Format and content of alert information for SIEM
In this topic, you will learn what alert information is sent to integrated SIEM solutions and in what format.
Basic alert information
The following table describes the basic alert information sent to SIEM services in JSON and CEF messages. In JSON these fields are the top-level keys of the message; in CEF, as the example at the end of this topic shows, the pipe-delimited header carries the CEF version, vendor (Portnox CLEAR), product (CLEAR), product version, signatureID, name and severity, and the remaining fields follow as the extension.
Field | Description |
---|---|
version | Relevant for the CEF data format only. An integer identifying the CEF format version. The current CEF format version is 0. |
hostName | The host name of the Portnox CLEAR service that sent the alert: clear.portnox.com. In CEF messages it appears in the syslog header that precedes CEF:0. |
product | Portnox CLEAR |
createdDate | Date and time when the alert was created, in the format MMM dd HH:mm:ss (no year or time zone). In the examples this string is the UTC rendering of the millisecond epoch value carried in the time (JSON) or start (CEF) extension field, which is the field to use for correlation. |
account | The relevant Cloud account or System if the event does not apply to a specific account. |
signatureID | A unique integer identifier of the Cloud alert type. The JSON example serializes it as a quoted string ("17092"), so parse it accordingly. |
name | The title of the alert as seen on the Alerts screen. |
severity | An integer indicating the severity of the event. |
Extension | A list of key-value pairs. The actual pairs depend on the alert type and not all pairs are used for all alerts. |
JSON extension information
The JSON messages sent to SIEM services include the following key-value pairs in addition to the Basic alert information.
Field | Description |
---|---|
alertId | The unique identifier of the Portnox Cloud alert in the GUID format. |
description | The full description of the alert. |
source | The device name, the guest name, or system. |
sourceId | The device ID, the guest name, or system. |
deviceOS | The device operating system. |
account | The account related to the alert. |
ip | The last known device/guest IP address. |
mac | The last known device/guest MAC address. |
category | The alert category: Risk, Access, System, or Device Monitoring. |
time | The alert creation time as a UNIX epoch timestamp in milliseconds (13 digits in the example). |
group | The group assigned to the device. |
policy | The risk assessment policy applicable to the device. |
agentType | Indicates whether the device has AgentP installed or is agentless. |
riskScore | The device risk score. |
policyAction | The policy action applied to the device during authentication: allow, alert, or deny. |
nasType | The type of NAS to which the device was last connected: VPN, Wired, Wireless, Okta, or DirectAccess. |
nas | The NAS name, NAS IP address, or NAS MAC address. |
vlan | The VLAN to which the device was last connected. |
port | The number of the port to which the device was last connected. |
authNType | The authentication type, such as EAP_PEAP, MS-CHAPv2, etc. |
network | The name of the network to which the device was last connected. |
CEF extension information
The CEF messages sent to SIEM services include the following key-value pairs in addition to the Basic alert information.
Field | Description |
---|---|
Common fields | |
act | The alert category: Risk, Access, System, or Device Monitoring. |
dst | The last known device/guest IP address. |
dhost | The device name, the guest name, or system. |
dmac | The last known device/guest MAC address. |
duid | The device ID, the guest name, or system. |
duser | The account related to the alert. |
dpt | The number of the port to which the device was last connected. |
start | The alert creation time as a UNIX epoch timestamp in milliseconds (13 digits in the example). |
src | The NAS name, NAS IP address, or NAS MAC address. |
msg | The full description of the alert. |
Custom fields (each csN/cnN value is paired with a csNLabel/cnNLabel field that names it) | |
cn1 | The device risk score. |
cn1Label | riskScore |
cs1 | The group assigned to the device. |
cs1Label | group |
cs2 | The risk assessment policy applicable to the device. |
cs2Label | policy |
cs3 | The policy action applied to the device during authentication: allow, alert, or deny. |
cs3Label | policyAction |
cs4 | The authentication type, such as EAP_PEAP, MS-CHAPv2, etc. |
cs4Label | authNType |
cs5 | The name of the network to which the device was last connected. |
cs5Label | network |
cs6 | The device operating system. |
cs6Label | deviceOS |
Examples of alert messages
JSON example:
{
  "hostName": "clear.portnox.com",
  "product": "Portnox™ CLEAR",
  "createdDate": "Oct 24 12:58:12",
  "account": "System",
  "signatureID": "17092",
  "name": "RADIUS failed to authenticate device due to unsupported authentication type",
  "severity": 9,
  "Extension": {
    "alertId": "98a8f169-9115-4c88-9420-90b8c2d52b5c",
    "category": "Access",
    "description": "RADIUS failed to authenticate unknown device with MAC address '7C:0B:C6:25:69:4B' to Wireless Net1 network due to wrong authentication type 'NAK'. Recommended actions: Make sure this was not a malicious attempt. Check you network settings.",
    "time": "1540385892610",
    "sourceId": "system",
    "source": "system",
    "nasType": "Wireless",
    "nas": "2A-79-A2-1F-21-58",
    "port": "unknown",
    "vlan": "unknown",
    "authNType": "MS-CHAP V2",
    "network": "Net1"
  }
}
CEF example:
Oct 24 13:36:37 clear.portnox.com CEF:0|Portnox CLEAR|CLEAR|Fall’18|17026|Device risk score reached "Alert" level|9|act=Risk dst=192.168.2.1 dhost=MY-PC dmac=2A-79-A2-1F-21-58 duid=D1E3E4A5-561D-4C3A-A632-6006468B753E duser=testuser@tesrorg.com start=1540388197190 msg=The device reached a risk score of 100 which triggered an “Alert” action, due to the following violations of the TEST RISK POLICY policy: The device’s current location 'Malta' violates the organization’s geolocation policy cn1=100 cn1Label=riskScore cs1=Default cs1Label=group cs2=System Default Policy cs2Label=policy cs3=Alert cs3Label=policyAction cs6=Android cs6Label=deviceOS
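The following Python is an added example, not code from this page or from Portnox, showing how a SIEM ingest step would parse both message forms described in the JSON extension and CEF extension tables above into one normalized record. It splits the CEF header on unescaped pipes, walks the extension key=value pairs (values such as msg contain spaces, colons and quotes), folds the csN/cnN custom fields back onto the names given by their csNLabel/cnNLabel fields, and converts the millisecond epoch time. The two sample messages are constructed copies of the page's own examples, joined onto one line and with typographic quotes replaced by plain ASCII quotes; the normalized key names (source_id, policy_action, and so on) and the helper names are this example's own choices, not anything the product defines.

```python
"""Parse Portnox CLEAR SIEM alerts, JSON or CEF, into one normalized record."""
import json
import re
from datetime import datetime, timezone

# Constructed copies of this page's two sample messages (one line each, ASCII quotes).
JSON_SAMPLE = """{ "hostName": "clear.portnox.com", "product": "Portnox CLEAR", "createdDate": "Oct 24 12:58:12",
 "account": "System", "signatureID": "17092", "severity": 9,
 "name": "RADIUS failed to authenticate device due to unsupported authentication type",
 "Extension": { "alertId": "98a8f169-9115-4c88-9420-90b8c2d52b5c", "category": "Access",
 "description": "RADIUS failed to authenticate unknown device with MAC address '7C:0B:C6:25:69:4B' to Wireless Net1 network due to wrong authentication type 'NAK'. Recommended actions: Make sure this was not a malicious attempt. Check you network settings.",
 "time": "1540385892610", "sourceId": "system", "source": "system", "nasType": "Wireless", "nas": "2A-79-A2-1F-21-58",
 "port": "unknown", "vlan": "unknown", "authNType": "MS-CHAP V2", "network": "Net1" } }"""
CEF_SAMPLE = (
    "Oct 24 13:36:37 clear.portnox.com CEF:0|Portnox CLEAR|CLEAR|Fall'18|17026|"
    'Device risk score reached "Alert" level|9|act=Risk dst=192.168.2.1 dhost=MY-PC '
    "dmac=2A-79-A2-1F-21-58 duid=D1E3E4A5-561D-4C3A-A632-6006468B753E duser=testuser@tesrorg.com "
    'start=1540388197190 msg=The device reached a risk score of 100 which triggered an "Alert" '
    "action, due to the following violations of the TEST RISK POLICY policy: The device's current "
    "location 'Malta' violates the organization's geolocation policy cn1=100 cn1Label=riskScore "
    "cs1=Default cs1Label=group cs2=System Default Policy cs2Label=policy cs3=Alert "
    "cs3Label=policyAction cs6=Android cs6Label=deviceOS")

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity
CEF_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def _unescape(value):
    # CEF escapes '|' in header fields and '=' in extension values with a backslash
    return re.sub(r"\\([\\|=])", r"\1", value)

def split_cef_header(cef):
    """Split on unescaped pipes; returns (header dict, raw extension string)."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %.40r" % cef)
    header = dict(zip(CEF_HEADER, (_unescape(p) for p in parts[:7])))
    header["cef_version"] = int(header["cef_version"][4:])
    return header, parts[7]

def parse_cef_extension(ext):
    """'k1=v1 k2=v2 with spaces' -> dict; a value runs until the next ' key=' token."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    out = {}
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[cur.group(1)] = _unescape(ext[cur.end():end]).strip()
    return out

def resolve_cef_labels(ext):
    """Rename csN/cnN values to their csNLabel/cnNLabel names (case-insensitive); cn values become ints."""
    resolved = dict(ext)
    for key in ext:
        m = re.fullmatch(r"(cs|cn)(\d)label", key, re.IGNORECASE)
        if m and m.group(1) + m.group(2) in resolved:
            raw = resolved.pop(m.group(1) + m.group(2))
            resolved[resolved.pop(key)] = int(raw) if m.group(1).lower() == "cn" else raw
    return resolved

# (normalized name, key in the JSON "Extension" object, CEF key after label resolution),
# pairing the rows of the two extension tables on this page.
FIELD_MAP = [
    ("category", "category", "act"), ("description", "description", "msg"),
    ("source", "source", "dhost"), ("source_id", "sourceId", "duid"),
    ("account", "account", "duser"), ("ip", "ip", "dst"), ("mac", "mac", "dmac"),
    ("nas", "nas", "src"), ("port", "port", "dpt"), ("group", "group", "group"),
    ("policy", "policy", "policy"), ("policy_action", "policyAction", "policyAction"),
    ("risk_score", "riskScore", "riskScore"), ("authn_type", "authNType", "authNType"),
    ("network", "network", "network"), ("device_os", "deviceOS", "deviceOS"),
]

def _build(header, ext, column, time_key):
    rec = {
        "signature_id": int(header["signature_id"]),  # a quoted string in the JSON sample
        "name": header["name"],
        "severity": int(header["severity"]),
        # time (JSON) and start (CEF) are UNIX epoch milliseconds, 13 digits in both samples
        "created": datetime.fromtimestamp(int(ext[time_key]) / 1000, tz=timezone.utc),
    }
    for norm, jkey, ckey in FIELD_MAP:
        rec[norm] = ext.get((jkey, ckey)[column])
    rec["risk_score"] = int(rec["risk_score"]) if rec["risk_score"] is not None else None
    return rec

def normalize_json(text):
    msg = json.loads(text)
    ext = dict(msg.get("Extension", {}))
    ext.setdefault("account", msg.get("account"))  # the sample carries account only at top level
    header = {"signature_id": msg["signatureID"], "name": msg["name"], "severity": msg["severity"]}
    return _build(header, ext, 0, "time")

def normalize_cef(line):
    header, ext_str = split_cef_header(line[line.index("CEF:"):])  # drop the syslog prefix
    ext = resolve_cef_labels(parse_cef_extension(ext_str))
    return _build(header, ext, 1, "start")

def created_date_matches(record, created_date):
    """True when the 'MMM dd HH:mm:ss' text agrees with the epoch field read as UTC."""
    return record["created"].strftime("%b %d %H:%M:%S") == created_date
```

Running created_date_matches against both samples confirms two things a parser must get right: time and start are milliseconds, not seconds, and createdDate (and the CEF syslog timestamp) is the UTC rendering of that instant. The label resolution is case-insensitive because the CEF table spells the label keys cn1label while the sample message and the CEF specification use cn1Label.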