Onboarding PAM Tool Senhasegura to Wazuh

On April 13, 2022


What is PAM?

Privileged Access Management (PAM) solutions (password safes) work alongside identity and access management (IAM) software, which authenticates ordinary user identities; the PAM solution lets organizations store their privileged credentials in a centralized, secure vault. PAM also limits who can access, and therefore who can use, privileged credentials based on access policies (such as user rights and time windows), and it typically monitors or records user activity while the credentials are in use. When a user checks out a credential, other users are prevented from starting a concurrent session, so only one person has access to the privileged account at any given moment.

Senhasegura SaaS is the first Brazilian PAM solution to include a cloud-native password vault for managing, rotating, auditing, and monitoring privileged accounts. Senhasegura is simple to set up and operate, and it automatically rotates the credentials that administrators use to access vital systems across the enterprise, ensuring that improper access does not harm your organization.

With Wazuh, we can keep track of Senhasegura’s logs in one place, with a variety of visualizations and dashboards for effective monitoring and easier correlation. We can analyze the logs with custom rules, catch anomalies as they happen and act on them quickly. Custom decoders and rules are needed so that Wazuh can parse the logs and generate alerts on any anomalies.

Wazuh Configuration for Senhasegura

Senhasegura’s logs are fetched via the syslog facility. The IP address of the Senhasegura server must be listed in the Wazuh configuration so that Wazuh accepts its syslog messages.

Open the Wazuh Agent’s configuration:

vi /var/ossec/etc/ossec.conf 

Add the following block:

<ossec_config> 
  <remote>
    <connection>syslog</connection> 
    <port>9514</port> 
    <protocol>tcp</protocol> 
    <allowed-ips>10.0.55.125</allowed-ips> 
  </remote> 
</ossec_config> 

After changing the configuration, restart the wazuh-agent service. For systemd:

systemctl restart wazuh-agent 

For SysV Init:

service wazuh-agent restart 

Adding Decoders and Rules in Wazuh

We’ll use the decoders and rules below in the local_decoder.xml and local_rules.xml files so that Wazuh understands Senhasegura’s logs and triggers alerts on any anomalies. Use the WUI or add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file.


<decoder name="senhasegura-decoder">
  <program_name>CEF</program_name>
</decoder>

<decoder name="senhasegura">
  <prematch>^INFOPERCEPT\s</prematch>
</decoder>

<decoder name="senhasegura-decoder">
  <parent>senhasegura</parent>
  <prematch offset="after_parent">CEF:0\|MT4\|senhasegura</prematch>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>\|senhasegura\|(\.+)\sdvc=</regex>
  <order>senhaseguraCEF</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>dvc=(\.+)\sspid=</regex>
  <order>dvc</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>spid=(\.+)\ssrc=</regex>
  <order>spid</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>src=(\.+)\s</regex>
  <order>src</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>suid=(\.+)\s</regex>
  <order>suid</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>sname=(\.+)\s</regex>
  <order>sname</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>suser=(\.+)\s</regex>
  <order>suser</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>spriv=(\.+)\s</regex>
  <order>spriv</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>msg=(\.+)\srequestMethod=</regex>
  <order>msg</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>requestMethod=(\.+)\sact=</regex>
  <order>requestMethod</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>act=(\.+)\sdst=</regex>
  <order>act</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>act=(\.+)\scs1Label=</regex>
  <order>act</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>cs1Label=(\.+)\scs1=</regex>
  <order>cs1Label</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>cs1=(\.+)</regex>
  <order>cs1</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>dst=(\.+)\sdpt</regex>
  <order>dst</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>dpt=(\.+)\sproto</regex>
  <order>dpt</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>proto=(\.+)\sduser</regex>
  <order>proto</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>duser=(\.+)\ssourceServiceName=</regex>
  <order>duser</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>sourceServiceName=(\.+)\scs1Label=</regex>
  <order>sourceServiceName</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>cs1=(\.+)\sdhost=</regex>
  <order>cs1</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder</parent>
  <regex>dhost=(\.+)</regex>
  <order>dhost</order>
</decoder>

<decoder name="senhasegura-decoder1">
  <prematch>CEF:0\|MT4\|senhasegura</prematch>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>\|senhasegura\|(\.*)\sdvc=</regex>
  <order>senhaseguraCEF</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>dvc=(\.+)\s</regex>
  <order>dvc</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>spid=(\.+)\s</regex>
  <order>spid</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>src=(\w+)</regex>
  <order>src</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>suid=(\.+)\s</regex>
  <order>suid</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>sname=(\w+)</regex>
  <order>sname</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>suser=(\w+)</regex>
  <order>suser</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>spriv=(\.+)\s</regex>
  <order>spriv</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>msg=(\.+)\sact=</regex>
  <order>msg</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>act=(\w+)\sdproc=</regex>
  <order>act</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>dproc=(\.+)\s</regex>
  <order>dproc</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>cs1Label=(\.+)\s</regex>
  <order>cs1Label</order>
</decoder>

<decoder name="senhasegura_child">
  <parent>senhasegura-decoder1</parent>
  <regex>cs1=(\.+)\s|cs1=(\.+)$</regex>
  <order>cs1</order>
</decoder>

Then add the following rules to the /var/ossec/etc/rules/local_rules.xml file, or use the WUI:

<group name="senhasegura,">
  <!-- senhasegura rules -->
  <rule id="100002" level="3">
    <decoded_as>senhasegura-decoder</decoded_as>
    <field name="act">Authentication successfully</field>
    <description>Senhasegura: $(suser) authenticated successfully from source IP $(src)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100003" level="3">
    <decoded_as>senhasegura-decoder</decoded_as>
    <field name="act">User logout</field>
    <description>Senhasegura: $(suser) logged out from source IP $(src)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100004" level="3">
    <decoded_as>senhasegura-decoder</decoded_as>
    <field name="act">Session started</field>
    <description>Senhasegura: $(msg)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100005" level="3">
    <decoded_as>senhasegura-decoder</decoded_as>
    <field name="act">Token exclusion</field>
    <description>Senhasegura: $(suser) $(act)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100006" level="3">
    <decoded_as>senhasegura-decoder</decoded_as>
    <field name="act">Token registration</field>
    <description>Senhasegura: $(suser) $(act)</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100007" level="3">
    <decoded_as>senhasegura-decoder</decoded_as>
    <field name="act">User authentication token validation</field>
    <description>Senhasegura: $(suser) $(act)</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="100008" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Password Viewed</field> 
    <description>$(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="100009" level="5"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Client is not responding.</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="100010" level="5"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Session terminated</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="110011" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Authentication error</field> 
    <description>Senhasegura Authentication error: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="110012" level="9"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Credential change</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="110013" level="9"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Password changed</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111014" level="5"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">New credential</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111015" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Device disabling</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111016" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Device changing</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111017" level="3"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Device creation</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111018" level="3"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Connection to guacd is closed.</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111019" level="3"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Connection to guacd timed out.</field> 
    <description>Senhasegura: $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111020" level="3"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Session expired</field> 
    <description>Senhasegura Session Expired for $(suser) user</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111021" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Parameter change</field> 
    <description>Senhasegura $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111022" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Update Domum parameters</field> 
    <description>Senhasegura $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111023" level="5"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Copy of equipment</field> 
    <description>Senhasegura $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111024" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Bloqueio_Remove</field> 
    <description>Senhasegura Configuration request created</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111025" level="5"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Error handling server messages</field> 
    <description>Senhasegura $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
   
  <rule id="111026" level="7"> 
    <decoded_as>senhasegura-decoder</decoded_as> 
    <field name="act">Access group change</field> 
    <description>Senhasegura $(msg)</description> 
    <options>no_full_log</options> 
  </rule> 
     
</group> 

After changing the configuration, restart the wazuh-manager service.

For systemd:

systemctl restart wazuh-manager

For SysV init:

service wazuh-manager restart

You can feed raw log lines to wazuh-logtest to confirm that the decoders and rules work as expected:

/var/ossec/bin/wazuh-logtest
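To see which fields the decoders above extract and which rule would fire before loading them into wazuh-logtest, here is an added Python approximation of that decoding (not part of the original article, and not Senhasegura's or Wazuh's own code). The sample log line, the header values and the act-to-rule table are constructed for this example from the page's decoders and rules, and Python's re module stands in for Wazuh's OS_Regex syntax (where \. means any character).

```python
import re

# Constructed sample line in the shape the page's decoders expect:
# "INFOPERCEPT CEF:0|MT4|senhasegura|<header fields>| key=value ...". Not a real capture.
SAMPLE = ("INFOPERCEPT CEF:0|MT4|senhasegura|3.0|1001|Password Viewed|7| "
          "dvc=10.0.55.125 spid=4711 src=192.0.2.10 suid=42 sname=Jane Doe "
          "suser=jdoe spriv=admin msg=Password viewed for credential root@db01 "
          "act=Password Viewed dst=10.0.0.5 dpt=22 proto=ssh duser=root "
          "sourceServiceName=pam cs1Label=Credential cs1=root dhost=db01")

# Mirrors the page's parent decoders: prematch "^INFOPERCEPT\s" then "CEF:0\|MT4\|senhasegura",
# and capture everything between "|senhasegura|" and " dvc=" as senhaseguraCEF.
HEADER = re.compile(r"^INFOPERCEPT\sCEF:0\|MT4\|senhasegura\|(.+?)\sdvc=")
# Extension keys that the page's child decoders extract.
KEYS = {"dvc", "spid", "src", "suid", "sname", "suser", "spriv", "msg", "act", "dst",
        "dpt", "proto", "duser", "sourceServiceName", "cs1Label", "cs1", "dhost"}
# A value runs until the next " key=" or end of line, like the page's "key=(\.+)\snext=".
PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# act value -> (rule id, level), a subset copied from the page's local_rules.xml.
RULES = {
    "Authentication successfully": (100002, 3),
    "User logout": (100003, 3),
    "Password Viewed": (100008, 7),
    "Authentication error": (110011, 7),
    "Credential change": (110012, 9),
    "Password changed": (110013, 9),
}


def decode_cef(line):
    """Return the fields the page's decoders would produce, or None if no match."""
    m = HEADER.match(line)
    if m is None:
        return None
    fields = {"senhaseguraCEF": m.group(1)}
    extension = line[m.end() - len("dvc="):]  # start at the first key=value pair
    for key, value in PAIR.findall(extension):
        if key in KEYS:
            fields[key] = value
    return fields


def match_rule(line):
    """Return (rule id, level) of the page's rule that would fire, or None."""
    fields = decode_cef(line)
    if fields is None:
        return None
    return RULES.get(fields.get("act"))
```

Values containing a space followed by a word and "=" would be split early, which is the same limitation the page's greedy key-to-next-key regexes have.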

Once the configuration is done, Wazuh collects the logs and the alerts appear. Log in to your Invinsense portal and open Wazuh.

Check for the events:

You can create custom Dashboards according to your needs.

Conclusion

We’ve integrated Senhasegura events with Wazuh in this article. Wazuh can analyze Senhasegura events to keep track of access events in your environment and detect suspicious behavior, and the incoming data can be monitored through numerous visualizations and dashboards.

