PhenixID

Understanding how to use and parse audit logs from multi-tenant PhenixID environments in SIEM

Summary

This document describes how to approach multi-tenant auditing of PhenixID products so that the target SIEM system can normalize the data per tenant and provide reports etc. on a per-customer basis.

Details on how to configure the SIEM system and set up the normalization rules are out of scope.

System requirements

Audit and event logs from the PhenixID product(s) must be sent to the SIEM system. Consult each product guide for how to configure log4j to send audit and event logs to the target destination.

Products

PhenixID Authentication Services / Password Self Service / Signing Services / MFA

  • The product configuration must include a customer-specific parameter (customerID / tenantID). This parameter (phenixIDIdentifier) is written to every audit log entry.
  • The SIEM normalization tool can then use the phenixIDIdentifier value to categorize the data per customer.

Example

This is an example event from PAS:

feb 12 2016 12:38:46.869 NODEBIS8342 CEF:0|PhenixID|PAS|3.2.0|EVT_004000|Successfully authenticated with Swedish BankID|2|duser=191212121212 phenixIDIdentifier=CustomerX

PhenixID Identity Manager

  • Information about audit logging in PIM can be found here.
  • Auditing data includes who (the logged-in user) performed the change on what (the object such as a user or a group) and when.
  • To categorize an entry based on the customer, the SIEM normalization tool must parse parts of the LDAP DN string and map it to a particular customer.

Example

This is an example event from PIM:

2020-10-13T09:24:53+02:00 WIN-IM3RU1DV7HA CEF:0|PhenixID|IM|5.4.3-SNAPSHOT|AUDIT_001|UPDATE|1|attr=title dn=CN\=Håkan<space>Södergren,OU\=CustomerX,DC\=phenixid2019,DC\=local operation=REPLACE suser=CN\=Tommy<space>Mörth,OU\=CustomerX,DC\=phenixid2019,DC\=local value=Forward

Where suser is the logged-in user and dn is the updated object.

PhenixID Identity Provisioning

  • Information about audit logging in PIP can be found here.
  • Audit data includes information about the change: on what (the object, such as a user or a group) and when.
  • To categorize an entry based on the customer, the SIEM normalization tool must parse parts of the data (such as a DN or an email address, depending on which type of object is edited) and map it to a specific customer.

Example

This is an example event from PIP:

2012-12-04 13:15:00,553: INFO: plugins.v3.DeleteObjectInLDAP Object “CN=astrom,OU=CustomerX,OU=Users,DC=Company,DC=local” was deleted in directory Microsoft ADLDS

where the object is an LDAP user.

This is another example event from PIP:

2020-10-11 23:48:21,476: INFO: se.phenixid.action.users.GoogleAppsUpdateUser Updated the Google user account: “1234345345345345345” (johan.johansson@customerX.se). Attributes [givenname = Johan][orgunitpath = /Inactive]

where the object is a Google user account.
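The three extraction rules described above (phenixIDIdentifier for PAS, the OU of the dn for PIM, the DN or email domain for PIP) as one added normalization example; this is illustrative code written for this article, not a PhenixID component, and the sample lines and the email-domain lookup table are constructed after the examples on this page:

```python
import re

# Constructed e-mail-domain -> tenant lookup; a real SIEM keeps this in a lookup table
EMAIL_DOMAIN_TO_TENANT = {"customerx.se": "CustomerX"}

# CEF extension key=value pairs; a value may contain '\=' (PhenixID escapes '=' in DNs)
_KV = re.compile(r"(\w+)=((?:\\.|[^\s\\])*)")

def _unescape_dn(raw):
    # PhenixID writes '=' as '\=' and a space as '<space>' inside CEF extension DNs
    return raw.replace("\\=", "=").replace("<space>", " ")

def ou_from_dn(dn):
    """First OU RDN of a DN; in the examples above that OU names the customer."""
    m = re.search(r"(?:^|,)OU=([^,]+)", dn)
    return m.group(1) if m else None

def tenant_from_cef(line):
    """PAS/PIM CEF event: phenixIDIdentifier if present, else the OU of 'dn'."""
    parts = line.split("|", 7)  # header has 7 '|'-separated fields, then the extension
    if len(parts) < 8:
        return None
    kv = dict(_KV.findall(parts[7]))
    if "phenixIDIdentifier" in kv:
        return kv["phenixIDIdentifier"]
    if "dn" in kv:
        return ou_from_dn(_unescape_dn(kv["dn"]))
    return None

def tenant_from_pip(line):
    """PIP log4j line: OU of a quoted LDAP DN, else the domain of an (e-mail) address."""
    m = re.search(r'[“"]([^”"]*DC=[^”"]*)[”"]', line)
    if m:
        return ou_from_dn(m.group(1))
    m = re.search(r"\(([^()@\s]+@([^()\s]+))\)", line)
    if m:
        return EMAIL_DOMAIN_TO_TENANT.get(m.group(2).lower())
    return None

def tenant_of(line):
    """Dispatch on format: CEF events from PAS/PIM, plain log4j lines from PIP."""
    return tenant_from_cef(line) if "CEF:0|" in line else tenant_from_pip(line)

# Constructed sample lines modelled on the page's examples
SAMPLES = [
    "feb 12 2016 12:38:46.869 NODEBIS8342 CEF:0|PhenixID|PAS|3.2.0|EVT_004000|Successfully authenticated with Swedish BankID|2|duser=191212121212 phenixIDIdentifier=CustomerX",
    r"2020-10-13T09:24:53+02:00 WIN-IM3RU1DV7HA CEF:0|PhenixID|IM|5.4.3-SNAPSHOT|AUDIT_001|UPDATE|1|attr=title dn=CN\=Håkan<space>Södergren,OU\=CustomerX,DC\=phenixid2019,DC\=local operation=REPLACE",
    "2020-10-11 23:48:21,476: INFO: se.phenixid.action.users.GoogleAppsUpdateUser Updated the Google user account: “1234345345345345345” (johan.johansson@customerX.se). Attributes [givenname = Johan]",
]
```

Each entry in SAMPLES resolves to CustomerX; a line that carries neither an identifier, a DN with an OU, nor a known email domain yields None, which the SIEM should route to an "unassigned tenant" bucket for review.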

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se