Syslog Reporting
  • 16 Oct 2020

SecureCircle has 2 sources of reporting as of v2.10:

  1. The backend collects data on every tracker request and reports it with a requestSignature value that is unique to each request type.
  2. The client collects events and uses the backend to report them to the SIEM.

Backend reporting

Common info

Events reported in the following sections contain these common fields:

Backend info

host: hostname + ip address of backend instance that reports; e.g. "dev.securecircle.io:172.19.0.6"
hostname: hostname of backend instance that reports; e.g. "dev.securecircle.io"
ip: ip address of backend instance that reports; e.g. "172.19.0.6"

User info

clientIp: ip address of the user
userEmail: john.doe@gmail.com
userItemId: rm-a8aa8ae1-8661-11ea-8a93-edcbd1515e2e
userName: John Doe

Endpoint info

authType: MEMBER_ENDPOINT
endpointId: c42dd8a1-8661-11ea-81b1-0193b279b55e
endpointName: John's Laptop
endpointType: WINDOWS

Important Backend Events

Info

A file has been accessed and the client has requested its encryption keys from the server
Search by "POST_/v3/files/get"
requestSignature: POST_/v3/files/get

// circle of file
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle

// info of file that was accessed
fileId: {03a93168-8665-11ea-81b1-c1fb00e730d4}
fileKeyProviderName: Local Database Key Storage
fileNameFromRequest: ImportantInfo.docx
filePath: \\Users\JDoe\files\

// process that touched file
processId: {cd690177-6d7a-11ea-9516-6dab1c893241}
processInfo: {"name":"fhagent.exe","impname":"fhagent.exe","ver":"1.3.3.169","cert":{"status":"Trusted","certHash":"999f447f09bfb6cfb2b20b395a8c6f85","signHash":"2dd450dfd6c45afd4cc11283adfdc01d","serial":"05240C2FDFCABA1854A72BB5BC1C1EEF","desc":"SecureCircle Service SSL ADS AES256 Key/File CAROOT MT V2 UTF8 FWLL DTAGS","prod":"SecureCircle","inner":"fhagent.exe","strong":"fhagent.exe","original":"fhagent.exe","executable":"fhagent.exe","publisher":"Secure Circle, LLC","signers":["Secure Circle, LLC","DigiCert EV Code Signing CA (SHA2)","DigiCert"]}}
processName: fhagent.exe
processOsType: WINDOWS
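The processInfo field above is the part of a file-access event a defender most wants to inspect: it tells you which binary requested the keys and whether that binary's code signature was trusted. The following is an added example (not SecureCircle's code) that reviews a "POST_/v3/files/get" event for a process whose signature status is not Trusted, whose publisher is outside an allow-list, or whose reported processName disagrees with the binary's own metadata. It assumes the SIEM has already extracted the event into a flat field mapping with processInfo carried as a JSON string; the sample events, the allow-list and the review_file_access name are all constructed for illustration.

```python
import json

# Constructed sample shaped like the POST_/v3/files/get fields on this page.
# Assumption: fields arrive already extracted into a flat mapping (as a SIEM
# would present them), with processInfo still JSON-encoded.
SAMPLE_FILE_GET_EVENT = {
    "requestSignature": "POST_/v3/files/get",
    "userEmail": "john.doe@gmail.com",
    "endpointName": "John's Laptop",
    "circleName": "Important Circle",
    "fileNameFromRequest": "ImportantInfo.docx",
    "processName": "fhagent.exe",
    "processInfo": json.dumps({
        "name": "fhagent.exe", "original": "fhagent.exe", "executable": "fhagent.exe",
        "cert": {"status": "Trusted", "publisher": "Secure Circle, LLC",
                 "signers": ["Secure Circle, LLC", "DigiCert EV Code Signing CA (SHA2)", "DigiCert"]},
    }),
}

# Constructed counter-example: an unsigned third-party binary asking for keys.
SAMPLE_UNTRUSTED_EVENT = {
    **SAMPLE_FILE_GET_EVENT,
    "processName": "notepad.exe",
    "processInfo": json.dumps({
        "name": "notepad.exe", "original": "notepad.exe", "executable": "notepad.exe",
        "cert": {"status": "Untrusted", "publisher": "Example Co", "signers": []},
    }),
}

# Constructed allow-list of publishers expected to open protected files (an assumption).
TRUSTED_PUBLISHERS = {"Secure Circle, LLC", "Microsoft Corporation"}


def review_file_access(event):
    """Return (verdict, reasons) for one POST_/v3/files/get event.

    verdict is "ok" when every check passes, otherwise "review";
    reasons lists each failed check so an analyst sees why.
    """
    if event.get("requestSignature") != "POST_/v3/files/get":
        raise ValueError("not a file-access event")
    reasons = []
    try:
        info = json.loads(event.get("processInfo") or "{}")
    except json.JSONDecodeError:
        return "review", ["processInfo is not valid JSON"]
    cert = info.get("cert") or {}
    if cert.get("status") != "Trusted":
        reasons.append(f"signature status {cert.get('status')!r} is not Trusted")
    publisher = cert.get("publisher")
    if publisher not in TRUSTED_PUBLISHERS:
        reasons.append(f"publisher {publisher!r} not in allow-list")
    # The name the client reports should agree with the binary's own metadata.
    pe_names = {n.lower() for n in (info.get("name"), info.get("original"), info.get("executable")) if n}
    if event.get("processName", "").lower() not in pe_names:
        reasons.append("processName disagrees with processInfo metadata")
    return ("review" if reasons else "ok"), reasons


if __name__ == "__main__":
    for ev in (SAMPLE_FILE_GET_EVENT, SAMPLE_UNTRUSTED_EVENT):
        print(ev["processName"], review_file_access(ev))
```

The publisher allow-list is deliberately small; in practice it would be derived from the Application (Process) list the backend already maintains, and a "review" verdict is a triage signal rather than a block.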

User removed file from Circle

Info

Search by "POST_/v3/fileHashes/add"

requestSignature: POST_/v3/fileHashes/add

// circle file had been removed from
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle

// info about content that was removed from circle
fileHashName: ImportantInfo.docx
fileHashValue: 69ffb3e688c7623f384abe67dcbd8d71676e4a73
hashingAlgorithm: sha1

Important Client Events

Info

File was encrypted
Search by "POST_/v3/report" "Encrypt"
requestSignature: POST_/v3/report

// circle
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle

// absolute path of encrypted file
details: {"message":"\\Device\\HarddiskVolume3\\Users\\User\\Desktop\\magic\\hello\\b\\batch.bat"}
epochTime: 1587759046
timestampUTC: 2020-04-24T20:10:46Z
type: Encrypt
Info

File was decrypted
Search by "POST_/v3/report" "Decrypt"

requestSignature: POST_/v3/report

// circle
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle

// absolute path of decrypted file
details: {"message":"\\Device\\HarddiskVolume3\\Users\\User\\Desktop\\magic\\hello\\b\\batch.bat"}
epochTime: 1587759046
timestampUTC: 2020-04-24T20:10:46Z
type: Decrypt
Info

File was encrypted because its content is similar to the content of a previously protected file (MagicDerivative)
Search by "POST_/v3/report" "FileHasBeenDerivedFrom"

requestSignature: POST_/v3/report

// circle of file
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle

// contains info about derived file
details: {"fid":"{f0bf414b-85d7-11ea-81b1-4f2c83f83d5c}","parentFid":"{0db62836-859e-11ea-81b1-9f2b791231e1}","cid":"{6b21eb0f-8bbf-11e9-b312-6b9034e1afd5}","domain":"dev.securecircle.io","name":"E:\\Repo\\local_repo1\\add-patch.c","hash":"c95438be7f6b1b54cfbddc47c68d5ee9e194f947","similarity":87.88}
epochTime: 1587759046
timestampUTC: 2020-04-24T20:10:46Z
type: FileHasBeenDerivedFrom

SecureSend events

Every event reported in this section includes the following fields:

Backend info

host: hostname + ip address of backend instance that reports; e.g. "dev.securecircle.io:172.19.0.6"
hostname: hostname of backend instance that reports; e.g. "dev.securecircle.io"
IP: ip address of backend instance that reports; e.g. "172.19.0.6"

User info

clientIP: ip address of the user

Info

User sent a file via SecureSend
Search by "POST_/v3/shares/email/create"

requestSignature: POST_/v3/shares/email/create

// endpoint details
clientEndpointId: 64c2c0e2-5db5-11ea-b44b-ebd1a36ab01e
endpointName: John's Work Laptop
endpointType: WINDOWS

// endpoint owner details for AD endpoint
  authType: SHARED_ENDPOINT
  clientUserSid: S-1-5-21-2014836877-3571182175-74761877-1104
// OR
// endpoint owner details for Email endpoint
  authType: MEMBER_ENDPOINT
  userEmail: john.doe@gmail.com
  userItemId: rm-a8aa8ae1-8661-11ea-8a93-edcbd1515e2e
  userName: John Doe

// share details
actor: john.doe@gmail.com
participants: [{"itemId":"8bc9b4a5-867c-11ea-a52f-175d3cd8dc50","shareItemId":"8bc85514-867c-11ea-a52f-f32372f9e591","type":"RECIPIENT","email":"john.doe.jr@gmail.com"}]
shareItemId: 8bc85514-867c-11ea-a52f-f32372f9e591
shareName: Share of 'john.doe@gmail.com'
sharedFiles: [{"id":581,"itemId":"{8b3b575d-867c-11ea-a52f-0d8de03694f4}","name":"file-sample_1MB.docx","active":true,"ownerType":"AD","owner":"S-1-5-21-2014836877-3571182175-74761877-1104","originCircleItemId":"{acbc3dcf-0002-4207-8c96-e6b5197207cf}","created":1587768006,"modified":1587768006},{"id":582,"itemId":"{8b3b575e-867c-11ea-a52f-956ca0d48702}","name":"file-sample_10MB.docx","active":true,"ownerType":"AD","owner":"S-1-5-21-2014836877-3571182175-74761877-1104","originCircleItemId":"{00000000-0000-0000-0000-111111111111}","created":1587768006,"modified":1587768006}]
Info

SecureSend file was accessed by recipient
Search by "GET_/access.html"

requestSignature: GET_/access.html

// who accessed the file
actorType: RECIPIENT
actorEmail: john.doe.jr@gmail.com
actorItemId: d9ebf4ea-8587-11ea-a52f-9f982b49c794

// which files were accessed
accessedFiles: {d99c4e51-8587-11ea-a52f-dffb82dfc27e},{d99c4e52-8587-11ea-a52f-d73948ef72ce}

// share details
shareItemId: d9e9aaf9-8587-11ea-a52f-1d1d219628fe
shareName: Share of 'john.doe@gmail.com'
shareActive: true

// confirmation id that was used to access these files
confirmationItemId: f77b18a6858711eab8d905a44d961dda

// converter that was used to transform this file into PDF
converterUrl: <https://qa.securecircle.io/converter>

// whether WOPI editing was allowed
wopiEnabled: true
wopiUrl: <https://internal.wopi.securecircle.com>
Info

Share recipient requests the second factor check (currently an email sent to the recipient's address) to access the decryption portal
Search by "POST_/requestConfirmation"

requestSignature: POST_/requestConfirmation

// Endpoint information is sent to server
// confirmationItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// actorEmail: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com
// actorItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// shareItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// shareName: Share of 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com
Info

Render confirmation page to access decryption portal
Search by "GET_/confirmation.html"

requestSignature: GET_/confirmation.html

// Endpoint information is sent to server
// recipientEmails: ["jXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com"]
// shareItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Info

Share recipient completed the second factor check (clicked the link in the email)
Search by "GET_/confirmAccess"

requestSignature: GET_/confirmAccess

// Endpoint information is sent to server

Client & Server configuration synchronization events

The client will request updates from the server to get the last policy and permissions information.

Info

Client requests timestamps for policies (e.g. firewall, derivative, cache TTL) as related to Circles
Search by "POST_/v3/circles/getLastModified"

requestSignature: POST_/v3/circles/getLastModified

// User and endpoint information is sent to server
Info

Client provides the server with the name and information of a process that is unknown to the server
Search by "POST_/v3/processes/add"

requestSignature: POST_/v3/processes/add

// User, Circle and endpoint information is sent to server
// Client will send processInfo details for the new process
processInfo: {"name":"outlook.exe","ver":"16.0.11929.20752","cert":{"status":"Trusted","certHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","signHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","serial":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","desc":"Microsoft Outlook","prod":"Microsoft Outlook","inner":"Outlook","strong":"Outlook","original":"Outlook.exe","executable":"outlook.exe","publisher":"Microsoft Corporation","signers":["Microsoft Corporation","Microsoft Code Signing PCA 2010","Microsoft Root Certificate Authority 2010"]}}
Info

Client requests Application (Process) list updates
Search by "POST_/v3/processes/getUpdate"

requestSignature: POST_/v3/processes/getUpdate

// User and endpoint information is sent to server
Info

Client requests its status (ACTIVE/UNCONFIRMED/DISABLED) for all Circles
Search by "POST_/v3/endpoints/status"

requestSignature: POST_/v3/endpoints/status

// endpoint information is sent to server
Info

Client requests updated Circle list
Search by "POST_/v3/circles/getUpdate"

requestSignature: POST_/v3/circles/getUpdate

// User and endpoint information is sent to server
Info

Client requests list of files that were removed from Circles
Search by "POST_/v3/fileHashes/getUpdate"

requestSignature: POST_/v3/fileHashes/getUpdate

// User, Circle and endpoint information is sent to server
Info

Client requests derivative configuration (threshold, file extensions, ...)
Search by "POST_/v3/derivativeConfig/get"

requestSignature: POST_/v3/derivativeConfig/get

// User, Circle and endpoint information is sent to server
Info

Client requests updated firewall rules
Search by "POST_/v3/firewallRules/getUpdate"

requestSignature: POST_/v3/firewallRules/getUpdate

// User, Circle, and endpoint information is sent to server
// Client will send processInfo, processId, processName, and processOsType details
processInfo: {"name":"python.exe","ver":"3.8.2150.1013","cert":{"status":"Trusted","certHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","signHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","serial":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","desc":"Python","prod":"Python","inner":"Python Console","strong":"Python Console","original":"python.exe","executable":"python.exe","publisher":"Python Software Foundation","signers":["Python Software Foundation","DigiCert SHA2 Assured ID Code Signing CA","DigiCert"]}}
Info

Client requests additional spare envelope.
Search by "POST_/v3/envelopes/get"

requestSignature: POST_/v3/envelopes/get

// User, Circle, and endpoint information is sent to server
Info

Client reports a 'previously removed file added to Circle' event to the server. Once this event is reported, the file becomes available for MagicDerivative on other clients
Search by "POST_/v3/fileHashes/remove"

requestSignature: POST_/v3/fileHashes/remove

// User, Circle, and endpoint information is sent to server
// fileHashValue: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Info

Client provides the server with a new process name and info
Search by "POST_/v3/processes/addOne"

requestSignature: POST_/v3/processes/addOne

// User, Circle and endpoint information is sent to server
// Client will send processInfo details for the new process
processInfo: {"name":"outlook.exe","ver":"16.0.11929.20752","cert":{"status":"Trusted","certHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","signHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","serial":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","desc":"Microsoft Outlook","prod":"Microsoft Outlook","inner":"Outlook","strong":"Outlook","original":"Outlook.exe","executable":"outlook.exe","publisher":"Microsoft Corporation","signers":["Microsoft Corporation","Microsoft Code Signing PCA 2010","Microsoft Root Certificate Authority 2010"]}}
Info

Client requests updated firewall rules
Search by "POST_/v3/firewallRulesConfiguration/getUpdate"

requestSignature: POST_/v3/firewallRulesConfiguration/getUpdate

// User, Circle, and endpoint information is sent to server
Info

Client is registering the device
Search by "POST_/v3/endpoints/register"

requestSignature: POST_/v3/endpoints/register

// Endpoint information is sent to server
Info

Client asks for the URL from which to download additional installation packages. This keeps the original installer small, avoiding problems with MS Firewall, etc.
Search by "POST_/v3/install/getConfiguration"

requestSignature: POST_/v3/install/getConfiguration

// Endpoint information is sent to server

Example SecureSend Splunk Search & Reports

A simple SecureSend report that will show sender, recipient(s) and the file(s) sent.

requestSignature="POST_/v3/shares/email/create" | rename actor as Sender, participants as Recipients, sharedFiles as Files | table Sender, Recipients, Files

The table will display the Sender, Recipient(s), and File(s). The results can be further parsed as needed.
[Screenshot: splunk1.png]

A simple SecureSend report to show recipient(s) action.

requestSignature="GET_/access.html" | where isnull(error) | table actorEmail, shareItemId, shareName

This table will show action taken by the recipient (actorEmail), which shareID and shareName was accessed. The columns can be renamed using the previous example as a guide. A further drill down into the shareID can provide the sender, other recipients, and files.
[Screenshot: splunk2.png]
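The two Splunk searches above, and the drill-down from a shareItemId back to the sender, other recipients and files, can also be reproduced outside Splunk when the events are exported from the SIEM. The following is an added example, not part of this article or of SecureCircle's tooling, that builds the share report from "POST_/v3/shares/email/create" events, keeps only error-free "GET_/access.html" events (the isnull(error) filter), joins them by shareItemId, and additionally flags an access by an address that was not among the share's recipients. It assumes events are flat field mappings with participants and sharedFiles still JSON-encoded; the sample events and function names are constructed.

```python
import json

# Constructed events shaped like the SecureSend fields on this page. The JSON-valued
# fields (participants, sharedFiles) are carried as strings, as a SIEM would return them.
SAMPLE_EVENTS = [
    {
        "requestSignature": "POST_/v3/shares/email/create",
        "actor": "john.doe@gmail.com",
        "shareItemId": "8bc85514-867c-11ea-a52f-f32372f9e591",
        "shareName": "Share of 'john.doe@gmail.com'",
        "participants": json.dumps([
            {"type": "RECIPIENT", "email": "john.doe.jr@gmail.com"},
            {"type": "RECIPIENT", "email": "jane.roe@example.com"},
        ]),
        "sharedFiles": json.dumps([
            {"name": "file-sample_1MB.docx", "active": True},
            {"name": "file-sample_10MB.docx", "active": True},
        ]),
    },
    {
        "requestSignature": "GET_/access.html",
        "actorEmail": "john.doe.jr@gmail.com",
        "shareItemId": "8bc85514-867c-11ea-a52f-f32372f9e591",
        "shareName": "Share of 'john.doe@gmail.com'",
    },
    {   # failed access; the Splunk search drops these with "where isnull(error)"
        "requestSignature": "GET_/access.html",
        "actorEmail": "jane.roe@example.com",
        "shareItemId": "8bc85514-867c-11ea-a52f-f32372f9e591",
        "error": "confirmation expired",
    },
]


def share_report(events):
    """Sender, recipients and files per share (the first Splunk search), keyed by shareItemId."""
    report = {}
    for ev in events:
        if ev.get("requestSignature") != "POST_/v3/shares/email/create":
            continue
        recipients = [p["email"] for p in json.loads(ev["participants"])
                      if p.get("type") == "RECIPIENT"]
        files = [f["name"] for f in json.loads(ev["sharedFiles"])]
        report[ev["shareItemId"]] = {"Sender": ev["actor"],
                                     "Recipients": recipients, "Files": files}
    return report


def recipient_actions(events, shares):
    """Error-free recipient accesses (the second search) joined to their share (the drill-down)."""
    rows = []
    for ev in events:
        if ev.get("requestSignature") != "GET_/access.html" or ev.get("error") is not None:
            continue
        share = shares.get(ev["shareItemId"], {})
        rows.append({
            "actorEmail": ev["actorEmail"],
            "shareItemId": ev["shareItemId"],
            "shareName": ev.get("shareName"),
            "Sender": share.get("Sender"),
            "Files": share.get("Files", []),
            # An access by an address the share was never sent to deserves a look.
            "expectedRecipient": ev["actorEmail"] in share.get("Recipients", []),
        })
    return rows


if __name__ == "__main__":
    shares = share_report(SAMPLE_EVENTS)
    for row in recipient_actions(SAMPLE_EVENTS, shares):
        print(row)
```

Keying the share report by shareItemId is what makes the join cheap: every later access.html, requestConfirmation and confirmAccess event for the same share carries that id, so the same dictionary answers the drill-down for all of them.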
