
IBM Security Trusteer


The JSA DSM for IBM Security Trusteer collects events from your IBM Security Trusteer device.

To integrate IBM Security Trusteer with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA Console:

    • Protocol Common RPM

    • IBM Security Trusteer DSM RPM

    • HTTP Receiver Protocol RPM

  2. Contact your IBM Security Trusteer deployment manager to configure IBM Security Trusteer to forward events to JSA.

  3. If JSA does not automatically detect the log source, add a log source on the JSA Console.

IBM Security Trusteer DSM Specifications

When you configure the IBM Security Trusteer DSM, understanding the specifications for the IBM Security Trusteer DSM can help ensure a successful integration. For example, knowing what the supported version of IBM Security Trusteer is before you begin can help reduce frustration during the configuration process.

The following table describes the specifications for the IBM Security Trusteer DSM:

Table 1: IBM Security Trusteer DSM Specifications

Specification

Value

Manufacturer

IBM

DSM

IBM Security Trusteer

RPM file name

DSM-IBMSecurityTrusteer-JSA_version_build_number.noarch.rpm

Supported version

N/A

Protocol

HTTP Receiver

Event format

JSON

Recorded event types

Trusteer alerts

Automatically discovered

Yes

Includes identity

No

Includes custom properties?

No

For more information

IBM website

HTTP Receiver Log Source Parameters for IBM Security Trusteer

If JSA does not automatically detect the log source, add an IBM Security Trusteer log source on the JSA Console by using the HTTP Receiver protocol.

When you use the HTTP Receiver protocol, some parameters must be set to specific values.

The following table describes the parameters that require specific values to collect HTTP Receiver events from IBM Security Trusteer:

Table 2: HTTP Receiver log source parameters for the IBM Security Trusteer DSM

Parameter

Value

Log Source type

IBM Security Trusteer

Protocol Configuration

HTTP Receiver

Log Source Identifier

The IP address, hostname, or any name to identify the device.

The name must be unique for the log source type.

Listen Port

The port that is used by JSA to accept incoming HTTP Receiver events. The port must match the port that is configured on your IBM Security Trusteer device. The default port is 12469.

Note: Do not use port 514. Port 514 is used by the standard Syslog listener.

Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

IBM Security Trusteer sample messages when you use the HTTP Receiver protocol

Sample 1

The following sample event message shows that the same device made multiple suspicious access attempts. It also shows that the event was generated from the user IP address 10.0.0.2 (the last_user_ip field).

{"feed_name":"account_takeover","version":"9","datetime":"2020-06-10 07:32:29","event_id":"e783d0dc7ae","last_user_ip":"10.0.0.2","last_user_ipv6":null,"app_name":"trusteerqa_business","detected_at":"http://host.domain2.test","activity":"policy58","translated_recommendation":null,"recommendation_reason_text":"Suspicious multiple accesses pattern from the same device","recommendation_reason_id":58,"risk_score":950,"resolution_id":"qnuwkfqcdajojinseudfxbhftlimptpu","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_reason_id":null,"policy_manager_risk_score":null,"persistent_device_id":"N/A","new_device_indication_zero_one":0,"country":null,"region":null,"city":null,"isp":null,"organization":null,"useragent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/72.0.3626.121 Safari/537.36","referrer":"","x_forwarded_for":"10.0.0.2","screen_resolution":null,"screen_dpi":24,"screen_touch":0,"client_time_zone":0,"rapport_machine_id":"","client_language":"en-US","platform":"Linux x86_64","cpu":"Linux x86_64","os":"Linux","accept_encoding":"gzip, deflate","mimes":0,"navigator_props":4231119849,"browser_version":"72.0.3626","client_charset":"UTF-8","browser":"Chrome","accept_charset":"","accept_language":"","network_data":"10.0.0.2","plugins":0,"malware_logical_name":"","infection_severity":"high","malware_signature":null,"formatted_is_targeted":"Maybe","encrypted_user_id":"","encryption_key_id":"trusteerqa.1.20110112-102448","app_id":"multi_login_tma","customer_session_id":"2s3as2jek91t98mb3mggkrt881","persistent_user_id":"aaaabbbbcccc0006"}

Table 3: Highlighted Fields

JSA field name

Highlighted payload field name

Event ID

recommendation_reason_id

Event Name

recommendation_reason_text

Source IP

last_user_ip

Device Time

datetime

Sample 2 (with IPv6)

The following sample event message shows that unusual activity from a suspicious device that uses the Tor browser was detected. In this event the last_user_ip field is null and the client address is the IPv6 address 2001:DB8:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF in last_user_ipv6; the x_forwarded_for and network_data fields carry 10.10.0.2.

{"feed_name":"account_takeover","version":"9","datetime":"2018-08-07 12:11:31","event_id":"ecdc7245542","last_user_ip":null,"last_user_ipv6":"2001:DB8:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF","app_name":"tma2","detected_at":"https://host.domain.test","activity":"login","translated_recommendation":"Alert","recommendation_reason_text":"Unusual activity from a suspicious device using the Tor browser","recommendation_reason_id":71,"risk_score":114,"resolution_id":"zguiblxuursugnjtulwawxhcmwixsfbs","policy_manager_recommendation":null,"policy_manager_reason":null,"policy_manager_reason_id":null,"policy_manager_risk_score":null,"persistent_device_id":"N/A","new_device_indication_zero_one":0,"country":"US","region":"99","city":null,"isp":"This is some ISP text","organization":"Test Organization","useragent":"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko","referrer":"/test/test/TAF","x_forwarded_for":"10.10.0.2","screen_resolution":null,"screen_dpi":8,"screen_touch":5,"client_time_zone":0,"rapport_machine_id":"-","client_language":"tr-TR","platform":"Linux x86_64","cpu":"Linux x86_64","os":"Windows 7","accept_encoding":"gzip, deflate, br","mimes":0,"navigator_props":4168486725,"browser_version":"11.0","client_charset":"UTF-8","browser":"IE","accept_charset":"","accept_language":"tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3","network_data":"10.10.0.2","plugins":3,"malware_logical_name":"","infection_severity":"high","malware_signature":null,"formatted_is_targeted":"Maybe","encrypted_user_id":"14D007Bc5cABF5dB23a24CB6CEF7a903f677a43Fbf27EaC34d0bE3242477337f8CF38A65c357b34480AFaBaaC8aBc60d6F8c3B05fdcbB1eDBaaF5fCd5eb8b704Eeac1F05a0a9067cEb9bc0AedA7aa9aF0016D1cA6C2AD3cEF6D22fb6B9E976ffbCcD60652Ca4Fc2EA0A8559AD4bc0c4FfE7c3537Bc3fdacaC9a322c4fC96d5cb05320E7FBAeac5E2a89aD5DAbcBF4575e205bc5a0DF35e06c2026C3df1D8728bAf1aD3120DC0","encryption_key_id":"","app_id":"tma2","customer_session_id":"ADf9FbFe9C01FDc5251FdFeEDCe16Cfa","persistent_user_id":"aaaabbbbcccc0002"}

Table 4: Highlighted Fields

JSA field name

Highlighted payload field name

Event ID

recommendation_reason_id

Event Name

recommendation_reason_text

Source IP

last_user_ip

Device Time

datetime
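The two samples above and the Table 3 and Table 4 field mappings can be exercised offline with the following script. It is an added example written for this page, not JSA or IBM code, and it does not reproduce the DSM's parser; it shows how the four highlighted fields are pulled out of a Trusteer JSON event and what has to be decided for the IPv6 case. The sample payloads are constructed here, condensed from the two sample messages on the page. Two choices in the code are assumptions, not documented DSM behaviour: falling back to last_user_ipv6 when last_user_ip is null, and treating the zone-less datetime value as UTC. The x_forwarded_for value is kept as a separate field rather than used as Source IP, because it is a client-controlled header.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample payloads, condensed from Sample 1 and Sample 2 on this
# page (only the fields this example needs are kept).
SAMPLE_IPV4 = json.dumps({
    "feed_name": "account_takeover",
    "datetime": "2020-06-10 07:32:29",
    "event_id": "e783d0dc7ae",
    "last_user_ip": "10.0.0.2",
    "last_user_ipv6": None,
    "recommendation_reason_text": "Suspicious multiple accesses pattern from the same device",
    "recommendation_reason_id": 58,
    "risk_score": 950,
    "x_forwarded_for": "10.0.0.2",
})
SAMPLE_IPV6 = json.dumps({
    "feed_name": "account_takeover",
    "datetime": "2018-08-07 12:11:31",
    "event_id": "ecdc7245542",
    "last_user_ip": None,
    "last_user_ipv6": "2001:DB8:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF",
    "recommendation_reason_text": "Unusual activity from a suspicious device using the Tor browser",
    "recommendation_reason_id": 71,
    "risk_score": 114,
    "x_forwarded_for": "10.10.0.2",
})


def parse_source_ip(event):
    """Return a validated, normalized source address, or None.

    Table 3/4 map Source IP to last_user_ip. Falling back to last_user_ipv6
    when last_user_ip is null is an ASSUMPTION of this example, not documented
    DSM behaviour. x_forwarded_for is deliberately not consulted: it is a
    client-supplied header and must not be trusted as the source address.
    """
    for key in ("last_user_ip", "last_user_ipv6"):
        raw = event.get(key)
        if not isinstance(raw, str) or not raw.strip():
            continue
        try:
            # ip_address() rejects junk and canonicalizes (IPv6 is lower-cased
            # and compressed), so two spellings of one address compare equal.
            return str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            # Malformed value: try the next field rather than drop the event.
            continue
    return None


def normalize_event(raw_json):
    """Parse one Trusteer JSON event and return the JSA-highlighted fields.

    Line feeds inside the body (see the note on pasting sample messages) are
    harmless to json.loads, so no pre-cleaning is needed.
    """
    event = json.loads(raw_json)
    # datetime carries no zone; interpreting it as UTC is an ASSUMPTION here.
    device_time = datetime.strptime(
        event["datetime"], "%Y-%m-%d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return {
        "event_id": int(event["recommendation_reason_id"]),      # Event ID
        "event_name": event["recommendation_reason_text"],        # Event Name
        "source_ip": parse_source_ip(event),                      # Source IP
        "device_time": device_time.isoformat(),                   # Device Time
        "risk_score": event.get("risk_score"),
        "x_forwarded_for": event.get("x_forwarded_for"),  # kept, not trusted
    }


if __name__ == "__main__":
    for sample in (SAMPLE_IPV4, SAMPLE_IPV6):
        print(json.dumps(normalize_event(sample), indent=2))
```

Running the script shows that the IPv6 sample yields a Source IP only because of the fallback to last_user_ipv6; if JSA maps Source IP strictly to last_user_ip as Table 4 states, that event will have no source address, which is worth checking in the Log Activity tab after the log source is created.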