
Monitoring Apprenda Security and Configuration Changes with SIEM Systems

By Jonathan Choy, 1.3.18

The Apprenda Cloud Platform offers IT operators many choices for monitoring the security and configuration events that occur in the platform. We audit events from user interactions with subscribers, developer and operator actions, and other system events using a flexible event-handling extension model. Our auditing pipeline has been enhanced with the ability to transform event details into messages and forward them to off-platform monitoring systems, enabling integration with a wide variety of Security Incident and Event Monitoring (SIEM) solutions.

Today, we will talk about a transformation extension that supports the Syslog message protocol, including the ArcSight Common Event Format extension of RFC 5424. Integrating with Syslog-capable systems lets IT operators correlate Apprenda events with those of other systems, including hardware and operating system monitoring, and pool all events together for advanced analytics and intelligence monitoring.

Publishing events in the Syslog standard (both RFC levels of Syslog are supported) or in the ArcSight Common Event Format (CEF) allows a variety of systems to receive the event streams emitted by the Apprenda Cloud Platform. These include Micro Focus (formerly HPE) ArcSight and RSA NetWitness, as well as common log aggregation systems such as Splunk or Elasticsearch.
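To make the two formats concrete, here is an added example (my own illustration, not code from the Apprenda extension) that renders one constructed audit event from the "Authentication failures" category as a CEF:0 line, wraps it in an RFC 5424 syslog header, and parses the CEF header back out while honouring the escaping rules for `|`, `\` and `=`. The event field names, the version string, the hostname, the syslog facility and the CEF-to-syslog severity thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of an Apprenda-style audit event; field names and values are
# illustrative only and are not real platform output.
SAMPLE_EVENT = {
    "category": "Authentication failures",
    "name": "Login failed | bad password",          # '|' must be escaped in the CEF header
    "severity": 7,                                  # CEF severity: 0 (lowest) .. 10 (highest)
    "timestamp": datetime(2018, 1, 3, 14, 22, 5, tzinfo=timezone.utc),
    "user": "ops-admin",
    "source_ip": "10.0.0.12",
    "message": "Bad password for tenant=acme",      # '=' must be escaped in the extension
}

def cef_header_escape(value):
    """Backslash and pipe are the reserved characters in CEF header fields."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext_escape(value):
    """Backslash and '=' are reserved in extension values; line breaks become \\r / \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(event, vendor="Apprenda", product="Cloud Platform", version="0.0-example"):
    """Render one event as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    The version string is a placeholder, not a real platform version."""
    header = (vendor, product, version, event["category"], event["name"], event["severity"])
    ext = {"suser": event["user"], "src": event["source_ip"], "msg": event["message"]}
    return ("CEF:0|" + "|".join(cef_header_escape(h) for h in header) + "|"
            + " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext.items()))

def syslog_severity(cef_severity):
    """Map CEF 0..10 onto RFC 5424 severity (0 = most severe); thresholds are an assumption."""
    s = int(cef_severity)
    return 1 if s >= 9 else 2 if s >= 7 else 4 if s >= 4 else 6

def to_syslog(event, hostname="apprenda-node-1", app="apprenda-audit", facility=4):
    """RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG (facility 4 = auth)."""
    pri = facility * 8 + syslog_severity(event["severity"])
    ts = event["timestamp"].isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {to_cef(event)}"

CEF_FIELD = re.compile(r"(?:[^|\\]|\\.)*")   # one header field, treating \x as a literal

def parse_cef_header(line):
    """Split the CEF header of a syslog line into its 7 fields (unescaped) plus the extension."""
    body = line[line.index("CEF:"):]
    fields, pos = [], 0
    while len(fields) < 7:
        m = CEF_FIELD.match(body, pos)
        fields.append(re.sub(r"\\(.)", r"\1", m.group(0)))
        pos = m.end() + 1                     # skip the unescaped '|' delimiter
    return fields, body[pos:]
```

A SIEM collector that splits the header on every `|` without honouring `\|` would mis-parse the event name above, which is why the escaping on the producer side and the escape-aware split on the consumer side belong together.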

Types of Monitoring Events

Some of the more important Apprenda event categories which are supported in this extension include the following:

  1. Custom Property Model configuration
  2. Deployment Policy configuration
  3. Operator Add-On configuration
  4. External User Store plugin configuration
  5. Kubernetes cluster configuration
  6. Database partition configuration
  7. External Authentication configuration
  8. Cluster Node configuration
  9. Tenant configuration
  10. Bootstrap Policy configuration
  11. Operator Role configuration
  12. Operator Workload Management actions
  13. Workload execution configuration
  14. Log configuration and retention actions
  15. Authentication failures
  16. Password actions
  17. Application Authorization failures
  18. User group role and tenant membership configuration

You can get started with this integration by getting the latest source code or release package from GitHub. The Platform Operator's installation and configuration walkthrough for this integration is available from the project's documentation page. You are encouraged to submit pull requests and enhance or customize the extension to add specific information relevant to your SIEM taxonomy needs.

Some samples of Apprenda auditing events and their corresponding Arcsight Logger data points:


Jonathan Choy is an Integrations Engineer at Apprenda.
