Lieberman Identity Management Deployment Guide 6.2
Securonix Proprietary Statement
This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.
The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.
Securonix Copyright Statement
This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix.
However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.
Copyright 2019 © Securonix All rights reserved.
Contact Information
Securonix, Inc., 14665 Midway Rd. Ste. 100, Addison, TX 75001, www.securonix.com
855.732.6649
Revision History
Date Product Version Description
Table of Contents
Lieberman Identity Management
    What is Lieberman Identity Management?
    Supported Collection Methods
    Format
    Taxonomy
    Functionality
Device Event Field Mapping
    Lieberman Identity Management Mappings to SNYPR Fields
    Device Event Severity Mapping
Device Event Categorization
Sample Line Filters
Import Activity Data into SNYPR
    Step 1: Datasource
    Step 2: Parsing & Normalization
    Step 3: Conditional Actions
    Step 4: Identity Attribution
    Step 5: Summary
Lieberman Identity Management
This deployment guide provides information about how the Lieberman Identity Management events are parsed, normalized and categorized to SNYPR fields. In particular, it provides the following:
• Device event field mapping
• Device event severity mapping
• Device event categorization
To download the Lieberman Identity Management parser from the Securonix Threat Library, search Available Resources Types for Deployment by Vendor name or Functionality. Downloading the resource downloads the parser along with the applicable dashboards, reports, policies and threat models.
What is Lieberman Identity Management?
Lieberman Identity Management is software that automates identity access management and provides a platform for secure privileged access management. It provides a secured repository for storing and managing access to privileged accounts and their associated passwords. Through its Enterprise Random Password Manager, it can search the environment for systems, discover their privileged accounts, set the passwords of those accounts, and manage access to them. This discovery runs continuously so that all privileged accounts are brought under management. System information is collected automatically because the product integrates with Active Directory to manage access policy for users and groups.
Supported Collection Methods
The method of collection is JSON.
Format
The format for this is Key Value Pair.
Taxonomy
Securonix Open Event Format (OEF) 1.0 is used. OEF is an event interoperability standard/schema. It provides a set of standardized attributes (fields) for consistent representation of logging output from disparate security and non-security devices and applications. For additional information, refer to the Data Dictionary section on the Securonix documentation portal.
Functionality
The functionality of Lieberman Identity Management is Access / Privileged User. See Use Cases by Functionality for a complete list of policies for this functionality.
Device Event Field Mapping
This section lists the mappings of SNYPR fields to the device fields.
Lieberman Identity Management Mappings to SNYPR Fields
Lieberman Identity Management Field          SNYPR Field
Event.EventID                                additionaldetails1
Event.AppSpecificEventID                     baseeventid
Event.OriginatingAccount                     sourceusername
Event.OriginatingSystem                      devicehostname
Event.OriginatingApplicationVersion          additionaldetails2
Event.mapContextVariables.value7             additionaldetails3
severity                                     deviceseverity
@timestamp                                   DATETIME
message                                      message
host                                         deviceaddress
Target User                                  additionaldetails4
AccountName                                  accountname
TransactonString                             transactionstring1
Device Event Severity Mapping
The SNYPR category severity fields are mapped to the device severity fields.
Category Severity    Device Severity
Alert                Very High = 0, 1
Critical             High = 2, 3
Warning              Medium = 4, 5
Info                 Low = 6, 7
Device Event Categorization
This section contains the rules used to categorize the device events.
Rule Name              Rule                                                      Category Object   Category Behavior   Category Outcome
PasswordAccessSuccess  Event.EventID Equal To EVENT_ID_PASSWORD_ACCESS_GRANTED   password          access              success
PasswordAccessSuccess  Event.EventID Equal To EVENT_ID_PASSWORD_RETRIEVED        password          access              success
InvalidAuthToken       Event.EventID Equal To EVENT_ID_WEBAPP_INVALID_AUTH_TOKEN user              Authentication      failure
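The field mapping, severity mapping and categorization tables above, applied end to end as an added Python example that is not part of this guide or of the SNYPR parser: it normalizes one constructed Lieberman JSON event to SNYPR field names, maps the device severity value to the category severity, and tags the event with the matching categorization rule. The output key names rulename, categoryseverity, categoryobject, categorybehavior and categoryoutcome, the nested-versus-flat JSON layout and the sample event are assumptions.

```python
import json
# Device field -> SNYPR field, transcribed from the mapping table above.
FIELD_MAP = {
    "Event.EventID": "additionaldetails1", "Event.AppSpecificEventID": "baseeventid",
    "Event.OriginatingAccount": "sourceusername", "Event.OriginatingSystem": "devicehostname",
    "Event.OriginatingApplicationVersion": "additionaldetails2",
    "Event.mapContextVariables.value7": "additionaldetails3",
    "severity": "deviceseverity", "@timestamp": "DATETIME", "message": "message",
    "host": "deviceaddress", "Target User": "additionaldetails4",
    "AccountName": "accountname", "TransactonString": "transactionstring1",
}
# Device severity value -> SNYPR category severity, from the severity table.
SEVERITY_MAP = {0: "Alert", 1: "Alert", 2: "Critical", 3: "Critical",
                4: "Warning", 5: "Warning", 6: "Info", 7: "Info"}
# Categorization rules: (rule name, Event.EventID value, object, behavior, outcome).
RULES = [
    ("PasswordAccessSuccess", "EVENT_ID_PASSWORD_ACCESS_GRANTED", "password", "access", "success"),
    ("PasswordAccessSuccess", "EVENT_ID_PASSWORD_RETRIEVED", "password", "access", "success"),
    ("InvalidAuthToken", "EVENT_ID_WEBAPP_INVALID_AUTH_TOKEN", "user", "Authentication", "failure"),
]

def get_field(event, name):
    """Resolve a device field: a literal flat key first, else a dotted nested path."""
    node = event
    for part in ([name] if name in event else name.split(".")):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def normalize(raw_json):
    """Map one Lieberman JSON event to SNYPR fields, then add severity and category."""
    event = json.loads(raw_json)
    out = {dst: get_field(event, src) for src, dst in FIELD_MAP.items()}
    out = {k: v for k, v in out.items() if v is not None}  # drop absent device fields
    try:  # device severity is 0-7; anything else stays unmapped rather than guessed
        out["categoryseverity"] = SEVERITY_MAP.get(int(out.get("deviceseverity")))
    except (TypeError, ValueError):
        out["categoryseverity"] = None
    for name, event_id, obj, behavior, outcome in RULES:
        if out.get("additionaldetails1") == event_id:  # "Event.EventID Equal To ..."
            out.update(rulename=name, categoryobject=obj,  # assumed output key names
                       categorybehavior=behavior, categoryoutcome=outcome)
            break
    return out
# Constructed sample event (not a real Lieberman log record).
SAMPLE = json.dumps({"Event": {"EventID": "EVENT_ID_PASSWORD_RETRIEVED", "OriginatingAccount":
    "CORP\\jdoe", "OriginatingSystem": "erpm01", "mapContextVariables": {"value7": "checkout"}},
    "severity": 3, "@timestamp": "2019-06-01T12:00:00Z", "message": "Password retrieved",
    "host": "10.0.0.5", "Target User": "svc-backup", "AccountName": "administrator"})
```

Running normalize(SAMPLE) yields a Critical, PasswordAccessSuccess event with the password/access/success category triple; a flat record with only a severity outside 0-7 is left with categoryseverity None and no rule fields.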
Sample Line Filters
Import Activity Data into SNYPR
Step 1: Datasource
On this screen, provide the information needed to configure the datasource, including the vendor, device, collection method, and parsing technique. The information you provide differs depending on the datasource, as the following examples show.
Step 2: Parsing & Normalization
Once you’ve configured the connection, create line filters to parse the data into individual attributes and map them to corresponding attributes in the Securonix open event schema. The number and type of line filters you add depend on the data source type.
Step 3: Conditional Actions
In this section, you can specify the actions to perform when events meet conditions specified in filters. Multiple actions can be specified on the same condition.
Step 4: Identity Attribution
This step is used to create rules to correlate activity accounts to user identities. The rules will differ based on the account naming conventions in your environment.
Step 5: Summary