Appendix — Syslog Samples
The following table shows a few OT Security Syslog message samples:
<12>Jan 12 02:50:45 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.17.40|115|Network Baseline Deviation|7|dvchost=Tenable OT Security rt=Jan 12 2024 02:50:45 duser=lab-files-001.lab.security.com suser=col-lab-esx-001.corp.security.com proto=TCP dst=xxx.xx.xx.xx src=xx.xx.xx.xx dpt=2049 cfp1Label=cluster_log_id cfp1=1011157 externalId=1011162 cs6Label=policy_name cs6=PLC Baseline Deviation Detection cat=NetworkEvents |
<14>Jan 6 20:59:02 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.17.40|30|Rockwell Code Upload|3|dvchost=Tenable OT Security rt=Jan 6 2024 20:59:02 duser=Infusion_Mold_3 suser=Tenable.ot - FT/HA outcome=success dst=xx.xx.xx.xx dmac=00:1d:9c:db:d9:6b src=xx.xx.xx.xx smac=00:e0:09:ca:92:01 cfp1Label=cluster_log_id cfp1=995992 externalId=995992 cs6Label=policy_name cs6=Rockwell Code Upload cat=ConfigurationEvents |
<14>Dec 25 20:59:05 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.17.24|2|SIMATIC Code Upload|3|dvchost=Tenable OT Security rt=Dec 25 2023 20:59:05 duser=PLC_1511C-1 suser=Tenable.ot - FT/HA outcome=success dst=xx.xx.xx.xx dmac=28:63:36:ae:9c:a4 src=xx.xx.xx.xx smac=00:e0:09:ca:92:01 cfp1Label=cluster_log_id cfp1=955036 externalId=955036 cs6Label=policy_name cs6=SIMATIC Code Upload cat=ConfigurationEvents |
Examples for Policy and System Type Events

- Configuration — PLC Stop
  <14>Feb 20 09:34:04 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|139|Toyopuc PLC Stop|3|dvchost=Tenable OT Security rt=Feb 20 2024 09:34:04 duser=toyopuc_plc_32.indegy.local suser=Eng. Station #359 outcome=success dst=xx.xx.xx.xx dmac=00:60:53:10:f1:bc src=xx.xx.xx.xx smac=00:50:56:83:68:61 cfp1Label=cluster_log_id cfp1=1530 externalId=1530 cs6Label=policy_name cs6=dr8k43kmnxpe cat=ConfigurationEvents
- Configuration — Code Download
  <14>Feb 20 08:36:35 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|4|SIMATIC Hardware Configuration Download|3|dvchost=Tenable OT Security rt=Feb 20 2024 08:36:35 duser=Endpoint #123 suser=Eng. Station #145 outcome=success dst=xx.xx.xx.xx src=xx.xx.xx.xx cfp1Label=cluster_log_id cfp1=1419 externalId=1419 cs6Label=policy_name cs6=znvj8uaq4sy7 cat=ConfigurationEvents
- Network — Spike in network traffic
  <14>Feb 20 08:43:00 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|123|Spike in Network Traffic|3|dvchost=Tenable OT Security suser= rt=Feb 20 2024 08:43:00 cfp1Label=cluster_log_id cfp1=1458 externalId=1458 cs6Label=policy_name cs6=20ag3x01u6l0 cat=NetworkEvents
- Network — FTP Successful Login
  <14>Feb 20 08:36:39 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|170|FTP successful login|3|dvchost=Tenable OT Security rt=Feb 20 2024 08:36:39 duser=Server #119 suser=Eng. Station #5 proto=FTP dst=xx.xx.xx.xx dmac=00:60:34:80:b8:89 src=xx.xx.xx.xx smac=00:50:56:83:7b:b2 cfp1Label=cluster_log_id cfp1=1420 externalId=1420 cs6Label=policy_name cs6=b8f5bj2rr0qj cat=NetworkEvents
- SCADA — Modbus illegal function
  <14>Feb 20 08:34:27 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|120|Modbus Illegal Function|3|dvchost=Tenable OT Security rt=Feb 20 2024 08:34:27 duser=Eng. Station #135 suser=Comm. Adapter #32 proto=MODBUS_TCP dst=xx.xx.xx.xx src=xx.xx.xx.xx cfp1Label=cluster_log_id cfp1=1411 externalId=1411 cs6Label=policy_name cs6=fghvivzk2ou9 cat=ScadaEvents
- Intrusion Detection System (IDS) — Port Scan
  <14>Feb 20 08:29:10 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|99|Port Scan|3|dvchost=Tenable OT Security rt=Feb 20 2024 08:29:10 duser=DCS #29 suser=OT Server #131 proto=TCP dst=xx.xx.xx.xx src=xx.xx.xx.xx cs5Label=ports cs5=3945,340,1038,1248,8087,9040,10616,1041,1244,9876,7627,3269,2260,12174,6389 (27 more) cfp1Label=cluster_log_id cfp1=1406 externalId=1406 cs6Label=policy_name cs6=mk4dbhjg3jkl cat=NetworkThreats
- IDS — Metasploit
  <14>Feb 20 09:29:03 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|119|Intrusion Detection|3|dvchost=Tenable OT Security rt=Feb 20 2024 09:29:03 duser=xx.xx.xx.xx suser=Endpoint #315 proto=TCP dst=xx.xx.xx.xx src=xx.xx.xx.xx dpt=42228 cn3Label=rule_sid cn3=2010395 cfp1Label=cluster_log_id cfp1=1519 externalId=1519 cs6Label=policy_name cs6=ylu28sr5vy5n cat=NetworkThreats msg=ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)
- New API key
  Feb 25 13:37:47 xx.xx.xx.xx CEF:0|Tenable|Tenable.ot|3.15.29|9999|SYSTEM_LOG|0|suser=admin msg=New API key 1058322394 created by admin. Role: AdminRole
- Keep_Alive
  Feb 25 16:31:04 xx.xx.xx.xx CEF:0|Tenable|Tenable.ot|3.15.29|8888|KEEP_ALIVE|0|suser=admin msg=Keep Alive message from machine: CB_xx_BuildCustomCommitCore_custom_520.
Syslog message contents:
{
  "Modbus Illegal Function": {
    "syslog": {
      "raw message": "<14>Feb 20 08:34:27 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|120|Modbus Illegal Function|3|dvchost=Tenable OT Security rt=Feb 20 2024 08:34:27 duser=Eng. Station #135 suser=Comm. Adapter #32 proto=MODBUS_TCP dst=xx.xx.xx.xx src=xx.xx.xx.xx cfp1Label=cluster_log_id cfp1=1411 externalId=1411 cs6Label=policy_name cs6=fghvivzk2ou9 cat=ScadaEvents",
      "extensions": {
        "dvchost": {
          "values": "Tenable OT Security",
          "description": "The device that sent the log entry"
        },
        "rt": {
          "values": "Feb 20 2024 08:34:27",
          "description": "time stamp"
        },
        "duser": {
          "values": "Eng. Station #135",
          "description": "destination name and defaults to ip address if no name"
        },
        "suser": {
          "values": "Comm. Adapter #32",
          "description": "source name and defaults to ip address if no name"
        },
        "proto": {
          "values": "MODBUS_TCP",
          "description": "Identifies the Layer-4 protocol used for the activity."
        },
        "dst": {
          "values": "xx.xx.xx.xx",
          "description": "destination ip"
        },
        "src": {
          "values": "xx.xx.xx.xx",
          "description": "source ip address"
        },
        "cfp1Label": {
          "values": "cluster_log_id",
          "description": "describes cfp1 field"
        },
        "cfp1": {
          "values": "1411",
          "description": "The Log ID used by Tenable.ot"
        },
        "externalId": {
          "values": "1411",
          "description": "The Log ID used by Tenable.ot"
        },
        "cs6Label": {
          "values": "policy_name",
          "description": "describes cs6 field"
        },
        "cs6": {
          "values": "fghvivzk2ou9",
          "description": "Tenable.ot uses this field to show the name of the Policy that generated the Event."
        },
        "cat": {
          "values": "ScadaEvents",
          "description": "Shows the general category of the Event."
        }
      },
      "headers": {
        "Timestamp": {
          "values": "Feb 20 08:34:27",
          "description": "The date and time of the log entry"
        },
        "Source IP": {
          "values": "xx.xx.xx.xx",
          "description": "The IP of the host that sent the Syslog"
        },
        "CEF:Version": {
          "values": "CEF:0",
          "description": "The mandatory prefix 'CEF:' followed by the CEF version number."
        },
        "Device Vendor": {
          "values": "Tenable",
          "description": "The vendor name for the sending device."
        },
        "Device Product": {
          "values": "Tenable OT Security",
          "description": "The product name for the sending device."
        },
        "Device Version": {
          "values": "3.18.45",
          "description": "The version name for the sending device."
        },
        "Device Event Class ID": {
          "values": "120",
          "description": "A unique identifier for each Event type. This can be a string or an integer. Device Event Class ID identifies the type of Event reported."
        },
        "Name": {
          "values": "Modbus Illegal Function",
          "description": "The name of the Event Class."
        },
        "Severity": {
          "values": "3",
          "description": "A string or integer that reflects the importance of the Event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High."
        }
      }
    }
  }
}
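The following Python parser is an added example for both the sample list and the field table above; it is not part of Tenable's documentation or product code. It splits the syslog prefix, the six pipe-delimited CEF header fields (honouring the `\|` and `\\` escapes of the CEF format) and the space-separated `key=value` extensions whose values may themselves contain spaces (`duser=Eng. Station #135`) or be empty (`suser= rt=...`), resolves the `cfp1Label`/`cs6Label` pairs into named fields such as `policy_name` and `cluster_log_id`, and buckets the severity using the 0-3/4-6/7-8/9-10 scale from the table. Two assumptions are mine rather than the page's: the trailing ` |` seen on some samples is treated as a delimiter to strip, and a line without a `cat=` extension is treated as a system message (the SYSTEM_LOG and KEEP_ALIVE samples have none). The three sample lines are copied from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Three lines copied from the samples on this page (addresses x-ed out as in the documentation).
SAMPLES: List[str] = [
    "<14>Feb 20 08:34:27 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.18.45|120|Modbus Illegal Function|3|"
    "dvchost=Tenable OT Security rt=Feb 20 2024 08:34:27 duser=Eng. Station #135 suser=Comm. Adapter #32 "
    "proto=MODBUS_TCP dst=xx.xx.xx.xx src=xx.xx.xx.xx cfp1Label=cluster_log_id cfp1=1411 externalId=1411 "
    "cs6Label=policy_name cs6=fghvivzk2ou9 cat=ScadaEvents",
    "<12>Jan 12 02:50:45 xx.xx.xx.xx CEF:0|Tenable|Tenable OT Security|3.17.40|115|Network Baseline Deviation|7|"
    "dvchost=Tenable OT Security rt=Jan 12 2024 02:50:45 duser=lab-files-001.lab.security.com "
    "suser=col-lab-esx-001.corp.security.com proto=TCP dst=xxx.xx.xx.xx src=xx.xx.xx.xx dpt=2049 "
    "cfp1Label=cluster_log_id cfp1=1011157 externalId=1011162 cs6Label=policy_name "
    "cs6=PLC Baseline Deviation Detection cat=NetworkEvents |",
    "Feb 25 16:31:04 xx.xx.xx.xx CEF:0|Tenable|Tenable.ot|3.15.29|8888|KEEP_ALIVE|0|suser=admin "
    "msg=Keep Alive message from machine: CB_xx_BuildCustomCommitCore_custom_520.",
]

SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                # optional <PRI>, absent on system messages
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"   # BSD-syslog timestamp
    r"(?P<host>\S+)\s+"                                        # host that sent the syslog
    r"CEF:(?P<cef>\d+)\|(?P<rest>.*)$"                         # CEF prefix and version
)
# An extension key is an alphanumeric run that follows whitespace (or line start) and ends in '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


@dataclass
class CefEvent:
    priority: Optional[int]
    timestamp: str
    host: str
    cef_version: int
    header: Dict[str, str]
    extensions: Dict[str, str]
    labels: Dict[str, str] = field(default_factory=dict)  # e.g. {"policy_name": "...", "cluster_log_id": "..."}

    @property
    def severity_bucket(self) -> str:
        """Bucket the CEF severity with the scale from the field table (0-3 Low ... 9-10 Very-High)."""
        raw = self.header["severity"]
        if not raw.isdigit():
            return raw  # CEF also allows the string forms Unknown/Low/Medium/High/Very-High
        sev = int(raw)
        return "Low" if sev <= 3 else "Medium" if sev <= 6 else "High" if sev <= 8 else "Very-High"

    @property
    def is_system_message(self) -> bool:
        # Assumption: policy events carry cat=, SYSTEM_LOG/KEEP_ALIVE lines do not.
        return "cat" not in self.extensions

    @property
    def syslog_facility_severity(self) -> Optional[Tuple[int, int]]:
        if self.priority is None:
            return None
        return self.priority // 8, self.priority % 8  # RFC 3164: PRI = facility * 8 + severity


def split_cef_header(rest: str) -> Tuple[Dict[str, str], str]:
    """Split the six header fields after 'CEF:0|', honouring the \\| and \\\\ escapes; return (header, extension string)."""
    fields, cur, i = [], [], 0
    while i < len(rest) and len(fields) < 6:
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            cur.append(rest[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 6:
        raise ValueError("malformed CEF header: expected 6 pipe-delimited fields")
    return dict(zip(HEADER_FIELDS, fields)), rest[i:]


def parse_extensions(ext: str) -> Dict[str, str]:
    """Parse 'k=v k2=v v v' where values may contain spaces; a value runs until the next key."""
    ext = ext.strip()
    if ext.endswith(" |"):            # assumption: trailing bare pipe seen in some samples is a delimiter
        ext = ext[:-2]
    out: Dict[str, str] = {}
    keys = list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map cfp1Label=cluster_log_id cfp1=1411 to {"cluster_log_id": "1411"} for every *Label key."""
    return {label: ext[key[:-5]] for key, label in ext.items() if key.endswith("Label") and key[:-5] in ext}


def parse_line(line: str) -> CefEvent:
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog/CEF line")
    header, ext_str = split_cef_header(m.group("rest"))
    ext = parse_extensions(ext_str)
    pri = int(m.group("pri")) if m.group("pri") else None
    return CefEvent(pri, m.group("ts"), m.group("host"), int(m.group("cef")), header, ext, resolve_labels(ext))


def summarize(line: str) -> Dict[str, Optional[str]]:
    """The fields a SIEM rule would key on: event name/ID, category, policy, log ID, severity, endpoints."""
    ev = parse_line(line)
    return {"name": ev.header["name"], "signature_id": ev.header["signature_id"],
            "category": ev.extensions.get("cat"), "policy": ev.labels.get("policy_name"),
            "log_id": ev.labels.get("cluster_log_id"), "severity": ev.severity_bucket,
            "src": ev.extensions.get("src"), "dst": ev.extensions.get("dst")}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(summarize(sample))
```

The `cluster_log_id` value is the natural deduplication key when the same Event is forwarded to more than one collector, and `policy_name` plus `cat` is what a detection rule should match on rather than the free-text `name`, which varies by PLC vendor (Rockwell, SIMATIC, Toyopuc) for the same kind of activity.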