Customers who would like the SIEM data sent in JSON format can use the following template as a default. This format has been tested against a variety of SIEM solutions.
- Create a new SIEM Template named "JSON"
- Fill in the Description field with the appropriate information, e.g. "Custom JSON output"
- Type `\"` for the 'Characters to Escape' to ensure that the output renders correctly in Rapid7 and Splunk
- Type `\` as the 'Escape Character'
- Copy and paste the following text into the 'Format' field.
```json
{"Date": "%SYSLOG_DATE%", "Host": "%HOST%", "Template": "%TEMPLATENAME%:%TEMPLATEVERSION%", "Company": "%COMPANY%", "Product": "%PRODUCT%", "ProductVersion": "%PRODUCT_VERSION%", "LogLevelStatus": "%LOGLEVELSTATUS%", "LogLevel": "%LOGLEVEL%", "EventTimeUtc": "%EVENTTIMEUTC%", "EventLoggedInUserName": "%EVENTLOGGEDINUSERNAME%", "EventLoggedInFromIPAddress": "%EVENTLOGGEDINFROMIPADDRESS%", "EventAccessPolicyName": "%EVENTACCESSPOLICYNAME%", "EventSourceHost": "%EVENTSOURCEHOST%", "EventServiceType": "%EVENTSERVICETYPE%", "EventType": "%EVENTTYPE%", "EventStatus": "%EVENTSTATUS%", "EventMessage": "%EVENTMESSAGE%", "ActivitySessionCreatedByUserName": "%ACTIVITYSESSIONCREATEDBYUSERNAME%", "ActivitySessionCreatedFromAddress": "%ACTIVITYSESSIONCREATEDFROMADDRESS%", "ActivitySessionCreatedDateTimeUtc": "%ACTIVITYSESSIONCREATEDDATETIMEUTC%", "ActivitySessionLoginAccountName": "%ACTIVITYSESSIONLOGINACCOUNTNAME%", "ActivitySessionStatus": "%ACTIVITYSESSIONSTATUS%", "ActivitySessionStatusDescription": "%ACTIVITYSESSIONSTATUSDESCRIPTION%", "ManagedAccountName": "%MANAGEDACCOUNTNAME%", "ManagedAccountType": "%MANAGEDACCOUNTTYPE%", "ManagedResourceName": "%MANAGEDRESOURCENAME%", "ManagedResourceType": "%MANAGEDRESOURCETYPE%", "ManagedResourceHostName": "%MANAGEDRESOURCEHOSTNAME%", "ManagedResourceHostDistinguishedName": "%MANAGEDRESOURCEHOSTDISTINGUISHEDNAME%", "ManagedResourceHostIPAddress": "%MANAGEDRESOURCEHOSTIPADDRESS%", "ManagedResourceHostOS": "%MANAGEDRESOURCEHOSTOS%", "ManagedResourceHostDNSHostName": "%MANAGEDRESOURCEHOSTDNSHOSTNAME%", "ManagedResourceHostNetBIOSName": "%MANAGEDRESOURCEHOSTNETBIOSNAME%"}
```
The result in NPS should look similar to the following.
When looking at the output, depending on the SIEM solution, you can view the data in its raw format (which will show the escaped characters) or in the highlighted view, which presents the data more readably (notice that the escaping `\` does not appear in this view).
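To see why the 'Characters to Escape' and 'Escape Character' settings matter, the following added example (not part of this article or of the product) simulates the template rendering: it substitutes `%NAME%` placeholders with event values, applies the escaping rule (prefix each listed character with the escape character), and then parses the result the way a SIEM would. The template is a trimmed copy of the one above, the event values are constructed, and the simulation assumes the product escapes only the characters listed in the field and nothing else. Under that assumption it also shows the edge case where an event message contains a literal backslash: escaping only `"` leaves an invalid JSON escape behind, while adding `\` to the list makes the line parse and round-trip correctly.

```python
import json
import re

# Trimmed-down copy of the article's template (constructed for this example);
# the full template uses the same mechanics with more fields.
TEMPLATE = (
    '{"Date": "%SYSLOG_DATE%", "Host": "%HOST%", '
    '"EventMessage": "%EVENTMESSAGE%", '
    '"ManagedResourceHostName": "%MANAGEDRESOURCEHOSTNAME%"}'
)

PLACEHOLDER = re.compile(r"%([A-Z_]+)%")

# Constructed sample event: the message contains both a double quote
# and backslashes, the two characters that can break JSON output.
SAMPLE_EVENT = {
    "SYSLOG_DATE": "2024-01-15T10:21:07Z",
    "HOST": "nps01",
    "EVENTMESSAGE": 'User "alice" checked out C:\\Temp\\creds.txt',
    "MANAGEDRESOURCEHOSTNAME": "srv-db-01",
}


def escape_value(value, chars_to_escape, escape_char="\\"):
    """Apply the template's escaping rule: each character listed in
    chars_to_escape is prefixed with escape_char. Assumption: only the
    listed characters are escaped, matching the settings described above."""
    out = []
    for ch in value:
        if ch in chars_to_escape:
            out.append(escape_char)
        out.append(ch)
    return "".join(out)


def render(template, values, chars_to_escape):
    """Substitute every %NAME% placeholder with its escaped event value.
    Unknown placeholders render as an empty string."""
    def substitute(match):
        return escape_value(values.get(match.group(1), ""), chars_to_escape)
    return PLACEHOLDER.sub(substitute, template)


def render_and_parse(template, values, chars_to_escape):
    """Render the line, then parse it as JSON as a SIEM would.
    Returns (parsed_dict_or_None, raw_line); None means the SIEM would
    have rejected the event or mangled the field."""
    raw = render(template, values, chars_to_escape)
    try:
        return json.loads(raw), raw
    except json.JSONDecodeError:
        return None, raw


if __name__ == "__main__":
    for chars in ('"', '"\\'):
        parsed, raw = render_and_parse(TEMPLATE, SAMPLE_EVENT, chars)
        print(f"Characters to Escape = {chars!r}")
        print("  raw line :", raw)
        print("  parsed   :", parsed["EventMessage"] if parsed else "INVALID JSON")
```

Running it shows the raw line with `\"alice\"` in both cases (the escaped quotes the article says you will see in a raw SIEM view), but only the second configuration produces a line that parses back to the original message. If your events can carry Windows paths or other backslashes, check a real sample against the SIEM's parser before relying on the quote-only setting.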