Syslog

Introduction

The DB CyberTech platform uses syslog to report security events to a central Security Information and Event Management (SIEM) system and to report general system health. Syslog output is encoded in the Common Event Format (CEF), which allows straightforward integration with common SIEM and log-analysis tools. DB CyberTech can provide sample integrations with popular tools.

This manual describes the DBC platform syslog messages.

Organization of the Manual

This manual contains the following chapters:

  • Message Overview

This chapter describes the format of the DBC platform syslog messages, along with the signature ID and name values.

  • Platform Syslog Messages

This chapter describes the DBC platform syslog messages and provides message examples.

Changes in This Revision

  • Updated example messages

Message Overview

This chapter describes the format of the messages that the DBC platform generates to syslog. It also describes the signature ID and name values.

Syslog Message Format

Syslog messages forwarded from the DBC platform are formatted to meet the CEF specification.

Syslog Message Format

CEF Header Field      Platform Data
Version               0
Device Vendor         DB Networks
Device Product        DBN
Device Version        Current system version
Signature ID          Numeric ID, see below for detailed information
Name                  String name associated with Signature ID
Severity              Value from 0 to 7, system specified
cs1Label              System identifier
cs1                   System serial number (found in admin > About in the web management interface)
system_identifier     System serial number (found in admin > About in the web management interface)
rt                    Current timestamp in milliseconds since epoch
Event specific data   Varies by event

Signature ID and Name Values

Syslog Message Signatures

Signature ID   Name                  Description
0              distinct_event        New system events
1              repeat_event          A count, with detail, of repeated events
3              engine_start          A system has powered up or restarted
4              archive               Indicates status of overnight system archive tool
6              mds_new_user          A new user identified by the system
7              mds_new_service       A new service identified by the system
8              mds_new_host          A new host identified by the system
9              mds_new_listener      A new listener identified by the system
10             tally_new_ipseity     A new context is identified by the system
11             cnt                   External counter dump
12             sys                   Health data
13             slowsys               Health data
14             dbfwsys               Health data
15             internal              Internal debug use
16             cnta                  Full counter dump (much lower frequency)
17             dbhealth              Database health status in CSV format
18             it_clustered_flow     Issued when the autopilot adds a data flow to the incident domain to be clustered with other behavioral incident data flows
19             upgrade               System upgrade logs
20             audit                 System audit logs
21             dbdu                  Postgres table disk usage
22             it_new_cluster        Issued each time the system creates a new incident
23             it_obsolete_cluster   Issued when incident clusters of data flows become obsolete, which can happen when regrouping occurs or the user introduces learning or policy constraints into the system
24             it_cluster_activity   Issued when data flows that had been clustered into an incident exhibit activity (that is, execute SQL statements)
25             it_auto_learned       Issued when a data flow is learned by the autopilot, using the same fields as the ITClusteredFlow event except clusterId
26             it_policy_activity    Issued when data flows matching a committed policy constraint with a syslog category action exhibit activity (that is, they execute SQL statements)
27             it_new_context        Issued when a new context or session is first observed
28             it_new_access         Issued when a new access (a database object such as a relation, meta-relation, or user role) is first observed
29             it_new_flow           Issued when a new data flow is first observed
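As an added example, not code from this manual or from the DBC platform's own software, the following Python parser applies the two tables above: it splits a forwarded line into the syslog PRI, timestamp, host and tag, the seven CEF header fields, and the key=value extension, then checks that the numeric Signature ID and the Name agree with the signature table. Values containing spaces (cs1Label=system identifier) and the quoted free-text values of audit messages are kept whole because the extension is split at the next key= boundary rather than on whitespace. The single-line form of the sample messages, the SIGNATURES table copied from the page, and the decision to treat an ID/name mismatch as something to investigate are assumptions of the example, not specifications from the manual.

```python
import re

# Signature ID -> Name, transcribed from the Syslog Message Signatures table above.
SIGNATURES = {
    0: "distinct_event", 1: "repeat_event", 3: "engine_start", 4: "archive",
    6: "mds_new_user", 7: "mds_new_service", 8: "mds_new_host",
    9: "mds_new_listener", 10: "tally_new_ipseity", 11: "cnt", 12: "sys",
    13: "slowsys", 14: "dbfwsys", 15: "internal", 16: "cnta", 17: "dbhealth",
    18: "it_clustered_flow", 19: "upgrade", 20: "audit", 21: "dbdu",
    22: "it_new_cluster", 23: "it_obsolete_cluster", 24: "it_cluster_activity",
    25: "it_auto_learned", 26: "it_policy_activity", 27: "it_new_context",
    28: "it_new_access", 29: "it_new_flow",
}

# <PRI>TIMESTAMP HOST TAG: CEF:...  The manual prints the CEF part wrapped over
# several lines; on the wire a message is one line (assumption of this example).
_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\S+) (\S+) (\S+?): (CEF:.*)$", re.S)

# Extension keys seen in this manual use letters, digits, '_', '.' and '()'
# (sys messages carry keys such as meminfo_Active(anon)).
_KEY = r"[A-Za-z_][\w.()]*"
# A value runs up to the next " key=" boundary, so values containing spaces
# ("system identifier", "05/31/18 13:41:03") or embedded JSON survive intact.
_EXT_RE = re.compile(rf"({_KEY})=(.*?)(?=\s+{_KEY}=|\s*$)", re.S)


def parse_dbn_cef(line):
    """Parse one DBN syslog/CEF line into a dict; raise ValueError if malformed."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a <PRI>timestamp host tag: CEF line")
    pri, timestamp, host, tag, cef = m.groups()
    pri = int(pri)
    # The seven CEF header fields are separated by '|'; a literal pipe inside a
    # header field is escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    extension = {}
    for key, value in _EXT_RE.findall(parts[7]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # audit messages quote free-text values
        extension[key] = value.replace("\\=", "=")
    return {
        "facility": pri >> 3,            # syslog facility (16 = local0 for <133>)
        "syslog_severity": pri & 7,      # syslog severity carried in the PRI field
        "timestamp": timestamp, "host": host, "tag": tag,
        "vendor": header[1], "product": header[2], "version": header[3],
        "signature_id": int(header[4]), "name": header[5],
        "severity": int(header[6]),      # CEF severity, distinct from the PRI severity
        "extension": extension,
    }


def signature_matches(msg):
    """True when the numeric Signature ID and the Name agree with the table.

    Route on the numeric ID and treat a mismatch as a parsing or version
    problem to investigate rather than silently trusting either field."""
    return SIGNATURES.get(msg["signature_id"]) == msg["name"]


if __name__ == "__main__":
    # The engine restart sample from this manual, joined onto one line.
    sample = ("<133>2018-06-11T12:39:03.984166-05:00 dbfw dbn: CEF:0|DB Networks|DBN|5.3.7|3|engine_start|5|"
              "cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423")
    msg = parse_dbn_cef(sample)
    print(msg["name"], msg["extension"]["cs1"], signature_matches(msg))
```

Keying consumers on the numeric Signature ID and sending mismatches to a holding index is the defensive choice: the it_auto_learned sample later in this manual carries Signature ID 18, which the table assigns to it_clustered_flow, and signature_matches reports it as a mismatch rather than letting the name alone decide the routing.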

Platform Syslog Messages

This chapter describes the DBC platform syslog messages.

Engine Restart Message

The restart message reports the startup of the platform. This message indicates that the platform has completed its power-up sequence after an initial power-up, restart/reset, or fatal error. If this message is detected and no intentional restart was initiated, contact customer service to investigate the cause.

A typical engine restart message resembles the following:

<133>2018-06-11T12:39:03.984166-05:00 dbfw dbn: CEF:0|DB Networks|DBN|5.3.7|3|engine_start|5|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423

The message is identified by Signature ID=3 and name=engine_start.

Event Report Messages

Event report messages are generated as soon as an event is detected.

There are two types of event report messages:

  • distinct_event messages pertain to new unique SQL statements that are detected as possible threats. Distinct events have a Signature ID=0 and name=distinct_event.

  • repeat_event messages represent repeated executions of previously detected SQL statements. Repeat events have a Signature ID=1 and name=repeat_event.

Both messages contain the same information but are distinguished by the labels above appearing in the Name field of the CEF prefix.

A typical distinct_event resembles the following. A repeat_event has the same structure, but the cnt field is greater than 1.

<132>2018-06-11T16:28:53.769474-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|0|distinct_event|10|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 externalId=23179 cnt=1 rt=1528752533769
start=1449230398145 destinationServiceName=accounts cn1Label=statement identifier cn1=22932 statement_identifier=22932
cat=structural dst=10.4.40.7 dpt=1433 src=10.15.32.25 spt=37224 cs2Label=score cs2=1.000 score=1.000 cs3Label=confidence
cs3=certain confidence=certain act=exec_dispatch target_sql_id=320

The first part of the message contains the elements of the standard CEF format.

Event Report Message Field Descriptions

Field                    Description
externalId               Unique event ID used to look the event up in the DBN event log.
cnt                      Number of occurrences of events with this statement identifier. This is always 1 for distinct events.
rt                       Transmit time of the event.
start                    Epoch time, in milliseconds, of the event.
destinationServiceName   Name of the database associated with the attack.
cn1Label                 Statement identifier.
cn1                      Unique statement identifier, also known as the sqlId, used to look up the event in the DBN event log.
cat                      Type of event (structural or parametric).
dst                      Destination IP address of the database involved in the event.
dpt                      Destination port of the database involved in the event.
src                      Source IP address of the client involved in the event.
spt                      Source TCP port of the client involved in the event.
cs2Label                 Score.
cs2                      Numerical confidence score (0.0 – 1.0).
cs3Label                 Confidence.
cs3                      String confidence (certain, overwhelming, likely, suspicious, possible).
act                      Type of action involved in the event (maps to protocol RPC).
target_sql_id            Integer value represented on the system by the target SQL ID.
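The following added example (not code from the manual or from the product) shows how a collector can fold the two event report types into one record per statement identifier, so an analyst sees each suspicious statement once with its latest occurrence count rather than once per repeat report. The distinct_event line is the sample above joined onto one line; the repeat_event lines are constructed. The weakest-to-strongest ordering of the cs3 strings, the treatment of cnt as the running occurrence count for the statement (so the latest value is kept rather than summed), and the orphan flag for a repeat_event whose distinct_event was never seen are assumptions of the example.

```python
import re

# cs3 confidence strings from the field table above, weakest first (ordering assumed).
CONFIDENCE_RANK = {"possible": 1, "suspicious": 2, "likely": 3, "overwhelming": 4, "certain": 5}


def event_fields(line):
    """Return the CEF Name and the extension fields needed for correlation.

    A simple key=value scan suffices because every field used below is a
    single token; label values with spaces (cs1Label=system identifier) are
    truncated by the scan and deliberately not used."""
    parts = line.split("|", 7)
    if len(parts) != 8:
        raise ValueError("not a CEF line")
    return parts[5], dict(re.findall(r"(\w+)=(\S+)", parts[7]))


class EventCorrelator:
    """One record per statement identifier (cn1), built from distinct_event and
    repeat_event reports, with a confidence floor for alerting."""

    def __init__(self, min_confidence="likely"):
        self.min_rank = CONFIDENCE_RANK[min_confidence]
        self.statements = {}   # cn1 -> record

    def ingest(self, line):
        name, f = event_fields(line)
        if name not in ("distinct_event", "repeat_event"):
            return None        # health, discovery and other messages are not events
        sid = int(f["cn1"])
        rec = self.statements.get(sid)
        if rec is None:
            rec = self.statements[sid] = {
                "database": f["destinationServiceName"], "category": f["cat"],
                "client": f"{f['src']}:{f['spt']}", "server": f"{f['dst']}:{f['dpt']}",
                "action": f["act"], "score": float(f["cs2"]), "confidence": f["cs3"],
                "first_seen": int(f["start"]), "occurrences": 0, "reports": 0,
                # A repeat_event for a statement never announced by a distinct_event
                # (collector started mid-stream, or a dropped message) is kept but flagged.
                "orphan": name == "repeat_event",
            }
        # Assumption: cnt is the running occurrence count for this statement
        # identifier (the table says it is always 1 for a distinct event), so the
        # latest value is kept rather than summed across reports.
        rec["occurrences"] = max(rec["occurrences"], int(f["cnt"]))
        rec["reports"] += 1
        rec["last_report"] = int(f["rt"])
        return sid

    def alerts(self):
        """Statements at or above the configured confidence, highest score first."""
        hits = [(sid, r) for sid, r in self.statements.items()
                if CONFIDENCE_RANK.get(r["confidence"], 0) >= self.min_rank]
        return sorted(hits, key=lambda kv: (-kv[1]["score"], kv[0]))


if __name__ == "__main__":
    # The distinct_event sample from this manual, joined onto one line.
    distinct = ("<132>2018-06-11T16:28:53.769474-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|0|distinct_event|10|"
                "cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 externalId=23179 "
                "cnt=1 rt=1528752533769 start=1449230398145 destinationServiceName=accounts cn1Label=statement identifier "
                "cn1=22932 statement_identifier=22932 cat=structural dst=10.4.40.7 dpt=1433 src=10.15.32.25 spt=37224 "
                "cs2Label=score cs2=1.000 score=1.000 cs3Label=confidence cs3=certain confidence=certain "
                "act=exec_dispatch target_sql_id=320")
    # Constructed repeat_event for the same statement identifier (not from the manual).
    repeat = distinct.replace("|0|distinct_event|", "|1|repeat_event|").replace("cnt=1 ", "cnt=5 ")
    c = EventCorrelator()
    c.ingest(distinct)
    c.ingest(repeat)
    for sid, rec in c.alerts():
        print(sid, rec["confidence"], rec["occurrences"], rec["client"], "->", rec["server"])
```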

System Health Messages

Health syslog messages are sent every 10 minutes (at minute mod 10 boundaries). These messages are distinguished from event messages by the keywords cnt, sys, slowsys, and dbfwsys in the CEF Name field.

These messages contain a large amount of information helpful to DB CyberTech’s Technical Support personnel.

<133>2018-06-11T03:44:44.797928-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|11|cnt|0|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528706684797 xtime_T01=05/31/18 13:41:03
xtime_T02=06/11/18 03:44:44 xtime_T03=1 xtime_T04=10d 14:03:41 xtime_T05=06/01/18 15:48:54 xcap_X13=49460224 xcap_X01=49460224
xcap_X33=49460224 xcap_X03=6 xcap_X26=19 xcap_X27=61040 xcap_X28=61039 xcap_X04=1.00 xcap_X15=6 xcap_X11=1895 xcap_X21=0.01
xpro_X08=1 xpro_X17=1 xpro_X23=0.00 xpro_X24=0.00 xpro_X05=0.00 xpro_X09=0.00 xpro_X18=38287169 xpro_X19=1.00 xpro_X20=0.01
xpro_X35=406348 xpro_X36=8 xpro_X37=61019 xpro_X38=221101 xpro_X39=7046 xeng_X29=92 xeng_X30=19025081 xeng_X31=92 ts=1528706684796

As with event messages, the first part of the message contains the elements defined in the CEF format. Though most of the information in the various health log messages is useful only to DB CyberTech’s support personnel, there are a few fields you might want to track to ensure your system is running properly.

Event Message Fields That Users Should Track

Field       Description
xcap_X13    Total number of packets received on the capture port. If this number is not increasing as expected for a given installation, the capture port might not be capturing traffic.
xcap_X15    Total number of packets dropped by the engine. If this number increases rapidly, it might indicate that the span/tap port is configured to send a lot of non-SQL traffic. This affects system performance and should be corrected either by changing the span/tap port configuration or by adjusting the network filters on the DBC platform to filter out unwanted traffic before it reaches the engine.
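An added example, not from the manual or from the product, of the tracking the table above recommends: it reads rt, xcap_X13 and xcap_X15 out of successive cnt messages and reports a stalled capture port, a counter reset, a drop burst, or a missing 10-minute heartbeat. The thresholds (1.5 intervals for a gap, 1,000 drops per interval), the sample_cnt_line builder and the follow-on messages it produces are assumptions of the example, to be tuned per installation.

```python
import re

FIELDS = ("rt", "xcap_X13", "xcap_X15")


def capture_counters(line):
    """Extract rt (ms since epoch), xcap_X13 (packets received on the capture
    port) and xcap_X15 (packets dropped by the engine) from a cnt message."""
    out = {}
    for key in FIELDS:
        m = re.search(rf"\b{key}=(\d+)", line)
        if m is None:
            raise ValueError(f"{key} missing; not a cnt health message?")
        out[key] = int(m.group(1))
    return out


class CapturePortMonitor:
    """Compare each cnt message with the previous one from the same unit and
    return a list of (code, detail) findings. Thresholds are assumptions to be
    tuned per installation, not values from the manual."""

    def __init__(self, interval_ms=600_000, max_drops_per_interval=1_000):
        self.interval_ms = interval_ms
        self.max_drops = max_drops_per_interval
        self.prev = None

    def observe(self, line):
        cur = capture_counters(line)
        prev, self.prev = self.prev, cur
        if prev is None:
            return []                      # first sample: nothing to compare against
        findings = []
        gap = cur["rt"] - prev["rt"]
        if gap > 1.5 * self.interval_ms:
            # cnt messages are expected every 10 minutes; a gap means the unit or
            # the syslog path was down, and the deltas below span a longer window.
            findings.append(("heartbeat_gap", f"{gap} ms since previous cnt message"))
        received = cur["xcap_X13"] - prev["xcap_X13"]
        if received < 0:
            findings.append(("counter_reset", "xcap_X13 went backwards; engine restart?"))
        elif received == 0:
            findings.append(("capture_stalled", "no packets received since last interval; check span/tap"))
        dropped = cur["xcap_X15"] - prev["xcap_X15"]
        if dropped > self.max_drops:
            findings.append(("drop_rate", f"{dropped} packets dropped in interval; review span/tap or network filters"))
        return findings


def sample_cnt_line(rt, received, dropped):
    """Constructed cnt message in the shape of the manual's sample (example only)."""
    return ("<133>2018-06-11T03:44:44.797928-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|11|cnt|0|"
            "cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 "
            f"rt={rt} xcap_X13={received} xcap_X03=6 xcap_X15={dropped} ts={rt}")


if __name__ == "__main__":
    mon = CapturePortMonitor()
    for line in (sample_cnt_line(1528706684797, 49460224, 6),
                 sample_cnt_line(1528707284797, 49460224, 6),
                 sample_cnt_line(1528707884797, 49470224, 5006)):
        print(mon.observe(line))
```

Because xcap_X13 and xcap_X15 are lifetime counters, the deltas between two consecutive reports are what matter; a single absolute value says little about whether the capture port is alive right now.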

The following messages are also sent every 10 minutes. These messages can be useful to DB CyberTech Technical Support and development personnel if an issue arises.

Typical sys (System) Message:

<133>2018-06-11T03:49:47.332626-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|12|sys|0|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528706987332
os_uptime=914936 os_loadavg_0=0 os_loadavg_1=0 os_loadavg_2=0 os_freemem=833536000 os_totalmem=8367423488
sys_user=1531705 sys_nice=9690 sys_system=744604 sys_idle=179829889 sys_iowait=30758 sys_irq=276608 sys_softirq=265033
sys_steal=0 sys_guest=0 sys_guest_nice=0 vm_pgpgin=931157 vm_pgpgout=105314097 vm_pswpin=0 vm_pswpout=0 vm_pgfault=542285262
meminfo_MemTotal=8171312 meminfo_MemFree=814000 meminfo_MemAvailable=3852672 meminfo_Buffers=355684 meminfo_Cached=2882872
meminfo_SwapCached=0 meminfo_Active=3055660 meminfo_Inactive=1970804 meminfo_Active(anon)=1816472 meminfo_Inactive(anon)=28444
meminfo_Active(file)=1239188 meminfo_Inactive(file)=1942360 meminfo_Unevictable=0 meminfo_Mlocked=0 meminfo_SwapTotal=976892
meminfo_SwapFree=976892 meminfo_Dirty=496 meminfo_Writeback=0 meminfo_AnonPages=1787968 meminfo_Mapped=2487416 meminfo_Shmem=71208
meminfo_Slab=179368 meminfo_SReclaimable=157068 meminfo_SUnreclaim=22300 meminfo_KernelStack=4256 meminfo_PageTables=31900
meminfo_NFS_Unstable=0 meminfo_Bounce=0 meminfo_WritebackTmp=0 meminfo_CommitLimit=5062548 meminfo_Committed_AS=4248612
meminfo_VmallocTotal=34359738367 meminfo_VmallocUsed=0 meminfo_VmallocChunk=0 meminfo_HardwareCorrupted=0 meminfo_AnonHugePages=0
meminfo_ShmemHugePages=0 meminfo_ShmemPmdMapped=0 meminfo_CmaTotal=0 meminfo_CmaFree=0 meminfo_HugePages_Total=0
meminfo_HugePages_Free=0 meminfo_HugePages_Rsvd=0 meminfo_HugePages_Surp=0 meminfo_Hugepagesize=2048 meminfo_DirectMap4k=157632
meminfo_DirectMap2M=8230912 memsum_usedGb=4 memsum_freeGb=4 disk_sda_readOps=37129 disk_sda_readSectors=1860258
disk_sda_writeOps=11382659 disk_sda_writeSectors=210640331

Typical slowsys Message:

<133>2018-06-11T03:49:51.565949-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|13|slowsys|0|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528706991565
disk_root_total=47103168 disk_root_avail=36005372 disk_maint_total=2818080 disk_maint_avail=907268
disk_boot_total=194235 disk_boot_avail=79685 disk_sysdata_total=185301 disk_sysdata_avail=162649 vers=0
it_sysdecCommitted=0 it_sysdecProposed=0

Typical dbfwsys Message:

<133>2018-06-11T03:49:49.338516-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|14|dbfwsys|0|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528706989337
dbfw_pid=1884 dbfw_state=0 dbfw_userCpu=49031 dbfw_sysCpu=20857 dbfw_numThread=19 dbfw_VmSize=2761003008 dbfw_VmRSS=303161344

New Discovery Messages

New discovery syslog messages are sent when the DBC platform identifies a new user, service, host, listener, or context that links a client and a server across those dimensions (an ipseity).

These messages inform you when a new connection, user, service, host, listener, or context has been added to the monitored network. The table below lists the critical information carried by each new discovery syslog message.

New Discovery Syslog Messages

Signature ID   Name                Description
6              mds_new_user
                 • user_name = <string = non-empty user name>
                 • default_schema = <string = default schema for new user>
7              mds_new_service
                 • service_name = <string = service_name>
                 • service_name_type = <string = service type (service|SID|global name)>
                 • dialect = <string = database dialect (Oracle|MS Sql)>
8              mds_new_host
                 • realm = <string = realm name>
                 • addr = <string = IPv4 address>
9              mds_new_listener
                 • realm = <string = realm name>
                 • addr = <string = IPv4 address>
                 • port = <integer = TCP/IP port>
10             tally_new_ipseity
                 • tally_board = <string = identifier for tally board, currently main>
                 • [user_name = <string = non-empty user name>]
                 • [service_name = <string = non-empty service name>]
                 • client_realm = <string = client realm name>
                 • client_addr = <string = IPv4 addr of client>
                 • server_realm = <string = server listener realm name>
                 • server_addr = <string = IPv4 addr of server listener>
                 • server_port = <int = TCP/IP port of server listener>
                 • client_ipseities = <int = pre-existing ipseities with matching client host -- zero implies this is the first>
                 • server_ipseities = <int = pre-existing ipseities with matching server host>
                 • [server_service_ipseities = <int = pre-existing ipseities with matching server host and service>]
                 • [server_service_user_ipseities = <int = pre-existing ipseities with matching server host, service, and user>]

Sample new user message:

<133>2018-06-11T13:50:00.449964-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|6|mds_new_user|5|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528743000448
user_name=sa default_schema=sa

Sample new service message:

<133>2018-06-11T13:50:00.441856-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|7|mds_new_service|5|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528743000432
service_name=accounts service_name_type=service dialect=Sql-Server

Sample new host message:

<133>2018-06-11T13:50:00.446950-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|8|mds_new_host|5|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528743000444
realm=default addr=10.15.33.3

Sample new listener message:

<133>2018-06-11T13:50:00.453014-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|9|mds_new_listener|5|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528743000433
realm=default addr=10.3.30.14 port=14338

Sample new ipseity message:

<133>2018-06-11T13:50:00.773763-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|10|tally_new_ipseity|5|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528743000741
tally_board=main user_name=sa service_name=accounts client_realm=default client_addr=10.15.33.3 server_realm=default
server_addr=10.4.40.7 server_port=1433 client_ipseities=1 server_ipseities=1 server_service_ipseities=1 server_service_user_ipseities=1

Audit Messages

Audit messages are an optional syslog output configured on the DBC platform under Settings > Advanced > Audit Log. The purpose of these messages is to provide a record of selected transactions on the DBN unit. The details of these messages are described below.

Sample audit message:

<133>2018-06-11T16:53:05 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|20|audit|0|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 rt=1528753985039
category=secOps auditCode=1009 auditMessage="User login succeeded" userId=admin sessionId=2CTvwhj_iAmVoV7zB8pVCiLSeALej0te
src=10.40.7.216 target="User:admin" cookies="[{"name":"dbnetworks","cookieDurationSec":3600}]"

Audit syslog messages carry a category, auditCode, auditMessage, userId, sessionId, and, when applicable, a target.

Insider Threat Event Messages

The DBC platform sends insider threat syslog messages when the appliance sees statement executions that meet the criteria of an insider threat rule configured to monitor and syslog. The purpose of these messages is to alert customers to policy and behavioral violations in a monitored network. Insider threat rules are defined in terms of sets or patterns describing data flows.

A data flow is the unique combination of a database object, such as a partially or fully qualified table name (for example, master.sys.databases specifies database, schema, and relation, but not server), mentioned in a specific network context (i.e., client IP, server IP, server port, database service, and database user). When a statement is executed, the DBC platform analyzes the SQL text semantically, looks up the corresponding data flow (or flows, if there is more than one qualified name in the statement), and checks whether that flow meets the criteria of an insider threat rule. If the rule’s action is configured to write to syslog when it fires, the details of the data flow and unique identifiers for several aspects of the flow and rule are conveyed in the messages described below.

The insider threat event module is made up of the following five types of events.

IT Clustered Flow

This event is emitted when DB CyberTech behavioral modeling determines that a new data flow is unexpected and predictive of potential data loss. Data flows are clustered together for easier user analysis, hence the name. Recall that each data flow is composed of a specific session (network context) and a database object. The database object is typically one of relation, meta-relation, column, or alias, but can be another type of database object as well. Relations and meta-relations are reported with an id, up to three name qualifiers (server, database, and schema) if applicable, a relation name, and a mode of access (read or write for relations; create, drop, alter, or truncate for meta-relations). User role database objects are reported with an id, name, type (user or role), mode (create, drop, alter, grant, or revoke), when applicable a session database user ID and name, and when applicable an optionally qualified relation. Columns, aliases, and comments are reported with an id and their respective string representation. In addition to the defining features of the data flow in question, if the database object involved matches DB CyberTech's data classification, several fields related to classification are also reported. Finally, ITClusteredFlow events are characterized by the score information used by the autopilot to determine that the data flow should be clustered.

Sample IT Clustered Flow message:

<132>2018-06-11T13:50:00.773763-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|18|it_clustered_flow|7|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 it_event_id=1056 cluster_id=74
flow_id=1804 context_id=1800 user_id=300 user_name=BOB client_id=572 client_realm=default client_ip=10.1.41.11
service_id=1030 dialect=Oracle service_name=USCYBERCOM.OPSEC service_type=service listener_id=1028 listener_realm=default
listener_ip=11.1.3.32 port=1521 context_earliest=1506003300000 access_id=317 relation_id=317 relation=personcreditcard
mode=read access_earliest=1494273900000 flow_earliest=1506003300000 accessScore=0.999996204175 contextScore=0
combinedScore=0.999996204175 importance=1 risk=0.999996204175

Details of the field types:

Field                Type     Description
it_event_id          int      Event ID for new clustered data flow
cluster_id           int      Incident internal identifier for linking to DBN web interface
flow_id              int      Data flow internal identifier for linking to DBN web interface
context_id           int      Session internal identifier for linking to DBN web interface
user_id              int      Session database user name internal identifier
user_name            string   Session database user name (e.g., “BOB”)
client_id            int      Session client internal identifier
client_realm         string   Session client realm, typically “default” unless using VLANs in DBN configuration
client_ip            string   Session client IP address (e.g., “10.1.41.2”)
service_id           int      Session database service internal identifier
dialect              string   Session dialect description (e.g., “Oracle”)
service_name         string   Session database service name (e.g., “CRM.EU”)
service_type         string   Session database service type (“sid”, “global name”, or “service”)
listener_id          int      Session database listener internal identifier
listener_realm       string   Session database listener realm, typically “default” unless using VLANs in DBN configuration
listener_ip          string   Session database listener IP (e.g., “10.1.40.32”)
port                 type     Session database listener port
context_earliest     int      Epoch milliseconds of earliest observed time for the data flow’s session
access_id            int      Database object internal identifier
access_type          string   Database object type, one of: relation, meta-relation, user-role, column, alias, comment, grant
column_id            int      Database object column identifier
column_identifier    string   Database object column name
comment_id           int      Database object comment identifier
comment_value        string   Database object comment text
alias_id             int      Database object alias identifier
alias_identifier     string   Database object alias name
grant_id             int      Database object grant identifier
grantee              string   Database object grantee name
action               string   Database object grant action, one of: grant or revoke
relation_id          int      Database object relation internal identifier
meta_relation_id     int      Database object meta-relation internal identifier
server               string   Database object relation server qualifier
database             string   Database object relation database qualifier
schema               string   Database object relation schema qualifier
relation             string   Database object relation name
mode                 string   Database object mode of use (e.g., “read” or “alter”)
user_role_id         int      Database object user role internal identifier
user_role_name       string   Database object user or role name
type                 string   Database object user role type, either “user” or “role”
access_earliest      int      Epoch milliseconds of earliest observed time for the data flow’s database object
flow_earliest        int      Epoch milliseconds of earliest observed time for the data flow
classifier_id        int      Database internal identifier for classification specification
classifier_name      string   Data classification specification name
category_id          int      Database internal identifier for classification category
category_name        string   Data classification category
category_path        string   Hierarchy of classification category
category_weight      float    Classification category weighting
cat_score            float    Classification category score
cat_sig              bool     Classification category significance
access_score         float    Internal score for how unexpected the session is in the context of the data flow’s database object
context_score        float    Internal score for how unexpected the database object is in the context of the data flow’s session
combined_score       float    Internal score combining the access and context score
importance           float    User-specified weighting of the combined score
risk                 float    Internal score combining combined score and importance

IT New Cluster

This event is emitted each time a new incident is created by the system. This occurs when new, unexpected data flows do not sufficiently match an existing incident. Either a new incident is created with the new data flow, or, if the system’s clustering algorithms find a better grouping of unexpected data flows, old incidents are regrouped into new incidents to incorporate the new data flow.

Sample IT New Cluster message:

<132>2018-06-11T13:50:00.773763-05:00 dbfw dbn: CEF:0|DB Networks|DBN|5.3.7|22|it_new_cluster|7|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 itEventId=1047 cluster_id=127

Field Details:

Field          Type   Description
it_event_id    int    New incident event ID
cluster_id     int    New incident internal identifier for linking to DBN web interface

IT Obsolete Cluster

If the above-mentioned regrouping occurs, or if the user introduces either learning or policy constraints into the system, incident clusters of data flows can become obsolete. This event is emitted under those circumstances. It is disabled by default.

Sample IT Obsolete Cluster message:

<132>2018-06-11T13:50:00.773763-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|23|it_obsolete_cluster|7|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 itEventId=1049 cluster_id=128

Field Details:

Field          Type   Description
it_event_id    int    Obsolete incident event ID
cluster_id     int    Obsolete incident internal identifier

IT Cluster Activity

This event is emitted when data flows previously clustered into an incident exhibit activity (i.e., execute SQL statements). Each event corresponds to a single data flow. The data flow is reported with the same fields used by the IT Clustered Flow event except the score-specific fields access_score, context_score, combined_score, importance, and risk. In addition, the following fields are supplied.

Sample IT Cluster Activity message:

<132>2018-06-11T13:50:00.773763-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|24|it_cluster_activity|7|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 itEventId=1044 cluster_id=57
risk_type=high flow_id=1707 context_id=1672 user_id=301 user_name=system client_id=298 client_realm=default client_ip=10.1.41.3
service_id=1030 dialect=Oracle service_name=USCYBERCOM.OPSEC service_type=service listener_id=1028 listener_realm=default
listener_ip=11.1.3.32 port=1521 context_earliest=1504451400000 access_id=480 relation_id=480 relation=customer mode=read
access_earliest=1494377400000 flow_earliest=1504464600000 activity_earliest=1505986500000 activity_latest=1506747900000 execs=493

Field Details:

Field                Type     Description
it_event_id          int      New incident activity event ID
risk_type            string   Incident risk category (either “high” or “low”)
activity_earliest    int      Epoch milliseconds of the first observed time of activity for the data flow in this event
activity_latest      int      Epoch milliseconds of the latest observed time of activity for the data flow in this event
execs                int      Number of statement executions by the data flow in this event

IT Auto Learned

This event is emitted when a data flow is learned by the autopilot, using the same fields as the IT Clustered Flow event except clusterId. This event is also disabled by default.

Sample IT Auto Learned message:

<132>2018-06-11T13:50:00.773763-05:00 dbfw dbn: CEF:0|DB Networks|DBN|6.1.2|18|it_auto_learned|7|
cs1Label=system identifier cs1=FW42-ED-VV-B-0423 system_identifier=FW42-ED-VV-B-0423 itEventId=1056 flow_id=1804 context_id=1800
user_id=300 user_name=BOB client_id=572 client_realm=default client_ip=10.1.41.11 service_id=1030 dialect=Oracle service_name=USCYBERCOM.OPSEC
service_type=service listener_id=1028 listener_realm=default listener_ip=11.1.3.32 port=1521 context_earliest=1506003300000 access_id=317
relation_id=317 relation=personcreditcard mode=read access_earliest=1494273900000 flow_earliest=1506003300000 access_score=0.999996204175
context_score=0 combined_score=0.999996204175 importance=1 risk=0.999996204175

For field details see IT Clustered Flow message detail.

IT Policy Activity

This event is emitted when data flows matching a committed policy constraint with a syslog category action exhibit activity (i.e., they execute SQL statements). This event uses the same fields as the ITClusterActivity event, substituting constraint_id, category_id, category_name, and annotation for risk_type. The field details:

Field            Type     Description
it_event_id      int      New policy activity event ID
constraint_id    int      Internal identifier of the policy rule that matched the data flow for this event
category_id      int      Internal identifier for the rule category assigned to the constraint that triggered this event
category_name    string   Category name for the rule category assigned to the constraint that triggered this event
annotation       string   Optional user-supplied rule annotation

IT New Context

This event is emitted once for each new context (or session) the first time it is observed. A new session event has the following fields:

Field               Type     Description
context_id          int      Session internal identifier for linking to the DBN web management interface.
user_id             int      Session database user name internal identifier.
user_name           string   Session database user name (for example, “BOB”).
client_id           int      Session client internal identifier.
client_realm        string   Session client realm (typically “default” unless using VLANs in DBN configuration).
client_ip           string   Session client IP address (for example, “10.1.41.2”).
service_id          int      Session database service internal identifier.
dialect             string   Session dialect description (for example, “Oracle”).
service_name        string   Session database service name (for example, “CRM.EU”).
service_type        string   Session database service type (“sid”, “global name”, or “service”).
listener_id         int      Session database listener internal identifier.
listener_realm      string   Session database listener realm (typically “default” unless using VLANs in DBN configuration).
listener_ip         string   Session database listener IP address (for example, “10.1.40.32”).
port                type     Session database listener port.
context_earliest    bigint   Epoch milliseconds of earliest observed time for the data flow’s session.

IT New Access

This event is emitted once for each new access, also referred to as database object, the first time it is observed. A database object is one of relation, meta-relation, or user role. Relation and meta-relations are reported with:

  • An id
  • Up to three name qualifiers (server, database, and schema) if applicable
  • A relation name
  • A mode of access
    • For relations, this can be read or write.
    • For meta-relations, this can be create, drop, alter, or truncate.

User role database objects are reported with an id, name, type (user or role), mode (create, drop, alter, grant, or revoke), when applicable a session database user ID and name, and when applicable, an optionally qualified relation. A new object event has the following fields.

Field              Type     Description
access_id          int      Database object internal identifier.
relation_id        int      Database object relation internal identifier.
meta_relation_id   int      Database object meta-relation internal identifier.
server             string   Database object relation server qualifier.
database           string   Database object relation database qualifier.
schema             string   Database object relation schema qualifier.
relation           string   Database object relation name.
mode               string   Database object mode of use (for example, “read” or “alter”).
user_role_id       int      Database object user role internal identifier.
user_role_name     string   Database object user role name.
type               string   Database object user role type (either “user” or “role”).
access_earliest    bigint   Epoch milliseconds of earliest observed time for the data flow’s database object.

IT New Flow

This event is emitted once for each new data flow, the first time it is observed. A data flow is the unique combination of a context (also referred to as session) and access (also referred to as object). The fields for a new flow event are those used for a new context, those used for a new access, and also the following.

Field            Type     Description
flow_earliest    bigint   Epoch milliseconds of earliest observed time for data flow.

CMDB Key-Value Pairs Format

The tally_new_ipseity (10), it_clustered_flow (18), it_cluster_activity (24), it_auto_learned (25), and it_policy_activity (26) events can be extended with CMDB data. The current implementation adds CEF pairs for each user extension of user, service, client, and relation (for example, table) that has the syslog flag (1) set and applies to the event in question. For example, tally_new_ipseity events do not have relation attributes to extend, but the IT events do.

Every custom message key is prefixed by an identifier for the scope of the attribute being annotated, followed by the name of the annotation. For example, if CMDB data annotates each service with a risk_score and a division, the tally_new_ipseity custom pairs resemble mds.services_riskScore=34 and mds.services_division=HR.

The tally_new_ipseity events have the following prefixes:

  • User annotations will be prefixed by mds.users_

  • Service annotations will be prefixed by mds.services_

  • Client host annotations will be prefixed by mds.hosts_

The IT events have the following prefixes:

  • User annotations will be prefixed by user_ext_mds.users_

  • Service annotations will be prefixed by service_ext_mds.services_

  • Client host annotations will be prefixed by client_ext_mds.hosts_

  • Relation annotations will be prefixed by relation_ext_parser.relation_
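An added example (not part of the manual or of the product) that applies the prefix rules above: it groups the CMDB pairs of an event by the scope they annotate and builds the extension key the unit would emit for a given scope and annotation, refusing combinations the manual says do not exist (relation annotations on tally_new_ipseity). The annotation names and values in the sample input are constructed.

```python
import re

# Prefix families from the manual, keyed by the scope each one annotates.
IPSEITY_PREFIXES = {
    "mds.users_": "user",
    "mds.services_": "service",
    "mds.hosts_": "client_host",
}
IT_PREFIXES = {
    "user_ext_mds.users_": "user",
    "service_ext_mds.services_": "service",
    "client_ext_mds.hosts_": "client_host",
    "relation_ext_parser.relation_": "relation",
}


def prefixes_for(name):
    """Prefix table that applies to an event name, empty for events without CMDB pairs."""
    if name == "tally_new_ipseity":
        return IPSEITY_PREFIXES
    if name.startswith("it_"):
        return IT_PREFIXES
    return {}


def cmdb_annotations(name, extension):
    """Group CMDB custom pairs as {scope: {annotation: value}}.

    The event's own fields (user_name, relation, ...) carry no prefix and are
    left out, so the result contains only CMDB-sourced context."""
    grouped = {}
    for key, value in re.findall(r"([A-Za-z_][\w.]*)=(\S+)", extension):
        for prefix, scope in prefixes_for(name).items():
            if key.startswith(prefix):
                grouped.setdefault(scope, {})[key[len(prefix):]] = value
                break
    return grouped


def cmdb_key(name, scope, annotation):
    """Extension key the unit emits for one annotation on one event type, e.g.
    ('tally_new_ipseity', 'service', 'riskScore') -> 'mds.services_riskScore'."""
    for prefix, s in prefixes_for(name).items():
        if s == scope:
            return prefix + annotation
    raise KeyError(f"{scope} annotations do not apply to {name} events")


if __name__ == "__main__":
    # Constructed extension fragments (not from the manual).
    print(cmdb_annotations("tally_new_ipseity",
                           "tally_board=main service_name=accounts mds.services_riskScore=34 mds.services_division=HR"))
    print(cmdb_key("it_clustered_flow", "relation", "classification"))
```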


DB CyberTech
15015 Avenue of Science
Suite 150
San Diego, CA 92128