deemed anomalous against that history, and the corresponding log lines added to a new incident to investigate the behaviour.
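The unknown-location rule can be written down directly. The Python below is an added example, not TAP's alert logic and not code from the original post: it builds each user's baseline of cities and devices over the 30 days before the review window, then scores each login in the window, distinguishing a known device at an unknown location from a new device at an unknown location (the registration case described earlier) and deliberately not alerting on a user who has no history at all. The records, field names and city values are constructed; in TAP the city would come from geolocation of the client IP parsed out of the logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 30


def build_baseline(events, before, days=BASELINE_DAYS):
    """Per user, the cities and devices seen in the `days` before `before`."""
    since = before - timedelta(days=days)
    hist = defaultdict(lambda: {"cities": set(), "devices": set()})
    for e in events:
        if since <= e["ts"] < before:
            hist[e["user"]]["cities"].add(e["city"])
            hist[e["user"]]["devices"].add(e["device"])
    return hist


def score_login(event, hist):
    """Return (severity, reason) for one login against the user's history."""
    h = hist.get(event["user"])
    if h is None:
        # No history means nothing to compare against: record, do not alert.
        return "low", "no baseline for %s" % event["user"]
    new_city = event["city"] not in h["cities"]
    new_device = event["device"] not in h["devices"]
    if new_city and new_device:
        return "high", "new device %s from unknown location %s" % (
            event["device"], event["city"])
    if new_city:
        return "medium", "known device from unknown location %s" % event["city"]
    if new_device:
        return "low", "new device %s from a known location" % event["device"]
    return "none", "known device and location"


def detect(events, as_of, window=timedelta(hours=24)):
    """Score every login in the `window` ending at `as_of` against a
    baseline built from the BASELINE_DAYS before that window."""
    start = as_of - window
    hist = build_baseline(events, start)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if start <= e["ts"] < as_of:
            sev, why = score_login(e, hist)
            findings.append({"user": e["user"], "ts": e["ts"],
                             "severity": sev, "reason": why})
    return findings


def ev(user, when, city, device):
    return {"user": user, "ts": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "city": city, "device": device}


# Constructed sample: field names and values are assumptions, not TAP's schema.
EVENTS = [
    ev("User.120", "2015-01-01 08:00", "Tokyo", "laptop-1"),       # older than the baseline
    ev("User.120", "2015-02-20 08:00", "London", "laptop-1"),
    ev("User.120", "2015-02-27 08:30", "London", "laptop-1"),
    ev("User.120", "2015-03-05 09:00", "Bristol", "laptop-1"),
    ev("User.120", "2015-03-10 09:12", "London", "laptop-1"),      # normal
    ev("User.7", "2015-03-10 10:00", "Singapore", "phone-7"),      # first login ever
    ev("User.120", "2015-03-10 14:40", "Tokyo", "laptop-1"),       # known device, unknown place
    ev("User.120", "2015-03-10 22:05", "Frankfurt", "phone-new"),  # new device, unknown place
]
AS_OF = datetime(2015, 3, 11, 0, 0)
REVIEW_START = AS_OF - timedelta(hours=24)

if __name__ == "__main__":
    for f in detect(EVENTS, AS_OF):
        print(f["ts"], f["user"], f["severity"], f["reason"])
```

The Tokyo login in January falls outside the 30-day baseline, so the March login from Tokyo is still flagged: the baseline length is the main tuning knob, since a short window raises false positives for people who travel and a long one lets a compromised account's first appearance blend in.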

Here is the device information shown in TAP:

Here I show how log lines from TAP are added to a new or previously created incident.

The analyst assigned to the alert and incident would log in to TAP and investigate using session parameters such as the timestamp, device name and OpenAM server name, and may then raise a request to revoke or temporarily disable access for User.120 in OpenAM.