I am currently streaming logs onto a syslog server and would like to come up with a series of programmed alerts to identify potential security risks. But it's not always clear how to use the log fields to come up with these alerts. Has anyone done this exercise before and can provide some more info on which fields can be used in which ways to identify potential security risks?
*For example*, the authz-audit.csv log records information about the authorization of already authenticated users within the system. I could check the Decision field to see if someone was DENIED access to a certain uri (Action Target and Action Name fields), but (a) it's hard to understand some of the info within the fields and (b) it's unclear how to distinguish a legitimate denial from a potential security threat. Any ideas would be much appreciated.
FWIW, I'm currently grabbing the Streaming logs and have already looked through the Logging Documentation.
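One way to turn the Decision / Action Target check described above into a concrete alert rule, as an added example that is not from this thread or from Appian: rather than alerting on every DENIED row, it flags a user who is denied on several distinct targets within a short window, which separates a single mis-click from probing. The Decision, Action Target and Action Name columns are the ones named in the post; the Timestamp and User column names and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of an authz-audit.csv. Decision, Action Target and
# Action Name come from the post; Timestamp and User are assumed column names.
SAMPLE_LOG = """Timestamp,User,Decision,Action Target,Action Name
2024-05-01T10:00:01,alice,DENIED,/suite/reports/finance,VIEW
2024-05-01T10:00:05,alice,DENIED,/suite/reports/hr,VIEW
2024-05-01T10:00:09,alice,DENIED,/suite/admin/users,VIEW
2024-05-01T10:00:12,alice,DENIED,/suite/admin/groups,VIEW
2024-05-01T10:30:00,bob,DENIED,/suite/reports/finance,VIEW
2024-05-01T11:15:00,bob,DENIED,/suite/reports/finance,VIEW
"""


def find_denial_bursts(csv_text, window=timedelta(minutes=5), min_distinct_targets=3):
    """Return (user, window_start, targets) for each user denied access to at least
    min_distinct_targets different Action Targets inside one sliding window.

    Repeated denials of the same target (bob) usually mean a user keeps opening a
    link they lack rights to; denials spread across many targets in seconds (alice)
    are the pattern an analyst would want to review."""
    denials = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Decision"].strip().upper() != "DENIED":
            continue
        ts = datetime.fromisoformat(row["Timestamp"])
        denials[row["User"]].append((ts, row["Action Target"]))

    alerts = []
    for user, events in denials.items():
        events.sort()  # chronological, so each event can start a window
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= min_distinct_targets:
                alerts.append((user, start, sorted(targets)))
                break  # one alert per user per run; tune to taste
    return alerts


if __name__ == "__main__":
    for user, start, targets in find_denial_bursts(SAMPLE_LOG):
        print(f"ALERT {user}: {len(targets)} distinct targets denied from {start}: {targets}")
```

The window and threshold are the knobs to tune against a baseline of normal denials before wiring this into the syslog pipeline.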
alexs8437 said:
> identify potential security risks
Yeah, this is difficult. I suggest to contact Appian to discuss this matter in detail.
Do you have any specific contacts you'd suggest? I opened a support ticket, and they basically said they couldn't do anything beyond referring me to the public documentation. In fact, they suggested I check this forum and open a thread.
The problem here is like you wrote in your second paragraph:
"it's unclear how to distinguish a legitimate denial from a potential security threat"
You will have to first, specify what you are looking for, and then find data supporting it. And yes, log files are mostly not easy to understand, and you will have to spend some time on decoding the data, what it means, and for what purpose you can use it.
As I never tried something like this, I hope others have better ideas.