Are there any plans for enriching the server-side application logs with more records? Trying to do non-forensic analysis with Azure Sentinel or any other tool is impossible with the logs provided by DVLS. What would make the log more friendly is also getting the name resolution of UserID, FolderID, etc.
Below is a sample of a typical PAM log entry
PAM - Message: Check-out active. Varaktighet: 18h00. , MessageType: 99-Check-out active, SubMessageType: MessageContent: {"duration":1080} CredentialID: 1b93e7f5-fa72-4791-9479-41e9cdd8b566, FolderID: 1b93e7f5-fa72-4791-9479-41e9cdd8b566, CheckoutID: 6ca430ce-c90a-4bd4-871c-22637eff32c9, ResetPasswordScheduleID: , TagID: , UserID: d02ee09f-a172-4081-ab73-dad3770227d7, DateTime: 2024-05-29 13:42:45, Username: rdm-user@contoso.com, CheckoutPolicyID: , OtpTemplateID:
Hi Simon,
François (who is out fishing these days, hence my response) sat with our very own opsec team to look at how they were using the logs and came back from the experience and basically said that we were not helping enough. (in not so nice terms)
Sadly, our plate is overflowing and we do not know when we'll be able to improve this.
We do have requests that will be handled as bugs and processed more rapidly, but not for what you're asking.
Let me discuss with my colleagues and we will get back to you.
Best regards,
Maurice
Hello,
I was unable to reply to your direct message for some reason, so I'll post my reply here.
I'm not sure if it is even possible to catch this with a SQL query. Keep in mind that this would be used proactively, not when we are investigating a known breach and already know what we are looking for in terms of, say, a user or client. What we were looking into was whether we could use the data in any given log entry, or patterns across several log entries, to try to determine if something was wrong.
For example, RDM user %Simon% is checking out a PAM account with the name %John%, or RDM user Simon has viewed 50 passwords within 1 min, etc.
Basically, behavior analytics would be a better term, and that would probably belong inside the application rather than trying to do this with logs. I know you have a BA feature, but it doesn't cover these use cases.
Regards,
Simon
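One way to get at the two patterns described in that post from the entry format in the sample above, as an added example and not Devolutions' code or a DVLS feature: locate the key/value fields by their key tokens (the sample has no separator between MessageContent and CredentialID, and the Message text itself contains ": " and ", "), resolve CredentialID through a lookup table so an alert names the account instead of a GUID, and keep a per-user sliding window to spot a burst of views. The "Password viewed" message type, the credential-owner lookup table, the user IDs and every entry other than the one posted are constructed for the demo; a real deployment would take the message type and the lookup from DVLS itself.

```python
"""Parse DVLS PAM log entries and run two simple behaviour rules over them.

Added example, not Devolutions' code. The field layout follows the sample
entry posted in the thread; the lookup table, the extra entries and the
"Password viewed" MessageType are constructed for the demo (assumption).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field names exactly as they appear in the posted sample entry.
KEYS = ["Message", "MessageType", "SubMessageType", "MessageContent",
        "CredentialID", "FolderID", "CheckoutID", "ResetPasswordScheduleID",
        "TagID", "UserID", "DateTime", "Username", "CheckoutPolicyID",
        "OtpTemplateID"]
_KEY_RE = re.compile(r"\b(" + "|".join(KEYS) + r"):")


def parse_pam_entry(line):
    """Split one 'PAM - ...' entry into a dict keyed by the names in KEYS.

    Each value runs from its key token to the next key token, with the
    trailing ', ' stripped, so empty fields ('TagID: , ') parse as ''.
    """
    body = line.split("PAM - ", 1)[1] if line.startswith("PAM - ") else line
    hits = list(_KEY_RE.finditer(body))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[m.group(1)] = body[m.end():end].strip().rstrip(",").strip()
    if "DateTime" in fields:
        fields["ts"] = datetime.strptime(fields["DateTime"], "%Y-%m-%d %H:%M:%S")
    return fields


def burst_rule(entries, message_type, threshold, window):
    """Flag a user producing `threshold` entries of `message_type` within `window`.

    Sliding window per UserID, one alert per burst. Returns
    (Username, time of the event that tripped the rule, count).
    """
    recent, alerts = defaultdict(deque), []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e.get("MessageType") != message_type:
            continue
        q = recent[e["UserID"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e["Username"], e["ts"], len(q)))
            q.clear()
    return alerts


def checkout_mismatch_rule(entries, credentials):
    """Flag check-outs of a credential the lookup table assigns to someone else.

    `credentials` maps CredentialID -> {"name", "owner"}; this enrichment is
    the name resolution the thread asks for, supplied here by a constructed dict.
    """
    alerts = []
    for e in entries:
        if not e.get("MessageType", "").endswith("Check-out active"):
            continue
        cred = credentials.get(e["CredentialID"])
        if cred and cred["owner"] != e["Username"]:
            alerts.append((e["Username"], cred["name"], cred["owner"], e["ts"]))
    return alerts


# The entry posted in the thread, verbatim.
SAMPLE_LINE = ('PAM - Message: Check-out active. Varaktighet: 18h00. , MessageType: 99-Check-out active, '
               'SubMessageType: MessageContent: {"duration":1080} CredentialID: 1b93e7f5-fa72-4791-9479-41e9cdd8b566, '
               'FolderID: 1b93e7f5-fa72-4791-9479-41e9cdd8b566, CheckoutID: 6ca430ce-c90a-4bd4-871c-22637eff32c9, '
               'ResetPasswordScheduleID: , TagID: , UserID: d02ee09f-a172-4081-ab73-dad3770227d7, '
               'DateTime: 2024-05-29 13:42:45, Username: rdm-user@contoso.com, CheckoutPolicyID: , OtpTemplateID:')

# Constructed lookup table (assumption): which account a CredentialID is.
CREDENTIALS = {"1b93e7f5-fa72-4791-9479-41e9cdd8b566":
               {"name": "john (domain admin)", "owner": "john@contoso.com"}}

SIMON_ID = "00000000-0000-4000-8000-000000000001"  # constructed
ANNA_ID = "00000000-0000-4000-8000-000000000002"   # constructed


def _entry(msg_type, ts, user_id, username, cred_id):
    """Build a constructed entry in the same layout as SAMPLE_LINE."""
    return (f"PAM - Message: {msg_type}. , MessageType: {msg_type}, SubMessageType: "
            f"MessageContent: {{}} CredentialID: {cred_id}, FolderID: , CheckoutID: , "
            f"ResetPasswordScheduleID: , TagID: , UserID: {user_id}, DateTime: {ts:%Y-%m-%d %H:%M:%S}, "
            f"Username: {username}, CheckoutPolicyID: , OtpTemplateID:")


T0 = datetime(2024, 5, 29, 13, 50, 0)
SAMPLE_LINES = [SAMPLE_LINE] + [
    _entry("Password viewed", T0 + timedelta(seconds=5 * i), SIMON_ID, "simon@contoso.com", f"cred-{i}")
    for i in range(6)] + [
    _entry("Password viewed", T0 + timedelta(minutes=i), ANNA_ID, "anna@contoso.com", f"cred-{i}")
    for i in range(2)]


def run_demo():
    entries = [parse_pam_entry(line) for line in SAMPLE_LINES]
    return {"bursts": burst_rule(entries, "Password viewed", 5, timedelta(minutes=1)),
            "mismatches": checkout_mismatch_rule(entries, CREDENTIALS)}


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        for hit in hits:
            print(kind, *hit)
```

The window rule is the same thing a Sentinel KQL `summarize count() by UserId, bin(TimeGenerated, 1m)` would do once the entries are parsed into columns; the point of the parser is that, without it, the GUID-only fields cannot be joined to anything, which is exactly the enrichment gap raised at the top of the thread.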
Hi,
I totally get what you want; in fact I wanted it myself and played around with an ML engine to integrate in our core. We did add more data to our logs to catch the context, but even after that, I would only get really obvious results, meaning that they needed to be really abnormal.
The challenge was then to better isolate the outliers to get the next level, and that’s where I was stuck. We passed the code to another to see what could be improved but it didn’t seem promising enough to dedicate more time to it.
Maybe next year… Local LLMs are becoming easier to deploy and can run on commodity hardware. I'm keeping my fingers crossed, because behavior analytics would be an excellent addition to our PAM.
Best regards
Maurice