Integrate RSA SecurID


EventTracker v9.x and above
Publication Date: SEP 10, 2019

Abstract

This guide provides instructions to configure and retrieve RSA SecurID events using EventTracker. It collects the logs that RSA SecurID produces (user activity, threat details, and so on). Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor RSA SecurID.

Scope

The configurations detailed in this guide are consistent with EventTracker version v9.x or above and RSA Authentication Manager v8.x and later.

Audience

Administrators who are assigned the task to monitor RSA SecurID using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues discussed as of the date of publication. Because Netsurion must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Netsurion, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Scope
Audience
1. Overview
2. Prerequisites
3. Configuring RSA SecurID to send syslog to EventTracker
4. EventTracker Knowledge Pack
   4.1 Flex Reports
   4.2 Alerts
   4.3 Saved Searches
   4.4 Dashboards
5. Importing RSA SecurID knowledge pack into EventTracker
   5.1 Alerts
   5.2 Token Template
   5.3 Knowledge Object
   5.4 Flex Reports
   5.5 Category
   5.6 Dashboard
6. Verifying RSA SecurID knowledge pack in EventTracker
   6.1 Alerts
   6.2 Token Template
   6.3 Knowledge Object
   6.4 Flex Reports
   6.5 Category

1. Overview

RSA SecurID ("SecurID") is a two-factor authentication technology that is used to protect network resources. RSA Authentication Manager is the server software that provides the security engine for authentication requests.

EventTracker supports RSA SecurID: it monitors the RSA SecurID logs and generates alerts, reports, dashboards and saved searches for critical events such as user authentication failure, admin login, failed login and DoS attack detection.

2. Prerequisites

- EventTracker v9.x or later should be installed.
- RSA Authentication Manager v8.x or later should be installed.
- The firewall exception for the syslog port (default: 514) should be enabled between the RSA Authentication Manager host and EventTracker. Syslog on UDP 514 is sent in clear text and is unauthenticated, so scope the exception to the EventTracker host rather than opening the port broadly.

3. Configuring RSA SecurID to send syslog to EventTracker

To configure RSA Authentication Manager for syslog using Microsoft Windows:

1. Log in to the system hosting your RSA Security Console.
2. Open the following file for editing based on your operating system:
   /Program esources/ims.properties
3. Edit the following entries in the ims.properties file (if they don't exist, add them):

   ims.logging.audit.admin.syslog_host = <IP address>
   ims.logging.audit.admin.use_os_logger = true
   ims.logging.audit.runtime.syslog_host = <IP address>
   ims.logging.audit.runtime.use_os_logger = true
   ims.logging.system.syslog_host = <IP address>
   ims.logging.system.use_os_logger = true

   where <IP address> is the IP address or hostname of EventTracker. The three groups correspond to the administrative audit log, the runtime (authentication) audit log and the system log; all three are needed for the reports and alerts in section 4.
4. Save and close the ims.properties file.
5. Restart RSA Authentication Manager by navigating to Start > Administrative Tools > Computer Management > Services and Applications > Services.
6. Select RSA Authentication Manager and click Restart.
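Steps 2 and 3 amount to a keep-or-add edit of a Java-style properties file. The following is an added example written for this guide (not Netsurion or RSA code) that performs that edit in Python: it rewrites any of the six syslog properties already present, appends those that are missing, leaves every other line and comment untouched, and produces the same text when run a second time. The property names are the ones listed in step 3; the sample file contents, the collector address 192.0.2.10 and the helper names are constructed for the example.

```python
"""Keep-or-add edit of the syslog properties in an RSA Authentication Manager
ims.properties file (added example for this guide, not Netsurion or RSA code).

Assumptions, all constructed for illustration: the sample file contents below,
the collector address passed in, and the helper names.
"""
import re

# The property groups from section 3: administrative audit log, runtime
# (authentication) audit log, and system log.
PROPERTY_GROUPS = (
    "ims.logging.audit.admin",
    "ims.logging.audit.runtime",
    "ims.logging.system",
)

# Java .properties accepts "key=value", "key = value", "key:value" and
# "key value"; capture the key of any non-comment line that has a separator.
_KEY_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:\s]")

# Constructed excerpt standing in for a real ims.properties: the admin
# syslog_host is present but empty, two use_os_logger keys are set to false,
# and the remaining keys are absent.
SAMPLE_IMS_PROPERTIES = """\
# constructed excerpt, not a real ims.properties
ims.logging.audit.admin.syslog_host =
ims.logging.audit.admin.use_os_logger = false
ims.logging.audit.runtime.use_os_logger = false
ims.some.other.setting = keep-me
"""


def desired_properties(collector):
    """The six properties step 3 asks for, pointed at the EventTracker host."""
    wanted = {}
    for group in PROPERTY_GROUPS:
        wanted[group + ".syslog_host"] = collector
        wanted[group + ".use_os_logger"] = "true"
    return wanted


def update_properties(text, collector):
    """Return the file text with the syslog properties set to `collector`.

    Keys already present are rewritten in place (so a stale or empty value is
    corrected); keys that are missing are appended at the end.  Running the
    function twice yields the same text.
    """
    wanted = desired_properties(collector)
    seen = set()
    out = []
    for line in text.splitlines():
        match = _KEY_RE.match(line)
        key = match.group(1) if match else None
        if key in wanted:
            out.append("%s = %s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)
    missing = [key for key in wanted if key not in seen]
    if missing:
        if out and out[-1].strip():
            out.append("")
        out.append("# syslog forwarding to EventTracker (added)")
        out.extend("%s = %s" % (key, wanted[key]) for key in missing)
    return "\n".join(out) + "\n"


def read_properties(text):
    """Minimal .properties reader used to check the result."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", stripped)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the EventTracker host.
    print(update_properties(SAMPLE_IMS_PROPERTIES, "192.0.2.10"), end="")
```

Rewriting keys in place rather than blindly appending matters because an appended duplicate would silently lose to whichever line the loader reads last; the idempotent form can be run from change management as often as needed.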

4. EventTracker Knowledge Pack

Once logs are received by the EventTracker manager, Knowledge Packs can be configured in EventTracker. The following Knowledge Packs are available in EventTracker to support RSA SecurID.

4.1 Flex Reports

- RSA SecurID - Admin activities: This report gives information about the administrative activity events (PIN reset, PIN generation, principal update, etc.) that occurred on RSA Authentication Manager.

Figure 1

- RSA SecurID - User authentication activities: This report gives detailed information on user authentication, along with the agent and policy details.

Figure 2

- RSA SecurID - Admin login activities: This report gives detailed information on console admin login and logout events.

Figure 3

- RSA SecurID - User authentication failed: This report gives detailed information on failed user authentications, with agent details.

Figure 4

- RSA SecurID - User account lockout details: This report gives information on the users who were locked out by the lockout policy.

Figure 5

- RSA SecurID - Policy details: This report gives detailed information on policy changes and on policies added or deleted.

Figure 6

- RSA SecurID - Critical events: This report gives information on the most critical or important events that occurred in RSA Authentication Manager, e.g. DoS attack detected, command executed.

Figure 7

4.2 Alerts

- RSA SecurID: Account lockout - This alert is generated when an account lockout event occurs.
- RSA SecurID: Authentication failed - This alert is generated when an authentication failure event occurs.
- RSA SecurID: Database or directory access failure - This alert is generated when a database or directory access failure event occurs.
- RSA SecurID: Passcode reuse - This alert is generated when a passcode reuse event occurs.
- RSA SecurID: PIN changed attempt failed - This alert is generated when a PIN change attempt fails.
- RSA SecurID: Replication failed - This alert is generated when a port is shut down because replication failed.
- RSA SecurID: SMS passcode reuse - This alert is generated when an SMS passcode reuse event occurs.
- RSA SecurID: Administrator role modified - This alert is generated when an administrator role has been added, deleted or updated.
- RSA SecurID: Console admin logged in - This alert is generated when a console admin logs in.
- RSA SecurID: Console admin logged in - This alert is generated when a console admin login fails.
- RSA SecurID: Denial of service attack detected - This alert is generated when RSA detects a DoS attack.
- RSA SecurID: System state change - This alert is generated when a system startup or shutdown event occurs.
- RSA SecurID: User access denied - This alert is generated when a user with insufficient permission accesses a resource.

4.3 Saved Searches

- RSA SecurID: Admin login activities - This saved search helps you search for administrator login events.
- RSA SecurID: All admin activities - This saved search helps you search all administrative events.

- RSA SecurID: All authentication audit activities - This saved search helps you analyze all authentication-based runtime audit events.
- RSA SecurID: All system audit events - This saved search helps you analyze all system-based audit events.
- RSA SecurID: Critical system events - This saved search helps you analyze important or critical system events such as command executed, attack detected, etc.
- RSA SecurID: Lockout user details - This saved search helps you collect locked-out user details.
- RSA SecurID: System state changes - This saved search helps you analyze the system startup and shutdown events.
- RSA SecurID: User authentication failed - This saved search displays events specific to user authentication failure.
- RSA SecurID: User authentication success - This saved search displays events specific to user authentication success.

4.4 Dashboards

Figure 8
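The alerts in 4.2 fire once per matching event, and the "User authentication failed" saved search in 4.3 returns every failure. The following added example, written for this guide and not part of the Netsurion knowledge pack, shows the correlation a SOC typically layers on top of that: escalate "Authentication failed" only when the same user fails three times inside five minutes (threshold and window are assumed and tunable), clear the streak on a successful authentication, and still alert immediately on the single-shot events (account lockout, DoS attack detected, administrator role modified). The log lines and the field names in them (event, user, agent, source, target) are constructed for this example and do not reproduce the RSA Authentication Manager syslog layout; in EventTracker the equivalent fields come from the token template imported in section 5.2.

```python
"""Windowed correlation over RSA SecurID audit events (added example for this
guide; not Netsurion or RSA code).

Assumptions: the key=value line format, the event names, the default of 3
failures within 300 seconds, and the sample log are all constructed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample input: one record per line, "<timestamp> key=value ...".
SAMPLE_LOG = """\
2019-09-10T10:00:01Z event=authentication_failed user=jdoe agent=vpn-gw-01
2019-09-10T10:00:07Z event=authentication_failed user=jdoe agent=vpn-gw-01
2019-09-10T10:00:14Z event=authentication_failed user=jdoe agent=vpn-gw-01
2019-09-10T10:00:20Z event=authentication_failed user=asmith agent=vpn-gw-01
2019-09-10T10:00:25Z event=authentication_success user=asmith agent=vpn-gw-01
2019-09-10T10:00:31Z event=account_lockout user=jdoe
2019-09-10T10:05:00Z event=admin_role_modified user=admin target=helpdesk-role
2019-09-10T10:09:00Z event=dos_attack_detected source=198.51.100.7
"""

# Single-shot events that alert on first sight, named after the alerts in 4.2.
CRITICAL_EVENTS = {
    "account_lockout": "RSA SecurID: Account lockout",
    "dos_attack_detected": "RSA SecurID: Denial of service attack detected",
    "admin_role_modified": "RSA SecurID: Administrator role modified",
}
AUTH_FAILED_ALERT = "RSA SecurID: Authentication failed"


def parse_record(line):
    """Split a constructed log line into a dict; 'ts' is a timezone-aware datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def correlate(lines, threshold=3, window_seconds=300):
    """Return (alert_name, details) tuples in the order they fire.

    Authentication failures are counted per user inside a sliding window; the
    alert fires once when the count reaches `threshold` and is re-armed when
    the window drains or the user authenticates successfully.
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    escalated = set()              # users whose current streak already alerted
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        event = rec.get("event")
        details = {k: v for k, v in rec.items() if k != "ts"}
        if event in CRITICAL_EVENTS:
            alerts.append((CRITICAL_EVENTS[event], details))
        elif event == "authentication_failed":
            user = rec.get("user", "<unknown>")
            recent = failures[user]
            # drop failures that fell out of the window before counting this one
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()
            recent.append(rec["ts"])
            if len(recent) < threshold:
                escalated.discard(user)
            elif user not in escalated:
                alerts.append((AUTH_FAILED_ALERT, {
                    "user": user,
                    "count": len(recent),
                    "agent": rec.get("agent"),
                    "first_seen": recent[0].isoformat(),
                }))
                escalated.add(user)
        elif event == "authentication_success":
            # a successful login ends the streak for that user
            failures.pop(rec.get("user"), None)
            escalated.discard(rec.get("user"))
    return alerts


if __name__ == "__main__":
    for name, details in correlate(SAMPLE_LOG.splitlines()):
        print(name, details)
```

On the sample, jdoe's third failure at 10:00:14 raises one "Authentication failed" alert, asmith's single failure followed by a success raises nothing, and the lockout, role change and DoS events each raise their own alert, four in total. Tightening the window to 10 seconds suppresses the jdoe escalation because the first failure has aged out by the third attempt.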

Figure 9

Figure 10

Figure 11

Figure 12

Figure 13

Figure 14

Figure 15

Figure 16

Figure 17

Figure 18

Figure 19

Figure 20

Figure 21

Figure 22

Figure 23

5. Importing RSA SecurID knowledge pack into EventTracker

NOTE: Import the knowledge pack items in the following sequence: Alerts, Knowledge Objects, Token Templates, Flex Reports, Categories, Dashboards.

1. Launch the EventTracker Control Panel.
2. Double-click Export-Import Utility.

Figure 24

Figure 25

3. Click the Import tab.

5.1 Alerts

1. Click the Alert option, and then click the Browse button.
2. Navigate to the location of the file with the ".isalt" extension and then click the Import button:

Figure 26

EventTracker displays a success message:

Figure 27

5.2 Token Template

1. Log in to the EventTracker Console.
2. Click Admin > Parsing Rules.

Figure 28

3. Click Template and then click the import configuration icon.

Figure 29

4. Locate the ".ettd" file and click Import.

Figure 30

5. The templates are now imported successfully.

Figure 31

5.3 Knowledge Object

1. Click Knowledge Objects under the Admin option on the EventTracker manager page.

Figure 32

2. Next, click the "import object" icon:

Figure 33

3. A pop-up box appears. Click Browse and navigate to the file with the ".etko" extension.

Figure 34

4. The list of available knowledge objects appears. Select the relevant files and click the Import button:

Figure 35

5.4 Flex Reports

1. In the EventTracker Control Panel, select Export/Import Utility and select the Import tab. Then click the Reports option and choose "New (*.etcrx)":

Figure 36

2. Once you have selected "New (*.etcrx)", a new pop-up window appears. Click the Select File button and navigate to the file with the ".etcrx" extension.
3. Select all the relevant files and then click the Import button.

Figure 37

4. EventTracker displays a success message:

Figure 38

5.5 Category

1. Click the Category option, and then click the Browse button.

Figure 39

2. Locate the .iscat file, and then click the Open button.
3. To import the category, click the Import button.
4. EventTracker displays a success message.

Figure 40

5. Click the OK button, and then click the Close button.

5.6 Dashboard

1. Log in to EventTracker.
2. Navigate to Dashboard > My Dashboard.
3. In "My Dashboard", click the Import button:

Figure 41

Figure 42

4. Click the Browse button, navigate to the file path where the dashboard file is saved and click the Upload button.
5. Once completed, choose "Select All" and click the Import button.

Figure 43

6. Next, click the "Customize dashlet" button as shown below:

Figure 44

7. Type "RSA" in the search bar, select the RSA SecurID dashlets and then click the Add button.

Figure 45

6. Verifying RSA SecurID knowledge pack in EventTracker

6.1 Alerts

1. In the EventTracker web interface, click the Admin dropdown, and then click Alerts.
2. In the search box enter "RSA" and then click the Search button.

EventTracker displays the alerts related to "RSA SecurID":

Figure 45

6.2 Token Template

1. Log in to EventTracker.
2. Click Admin > Parsing Rules.

Figure 46

3. Click Template and search for RSA SecurID.

Figure 47

6.3 Knowledge Object

1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the "RSA SecurID" group folder to view the imported Knowledge Objects.

Figure 48

6.4 Flex Reports

1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.

Figure 49

2. In the Reports Configuration pane, select the Defined option.
3. Click the RSA SecurID group folder to view the imported reports.

Figure 50

6.5 Category

1. Log in to EventTracker.
2. Click the Admin menu, and then click Category.

Figure 51

3. Click Search, and then search for RSA SecurID.

Figure 52
