Syslog Reporting
- Updated On 16 Oct 2020
SecureCircle has 2 sources of reporting as of v2.10:
- Backend collects data on every tracker request and reports it with a requestSignature value that is unique for each request type.
- Client collects events on the endpoint and uses the backend to report them to the SIEM.
Backend reporting
Common info
Reported events in the following sections will contain the following fields:
Backend info
host: hostname + ip address of backend instance that reports; e.g. "dev.securecircle.io:172.19.0.6"
hostname: hostname of backend instance that reports; e.g. "dev.securecircle.io"
ip: ip address of backend instance that reports; e.g. "172.19.0.6"
User info
clientIp: ip address of the user
userEmail: john.doe@gmail.com
userItemId: rm-a8aa8ae1-8661-11ea-8a93-edcbd1515e2e
userName: John Doe
Endpoint info
authType: MEMBER_ENDPOINT
endpointId: c42dd8a1-8661-11ea-81b1-0193b279b55e
endpointName: John's Laptop
endpointType: WINDOWS
Important Backend Events
File has been accessed and the client has requested the encryption keys from the server
Search by "POST_/v3/files/get"
requestSignature: POST_/v3/files/get
// circle of file
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle
// info of file that was accessed
fileId: {03a93168-8665-11ea-81b1-c1fb00e730d4}
fileKeyProviderName: Local Database Key Storage
fileNameFromRequest: ImportantInfo.docx
filePath: \\Users\JDoe\files\
// process that touched file
processId: {cd690177-6d7a-11ea-9516-6dab1c893241}
processInfo: {"name":"fhagent.exe","impname":"fhagent.exe","ver":"1.3.3.169","cert":{"status":"Trusted","certHash":"999f447f09bfb6cfb2b20b395a8c6f85","signHash":"2dd450dfd6c45afd4cc11283adfdc01d","serial":"05240C2FDFCABA1854A72BB5BC1C1EEF","desc":"SecureCircle Service SSL ADS AES256 Key/File CAROOT MT V2 UTF8 FWLL DTAGS","prod":"SecureCircle","inner":"fhagent.exe","strong":"fhagent.exe","original":"fhagent.exe","executable":"fhagent.exe","publisher":"Secure Circle, LLC","signers":["Secure Circle, LLC","DigiCert EV Code Signing CA (SHA2)","DigiCert"]}}
processName: fhagent.exe
processOsType: WINDOWS
User removed file from Circle
Search by "POST_/v3/fileHashes/add"
requestSignature: POST_/v3/fileHashes/add
// circle the file was removed from
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle
// info about content that was removed from circle
fileHashName: ImportantInfo.docx
fileHashValue: 69ffb3e688c7623f384abe67dcbd8d71676e4a73
hashingAlgorithm: sha1
Important Client Events
File was encrypted
Search by "POST_/v3/report" "Encrypt"
requestSignature: POST_/v3/report
// circle
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle
// absolute path of encrypted file
details: {"message":"\\Device\\HarddiskVolume3\\Users\\User\\Desktop\\magic\\hello\\b\\batch.bat"}
epochTime: 1587759046
timestampUTC: 2020-04-24T20:10:46Z
type: Encrypt
File was decrypted
Search by "POST_/v3/report" "Decrypt"
requestSignature: POST_/v3/report
// circle
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle
// absolute path of decrypted file
details: {"message":"\\Device\\HarddiskVolume3\\Users\\User\\Desktop\\magic\\hello\\b\\batch.bat"}
epochTime: 1587759046
timestampUTC: 2020-04-24T20:10:46Z
type: Decrypt
File was encrypted by MagicDerivative because its content is similar to that of a previously protected file
Search by "POST_/v3/report" "FileHasBeenDerivedFrom"
requestSignature: POST_/v3/report
// circle of file
circleId: {69c38d1c-0002-4ae9-8461-dbe5803ae990}
circleName: Important Circle
// contains info about derived file
details: {"fid":"{f0bf414b-85d7-11ea-81b1-4f2c83f83d5c}","parentFid":"{0db62836-859e-11ea-81b1-9f2b791231e1}","cid":"{6b21eb0f-8bbf-11e9-b312-6b9034e1afd5}","domain":"dev.securecircle.io","name":"E:\\Repo\\local_repo1\\add-patch.c","hash":"c95438be7f6b1b54cfbddc47c68d5ee9e194f947","similarity":87.88}
epochTime: 1587759046
timestampUTC: 2020-04-24T20:10:46Z
type: FileHasBeenDerivedFrom
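The backend and client events above are what a SIEM consumer actually has to parse: a flat list of key: value fields, a few of which (processInfo, details) carry a JSON document. The following is an added example, not SecureCircle's own code. It assumes the event arrives in the one-field-per-line layout shown on this page (a real syslog transport may lay it out differently) and that "//" lines are comments. The sample events, the allowlist of publishers and the unsigned process name are constructed for the example. It shows two defender-side uses of the fields: checking the cert block of the process that requested a file's keys in a POST_/v3/files/get event, and pulling the derived file name, parent fid and similarity out of a FileHasBeenDerivedFrom report.

```python
import json

# Constructed sample: a file-access event laid out as documented under POST_/v3/files/get.
FILE_GET_EVENT = r"""
requestSignature: POST_/v3/files/get
host: dev.securecircle.io:172.19.0.6
userEmail: john.doe@gmail.com
endpointName: John's Laptop
circleName: Important Circle
// info of file that was accessed
fileNameFromRequest: ImportantInfo.docx
processName: fhagent.exe
processInfo: {"name":"fhagent.exe","ver":"1.3.3.169","cert":{"status":"Trusted","publisher":"Secure Circle, LLC","signers":["Secure Circle, LLC","DigiCert EV Code Signing CA (SHA2)","DigiCert"]}}
"""

# Constructed sample: the same access made by an unsigned process (hypothetical name).
UNSIGNED_GET_EVENT = r"""
requestSignature: POST_/v3/files/get
userEmail: john.doe@gmail.com
fileNameFromRequest: ImportantInfo.docx
processName: unsigned_tool.exe
processInfo: {"name":"unsigned_tool.exe","ver":"0.1","cert":{"status":"Unsigned","publisher":"","signers":[]}}
"""

# Constructed sample: a MagicDerivative report laid out as documented under POST_/v3/report.
DERIVED_EVENT = r"""
requestSignature: POST_/v3/report
type: FileHasBeenDerivedFrom
circleName: Important Circle
details: {"fid":"{f0bf414b-85d7-11ea-81b1-4f2c83f83d5c}","parentFid":"{0db62836-859e-11ea-81b1-9f2b791231e1}","name":"E:\\Repo\\local_repo1\\add-patch.c","similarity":87.88}
timestampUTC: 2020-04-24T20:10:46Z
"""

# Fields whose value is a JSON document embedded in the event.
JSON_FIELDS = {"processInfo", "details"}

# Assumed allowlist of code-signing publishers expected to open protected files.
TRUSTED_PUBLISHERS = {"Secure Circle, LLC", "Microsoft Corporation"}


def parse_event(text):
    """Turn one key: value event into a dict, decoding JSON-valued fields.

    Lines beginning with '//' are comments and are skipped; the split is on the
    first ':' only, so values such as 'host' or timestamps keep their own colons.
    """
    event = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        event[key] = json.loads(value) if key in JSON_FIELDS else value
    return event


def check_file_access(event):
    """Return findings for a POST_/v3/files/get event; an empty list means nothing to flag.

    The cert block inside processInfo says whether the process that pulled the file
    keys was signed and by whom: anything not Trusted, or Trusted but signed by a
    publisher outside the allowlist, is reported.
    """
    findings = []
    if event.get("requestSignature") != "POST_/v3/files/get":
        return findings
    cert = event.get("processInfo", {}).get("cert", {})
    proc, name = event.get("processName"), event.get("fileNameFromRequest")
    if cert.get("status") != "Trusted":
        findings.append(f"{proc} accessed {name} with cert status {cert.get('status')!r}")
    elif cert.get("publisher") not in TRUSTED_PUBLISHERS:
        findings.append(f"{proc} accessed {name}, signed by unexpected publisher {cert.get('publisher')!r}")
    return findings


def derived_file_summary(event):
    """For a FileHasBeenDerivedFrom report return (derived file name, parent fid, similarity)."""
    if event.get("type") != "FileHasBeenDerivedFrom":
        return None
    d = event["details"]
    return d["name"], d["parentFid"].strip("{}"), d["similarity"]


if __name__ == "__main__":
    for sample in (FILE_GET_EVENT, UNSIGNED_GET_EVENT, DERIVED_EVENT):
        ev = parse_event(sample)
        print(ev["requestSignature"], check_file_access(ev), derived_file_summary(ev))
```

The braces around fid and parentFid are stripped so the ids compare equal to the unbraced form used by other events (endpointId, userItemId) on this page.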
SecureSend events
Every reported event in this section will contain the following fields:
Backend info
host: hostname + ip address of backend instance that reports; e.g. "dev.securecircle.io:172.19.0.6"
hostname: hostname of backend instance that reports; e.g. "dev.securecircle.io"
IP: ip address of backend instance that reports; e.g. "172.19.0.6"
User info
clientIP: ip address of the user
User sends a file via SecureSend
Search by "POST_/v3/shares/email/create"
requestSignature: POST_/v3/shares/email/create
// endpoint details
clientEndpointId: 64c2c0e2-5db5-11ea-b44b-ebd1a36ab01e
endpointName: John's Work Laptop
endpointType: WINDOWS
// endpoint owner details for AD endpoint
authType: SHARED_ENDPOINT
clientUserSid: S-1-5-21-2014836877-3571182175-74761877-1104
// OR
// endpoint owner details for Email endpoint
authType: MEMBER_ENDPOINT
userEmail: john.doe@gmail.com
userItemId: rm-a8aa8ae1-8661-11ea-8a93-edcbd1515e2e
userName: John Doe
// share details
actor: john.doe@gmail.com
participants: [{"itemId":"8bc9b4a5-867c-11ea-a52f-175d3cd8dc50","shareItemId":"8bc85514-867c-11ea-a52f-f32372f9e591","type":"RECIPIENT","email":"john.doe.jr@gmail.com"}]
shareItemId: 8bc85514-867c-11ea-a52f-f32372f9e591
shareName: Share of 'john.doe@gmail.com'
sharedFiles: [{"id":581,"itemId":"{8b3b575d-867c-11ea-a52f-0d8de03694f4}","name":"file-sample_1MB.docx","active":true,"ownerType":"AD","owner":"S-1-5-21-2014836877-3571182175-74761877-1104","originCircleItemId":"{acbc3dcf-0002-4207-8c96-e6b5197207cf}","created":1587768006,"modified":1587768006},{"id":582,"itemId":"{8b3b575e-867c-11ea-a52f-956ca0d48702}","name":"file-sample_10MB.docx","active":true,"ownerType":"AD","owner":"S-1-5-21-2014836877-3571182175-74761877-1104","originCircleItemId":"{00000000-0000-0000-0000-111111111111}","created":1587768006,"modified":1587768006}]
SecureSend file was accessed by recipient
Search by "GET_/access.html"
requestSignature: GET_/access.html
// who accessed the file
actorType: RECIPIENT
actorEmail: john.doe.jr@gmail.com
actorItemId: d9ebf4ea-8587-11ea-a52f-9f982b49c794
// which files were accessed
accessedFiles: {d99c4e51-8587-11ea-a52f-dffb82dfc27e},{d99c4e52-8587-11ea-a52f-d73948ef72ce}
// share details
shareItemId: d9e9aaf9-8587-11ea-a52f-1d1d219628fe
shareName: Share of 'john.doe@gmail.com'
shareActive: true
// confirmation id that was used to access these files
confirmationItemId: f77b18a6858711eab8d905a44d961dda
// converter that was used to transform this file into PDF
converterUrl: <https://qa.securecircle.io/converter>
// whether WOPI editing was allowed
wopiEnabled: true
wopiUrl: <https://internal.wopi.securecircle.com>
Share recipient requests a second-factor check (currently an email sent to the recipient's address) to access the decryption portal
Search by "POST_/requestConfirmation"
requestSignature: POST_/requestConfirmation
// Endpoint information is sent to server
// confirmationItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// actorEmail: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com
// actorItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// shareItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
// shareName: Share of 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com
Render confirmation page to access decryption portal
Search by "GET_/confirmation.html"
requestSignature: GET_/confirmation.html
// Endpoint information is sent to server
// recipientEmails: ["jXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.com"]
// shareItemId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Share recipient completed the second-factor check (clicked the link in the email)
Search by "GET_/confirmAccess"
requestSignature: GET_/confirmAccess
// Endpoint information is sent to server
Client & Server configuration synchronization events
The client will request updates from the server to get the last policy and permissions information.
Client requests timestamps for policies (e.g. firewall, derivative, cache TTL) as related to Circles
Search by "POST_/v3/circles/getLastModified"
requestSignature: POST_/v3/circles/getLastModified
// User and endpoint information is sent to server
Client provides the server with the name and information of a process that is unknown to the server
Search by "POST_/v3/processes/add"
requestSignature: POST_/v3/processes/add
// User, Circle and endpoint information is sent to server
// Client will send processInfo details for the new process
processInfo:
{"name":"outlook.exe",
"ver":"16.0.11929.20752",
"cert":
{"status":"Trusted",
"certHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"signHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"serial":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"desc":"Microsoft Outlook",
"prod":"Microsoft Outlook",
"inner":"Outlook",
"strong":"Outlook",
"original":"Outlook.exe",
"executable":"outlook.exe",
"publisher":"Microsoft Corporation",
"signers":["Microsoft Corporation",
"Microsoft Code Signing PCA 2010",
"Microsoft Root Certificate Authority 2010"]}}
Client requests Application (Process) list updates
Search by "POST_/v3/processes/getUpdate"
requestSignature: POST_/v3/processes/getUpdate
// User and endpoint information is sent to server
Client requests its status (ACTIVE/UNCONFIRMED/DISABLED) for all Circles
Search by "POST_/v3/endpoints/status"
requestSignature: POST_/v3/endpoints/status
// endpoint information is sent to server
Client requests updated Circle list
Search by "POST_/v3/circles/getUpdate"
requestSignature: POST_/v3/circles/getUpdate
// User and endpoint information is sent to server
Client requests list of files that were removed from Circles
Search by "POST_/v3/fileHashes/getUpdate"
requestSignature: POST_/v3/fileHashes/getUpdate
// User, Circle and endpoint information is sent to server
Client requests derivative configuration (threshold, file extensions, ...)
Search by "POST_/v3/derivativeConfig/get"
requestSignature: POST_/v3/derivativeConfig/get
// User, Circle and endpoint information is sent to server
Client requests updated firewall rules
Search by "POST_/v3/firewallRules/getUpdate"
requestSignature: POST_/v3/firewallRules/getUpdate
// User, Circle, and endpoint information is sent to server
// Client will send processInfo, processID, processName, and processOsType details
processInfo:
{"name":"python.exe",
"ver":"3.8.2150.1013",
"cert": {"status":"Trusted",
"certHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"signHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"serial":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"desc":"Python",
"prod":"Python",
"inner":"Python Console",
"strong":"Python Console",
"original":"python.exe",
"executable":"python.exe",
"publisher":"Python Software Foundation",
"signers":["Python Software Foundation",
"DigiCert SHA2 Assured ID Code Signing CA","DigiCert"]}}
Client requests additional spare envelope.
Search by "POST_/v3/envelopes/get"
requestSignature: POST_/v3/envelopes/get
// User, Circle, and endpoint information is sent to server
Client provides details to the server about a 'previously removed file added to Circle' event. After this event is reported, the file becomes available for MagicDerivative on other clients.
Search by "POST_/v3/fileHashes/remove"
requestSignature: POST_/v3/fileHashes/remove
// User, Circle, and endpoint information is sent to server
// fileHashValue: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Client provides the server with a new process name and info
Search by "POST_/v3/processes/addOne"
requestSignature: POST_/v3/processes/addOne
// User, Circle and endpoint information is sent to server
// Client will send processInfo details for the new process
processInfo:
{"name":"outlook.exe",
"ver":"16.0.11929.20752",
"cert":
{"status":"Trusted",
"certHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"signHash":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"serial":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"desc":"Microsoft Outlook",
"prod":"Microsoft Outlook",
"inner":"Outlook",
"strong":"Outlook",
"original":"Outlook.exe",
"executable":"outlook.exe",
"publisher":"Microsoft Corporation",
"signers":["Microsoft Corporation",
"Microsoft Code Signing PCA 2010",
"Microsoft Root Certificate Authority 2010"]}}
Client requests updated firewall rules
Search by "POST_/v3/firewallRulesConfiguration/getUpdate"
requestSignature: POST_/v3/firewallRulesConfiguration/getUpdate
// User, Circle, and endpoint information is sent to server
Client is registering the device
Search by "POST_/v3/endpoints/register"
requestSignature: POST_/v3/endpoints/register
// Endpoint information is sent to server
Client asks for the URL from which to download additional installation packages. This keeps the original installer file small, to avoid problems with MS Firewall, etc.
Search by "POST_/v3/install/getConfiguration"
requestSignature: POST_/v3/install/getConfiguration
// Endpoint information is sent to server
Example SecureSend Splunk Search & Reports
A simple SecureSend report that will show sender, recipient(s) and the file(s) sent.
requestSignature="POST_/v3/shares/email/create" | rename actor as Sender, participants as Recipients, sharedFiles as Files | table Sender, Recipients, Files
The table will display the Sender, Recipient(s), and File(s). The results can be further parsed as needed.
A simple SecureSend report to show recipient actions.
requestSignature="GET_/access.html" | where isnull(error) | table actorEmail, shareItemId, shareName
This table will show the action taken by the recipient (actorEmail) and which shareItemId and shareName were accessed. The columns can be renamed using the previous example as a guide. A further drill-down into the shareItemId can provide the sender, other recipients, and files.
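The two Splunk searches above, and the drill-down by shareItemId they suggest, expressed in plain Python so the logic can be checked without a Splunk instance. This is an added example, not SecureCircle's or Splunk's code; it serves both the SecureSend events section (POST_/v3/shares/email/create and GET_/access.html) and the two reports. It assumes events have already been field-extracted into dicts (what Splunk sees after parsing), with participants and sharedFiles still carried as JSON text as shown on this page. The sample events, the second recipient jane.doe@gmail.com, the non-recipient address and the error value are constructed. It goes one step beyond the page by also listing which recipients have not yet accessed the share.

```python
import json

SHARE_ID = "8bc85514-867c-11ea-a52f-f32372f9e591"  # shareItemId taken from the page's sample

# Constructed sample events: one share creation and two recipient accesses, one of which
# carries an error field (the page's search drops those with `where isnull(error)`).
EVENTS = [
    {
        "requestSignature": "POST_/v3/shares/email/create",
        "actor": "john.doe@gmail.com",
        "shareItemId": SHARE_ID,
        "shareName": "Share of 'john.doe@gmail.com'",
        "participants": json.dumps([
            {"type": "RECIPIENT", "email": "john.doe.jr@gmail.com"},
            {"type": "RECIPIENT", "email": "jane.doe@gmail.com"},
        ]),
        "sharedFiles": json.dumps([
            {"name": "file-sample_1MB.docx", "active": True},
            {"name": "file-sample_10MB.docx", "active": True},
        ]),
    },
    {
        "requestSignature": "GET_/access.html",
        "actorType": "RECIPIENT",
        "actorEmail": "john.doe.jr@gmail.com",
        "shareItemId": SHARE_ID,
        "shareName": "Share of 'john.doe@gmail.com'",
        "shareActive": "true",
    },
    {
        "requestSignature": "GET_/access.html",
        "actorType": "RECIPIENT",
        "actorEmail": "someone.else@example.com",
        "shareItemId": SHARE_ID,
        "shareName": "Share of 'john.doe@gmail.com'",
        "error": "access denied",  # hypothetical error value
    },
]


def share_report(events):
    """requestSignature="POST_/v3/shares/email/create" | rename ... | table Sender, Recipients, Files

    shareItemId is kept in each row so the drill-down can join on it.
    """
    rows = []
    for e in events:
        if e.get("requestSignature") != "POST_/v3/shares/email/create":
            continue
        recipients = [p["email"] for p in json.loads(e["participants"]) if p.get("type") == "RECIPIENT"]
        files = [f["name"] for f in json.loads(e["sharedFiles"])]
        rows.append({"Sender": e["actor"], "Recipients": recipients, "Files": files,
                     "shareItemId": e["shareItemId"]})
    return rows


def access_report(events):
    """requestSignature="GET_/access.html" | where isnull(error) | table actorEmail, shareItemId, shareName"""
    return [{"actorEmail": e.get("actorEmail"), "shareItemId": e.get("shareItemId"),
             "shareName": e.get("shareName")}
            for e in events
            if e.get("requestSignature") == "GET_/access.html" and e.get("error") is None]


def drill_down(events, share_item_id):
    """For one shareItemId: sender, recipients, files, who accessed it and who has not yet."""
    shares = [r for r in share_report(events) if r["shareItemId"] == share_item_id]
    if not shares:
        return None
    share = shares[0]
    accessed_by = [a["actorEmail"] for a in access_report(events) if a["shareItemId"] == share_item_id]
    return {"Sender": share["Sender"], "Recipients": share["Recipients"], "Files": share["Files"],
            "AccessedBy": accessed_by,
            "NotYetAccessed": [r for r in share["Recipients"] if r not in accessed_by]}


if __name__ == "__main__":
    print(share_report(EVENTS))
    print(access_report(EVENTS))
    print(drill_down(EVENTS, SHARE_ID))
```

The errored access is excluded from access_report exactly as `where isnull(error)` excludes it in Splunk, so it does not count as an access in the drill-down either.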