Syslog Alerts

Some organizations use SIEM (Security Information and Event Management) to gather logs on potential threats and security incidents. Tenable Identity Exposure can push security information related to Active Directory to the SIEM Syslog servers to improve their alerting mechanisms.

Manage Syslog alerts

Add an alert

  1. In Tenable Identity Exposure, click System > Configuration > Syslog.

  2. Click the Add a Syslog alert button on the right.

    The Add a Syslog alert pane appears.

  3. Under the Main Information section, provide the following:

    • If your network uses Secure Relay: In the Relay box, click the arrow to select a Relay to communicate with your SIEM from the drop-down list.

    • In the Collector IP address or hostname box, type the server IP or hostname that receives notifications.

    • In the Port box, type the port number for the collector.

    • In the Protocol box, click the arrow to select either UDP or TCP.

      • If you choose TCP, select the TLS option checkbox if you want to enable the TLS security protocol to encrypt the logs.

    • In the Description box, type a brief description for the collector.

  1. In the Trigger the alert drop-down list, select one:

    • On changes: Tenable Identity Exposure sends out a notification whenever an event that you specified occurs.

    • On each deviance: Tenable Identity Exposure sends out a notification on each deviant IoE detection.

    • On each attack: Tenable Identity Exposure sends out a notification on each deviant IoA detection.

    • On each health check status changes: Tenable Identity Exposure sends out a notification whenever a health check status changes.

  1. In the Profiles box, click to select the profile to use for this Syslog alert (if applicable).

  2. Send alerts when deviances are detected during the initial analysis phase: do one of the following (if applicable):

    • Select the checkbox: Tenable Identity Exposure sends out a large volume of Syslog messages when a system reboot triggers alerts.

    • Unselect the checkbox: Tenable Identity Exposure does not send out Syslog messages when a system reboot triggers alerts.

  1. Severity threshold: click the arrow of the drop-down box to select the threshold at which Tenable Identity Exposure sends alerts (if applicable).

  2. Depending on the alert trigger you selected previously:

    • Event changes: If you set alerts to trigger on changes, type an expression to trigger the event notification.

      You can either click on the icon to use the search wizard or type a query expression in the search box and click Validate. For more information, see Customize Trail Flow Queries.

      NoteTenable Identity Exposure applies this filter as soon as it receives events to forward them to Syslog before performing any additional security analysis. As a result, filters that rely on enriched or post-processed data will not work at this stage.

    • Indicators of Exposure: If you set alerts to trigger on each deviance, click the arrow next to each severity level to expand the list of Indicators of Exposure and select the ones for which to send alerts.

    • Indicators of Attack: If you set alerts to trigger on each attack, click the arrow next to each severity level to expand the list of Indicators of Attack and select the ones for which to send alerts.

    • Health check status changes: Click Health Checks to select the health check type to trigger an alert, and click Filter on selection.

  1. Click the Domains box to select the domains for which Tenable Identity Exposure sends out alerts.

    The Forests and Domains pane appears.

    1. Select the forest or domain.

    2. Click Filter on selection.

  1. Click Test the configuration.

    A message confirms that Tenable Identity Exposure sent a Syslog alert to the server.

  2. Click Add.

    A message confirms that Tenable Identity Exposure created the Syslog alert.

Edit an alert

  1. In Tenable Identity Exposure, click System > Configuration > Syslog.

  2. In the list of Syslog alerts, hover over the one you want to modify and click the icon at the end of the line.

    The Edit a Syslog alert pane appears.

  3. Make the necessary modifications as described in the previous procedure "To add a new Syslog alert".

  4. Click Edit.

    A message confirms that Tenable Identity Exposure updated the alert.

Delete an alert

  1. In Tenable Identity Exposure, click System > Configuration > Syslog.

  2. In the list of Syslog alerts, hover over the one you want to delete and click the icon at the end of the line.

    A message asks you to confirm the deletion.

  3. Click Delete.

    A message confirms that Tenable Identity Exposure deleted the alert.

Map Syslog data to a Tenable Identity Exposure alert

This procedure explains how to map Syslog data from your SIEM to Tenable Identity Exposure attack alerts.

Example:

Copy 
<116>feb  04 10:31:01 qradar.alsid.app TenableAD[4]: "2" "1337" "Alsid Forest" "alsid.corp" "DC Sync" "medium" "LABFAB-TOOLS" "10.200.200.5" "LABFAB-DC" "10.200.200.4" "user"="dcadmin" "dc_name"="LABFAB-DC"

Each Syslog event from Tenable follows a standard format where specific fields are enclosed in quotation marks ("). These fields represent different event attributes such as alert ID, domain, threat type, risk level, hostnames, IP addresses, and more.

Part # Field Value Description
1 feb 04 10:31:01 Timestamp (Event time)
2 "2" Severity Level
3 "1337" Alert ID
4 "Alsid Forest" Forest Name
5 "alsid.corp" Domain Name
6 "DC Sync" Attack / Tenable Codename
7 "medium" Risk Level
8 "LABFAB-TOOLS" Source Hostname
9 "10.200.200.5" Source IP Address
10 "LABFAB-DC" Destination Hostname (Target DC)
11 "10.200.200.4" Destination IP Address
12 "user"="dcadmin" Account Used in Attack
13 "dc_name"="LABFAB-DC" Domain Controller Name

To map Syslog data to attack information:

  1. Filter by Attack Codename: select events with the value "DC Sync" (Part 6 – Attack Codename).

  2. Filter by Date: narrow events to the timestamp feb 04 10:31:01 (Part 1 – Timestamp).

  3. Match Exact Timestamp: verify that the event timestamp matches feb 04 10:31:01 (Part 1 – Timestamp).

  4. Verify Source and Destination: ensure the attack details match:

    • Source: "LABFAB-TOOLS" "10.200.200.5" (Parts 8 & 9)

    • Destination: "LABFAB-DC" "10.200.200.4" (Parts 10 & 11)

See also