This feature is available ✔️ for:
Role: Subscription Owner
Plan: Enterprise
In this article, we cover the following topics:
- Additional information and limitations
- Setup steps
- Event documentation - Common event fields
- Event documentation - Authentication event fields
- Event documentation - UserActivity event fields
- Event documentation - AdminActivity event fields
- Event documentation - DomainUserManagement event fields
- Event documentation - Events with AdditionalFields filled
📝 Note: Before you enable the SIEM integration in your Tresorit subscription you need to sign the Data Processing Agreement, which you can find under the Billing tab in your Admin Center.
The SIEM integration forwards a selected set of events to the customer's dedicated SIEM provider. The events are selected during the configuration flow on the Settings tab of your Admin Center, and the selection can be modified later.
The currently available event groups:
- User Activity (e.g. login & logout related events)
- Admin Activity (e.g. integration setups, policy modifications)
- User Management (e.g. invite, suspend, delete actions)
See the detailed information regarding events in the documentation below.
Additional information and limitations
- We are not providing the logs in ASIM format, but in a custom format which is documented in the last section of this article.
- Certain actions can be performed by Tresorit Support on the customer's request. In that case the event's ActorUserEmail field has the value support@tresorit.com and all other actor user related fields are empty.
- These logs are not stored long-term on the storage servers used by Tresorit. We advise storing this data in Sentinel or with a dedicated third party.
Setup steps
You will need to sign in to your Microsoft account to be able to provide the Workspace ID of your Sentinel workspace and a shared key to create the integration.
1. Log in to your Tresorit account as subscription owner and visit the Settings tab of the Admin Center.
2. Click Enable in the SIEM integration section.
3. In case the DPA is not signed yet in your account, you will be prompted to start the signing process on the Billing tab.
4. You will need two specific values to set up the integration with your Sentinel workspace: Workspace ID and Shared Key. Open the Log Analytics workspace used by Sentinel and go to Agents Management; you will find the Workspace ID and the Primary and Secondary keys under Log Analytics agent instructions. You can use either of those keys as your Shared key value.
5. Select the required events from the list of available events. Find the detailed event documentation below.
Event documentation
Key value pairs
The possible values of the keys which are displayed during the setup of the integration are documented in the following tables.
User Activity Events
Option during the setup | Value |
---|---|
Domain User Management Events
Option during the setup | Values |
---|---|
Admin Activity Events
Option during the setup | Values |
---|---|
Common event fields
Fields that appear in the table below are common to all Tresorit event schemas. Any rule specified in a specific subschema (e.g. Authentication) overrides the Common event schema for that field. For example, a field might be optional in general, but mandatory for a specific schema.
Field | Class | Type | Possible values / Format | Description |
---|---|---|---|---|
EventSchemaVersion | Mandatory | String | | We use SemVer for versioning schema variants. Each time a schema is edited, a new version is created, but the original schema remains intact for future use. example: |
EventType | Mandatory | Enumerated | | Describes the operation reported by the record. |
EventSubType | Mandatory | Enumerated (defined for each event type) | Value depends on the EventType field. | Describes a subdivision of the operation reported in the Each event type schema (based on the |
EventTimestamp | Mandatory | Datetime | | The time the event was generated by the reporting device. example: |
EventResult | Mandatory | Enumerated | | Result of the event. |
EventResultDetails | Recommended | Dynamic (defined for each event type) | | Each schema (based on the |
ActorUserId | Recommended | String | | Unique identifier of the user. example: |
ActorUserEmail | Mandatory | String | | Email of the user. example: |
ActorUserFirstName | Recommended | String | | First name of the user. example: |
ActorUserLastName | Recommended | String | | Last name of the user. example: |
ActorUserRole | Recommended | Enumerated | | Set of permissions for actions available for the actor user. |
ActorSessionId | Recommended | String | | The logged-in user's unique session identifier. example: |
ActorUserDomainId | Recommended | String | | Domain GUID |
ActorUserDomainName | Recommended | String | | Organisation name of the subscription domain. |
ActorUserIsExternal | Mandatory | Bool | | |
ActorDeviceName | Recommended | String | | Name of the device or web session from which the event originates. examples: |
ActorDeviceId | Recommended | String | | The unique identifier of the device. example: |
ActorDeviceType | Recommended | Enumerated | | Event originates from: |
ActorDevicePlatform | Recommended | Enumerated | Device OS: | Platform name of the device from which the event originates. |
ActorDeviceIpAddress | Recommended | IP address | | IP address of the device from which the event originates. Example: |
ClientAgent | Recommended | String | | Tresorit specific client agent information. Parameters: examples: |
HttpUserAgent | Recommended | String | | HTTP user agent used in the original backend request. Web client example: Native client example: |
GeolocationCountry | Recommended | String | | Approximate location* based on the IP address from which the event originates. example: * The accuracy of geolocation may vary. |
GeolocationRegion | Recommended | String | | Approximate location* based on the IP address from which the event originates. example: * The accuracy of geolocation may vary. |
GeolocationCity | Recommended | String | | Approximate location* based on the IP address from which the event originates. example: * The accuracy of geolocation may vary. |
GeolocationLongitude | Recommended | Longitude | | Latitude and longitude are angles that uniquely define a place* on Earth. example: * The accuracy of geolocation may vary. |
GeolocationLatitude | Recommended | Latitude | | Latitude and longitude are angles that uniquely define a place* on Earth. example: * The accuracy of geolocation may vary. |
AdditionalFields | Optional | Dynamic | | Extra information about the event in custom JSON format. |
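To illustrate the Common event schema together with the support-actor caveat from the limitations section, here is an added Python example (not Tresorit's code) that triages a constructed batch of forwarded events: it checks the Mandatory fields, the SemVer form of EventSchemaVersion and the Bool type of ActorUserIsExternal, and flags events whose actor is support@tresorit.com or external to the subscription. The sample events, their EventResult values, the second event's EventSubType, ids and timestamps are constructed placeholders, because the page does not list the enumerated values.

```python
import json

# Constructed sample of three forwarded events, one JSON object per line. EventResult,
# the second event's EventSubType, ids and timestamps are placeholders: the page does
# not list the enumerated values, so none of these are real Tresorit values.
SAMPLE_EVENTS = """\
{"EventSchemaVersion":"1.0.0","EventType":"Authentication","EventSubType":"Login","EventTimestamp":"2024-01-01T10:00:00Z","EventResult":"Success","ActorUserEmail":"alice@example.com","ActorUserIsExternal":false,"ActorUserId":"user-1"}
{"EventSchemaVersion":"1.0.0","EventType":"DomainUserManagement","EventSubType":"SampleSubType","EventTimestamp":"2024-01-01T10:05:00Z","EventResult":"Success","ActorUserEmail":"support@tresorit.com","ActorUserIsExternal":false,"ActorUserId":"","ActorUserFirstName":""}
{"EventSchemaVersion":"1.0","EventType":"UserActivity","EventSubType":"TwoFactorOptionConfig","EventTimestamp":"2024-01-01T10:10:00Z","ActorUserEmail":"bob@example.com","ActorUserIsExternal":"false"}
"""

# Fields the Common event schema marks as Mandatory.
MANDATORY = ("EventSchemaVersion", "EventType", "EventSubType", "EventTimestamp", "EventResult", "ActorUserEmail", "ActorUserIsExternal")
# Actor fields the page says are left empty when Tresorit Support acts on the customer's request.
ACTOR_DETAIL = ("ActorUserId", "ActorUserFirstName", "ActorUserLastName", "ActorSessionId", "ActorUserDomainId", "ActorUserDomainName")
SUPPORT_ACTOR = "support@tresorit.com"

def parse_schema_version(value):
    """EventSchemaVersion is SemVer; return (major, minor, patch) or raise ValueError."""
    major, minor, patch = value.split(".")  # ValueError unless exactly MAJOR.MINOR.PATCH
    return int(major), int(minor), int(patch)

def check_event(event):
    """Return findings for one event: schema violations plus actor facts worth alerting on."""
    findings = []
    missing = [f for f in MANDATORY if event.get(f) in (None, "")]
    if missing:
        findings.append("missing mandatory field(s): " + ", ".join(missing))
    try:
        parse_schema_version(str(event.get("EventSchemaVersion", "")))
    except ValueError:
        findings.append("EventSchemaVersion is not SemVer")
    if not isinstance(event.get("ActorUserIsExternal"), bool):
        findings.append("ActorUserIsExternal is not a Bool")
    elif event["ActorUserIsExternal"]:
        findings.append("actor is external to the subscription")
    if event.get("ActorUserEmail") == SUPPORT_ACTOR:
        findings.append("action performed by Tresorit Support on customer request")
        stray = [f for f in ACTOR_DETAIL if event.get(f)]  # page says these should be empty
        if stray:
            findings.append("support actor but actor fields populated: " + ", ".join(stray))
    return findings

def triage(jsonl):
    """Check every JSON line; return {line number: findings} for lines that need attention."""
    checked = {n: check_event(json.loads(line)) for n, line in enumerate(jsonl.splitlines(), 1) if line.strip()}
    return {n: f for n, f in checked.items() if f}

if __name__ == "__main__":
    for n, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {n}: " + "; ".join(findings))
```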
Authentication event fields
Field | Class | Type | Possible values / Format | Description |
---|---|---|---|---|
EventSubType | Mandatory | Enumerated | | Describes a subdivision of the operation Each schema (based on the |
EventResultDetails | Recommended | Enumerated | | Additional information about the result of the |
LoginMethod | Optional | Enumerated | | The authentication method used by the user. Mandatory if the |
RevokeMode | Optional | Enumerated | | Whether or not to delete synchronized folders and files from the device. Mandatory if the |
TargetDeviceName | Optional | String | | Name of the device being registered or revoked. Mandatory if the |
TargetDeviceId | Optional | String | | Unique identifier of the device being registered or revoked. Mandatory if the |
TargetDeviceType | Optional | Enumerated | | Type of the device being registered or revoked. Mandatory if the |
TargetDevicePlatform | Optional | Enumerated | Device OS: | Platform name of the target device. |
UserActivity event fields
Field | Class | Type | Possible values / Format | Description |
---|---|---|---|---|
EventSubType | Mandatory | Enumerated | | Describes a subdivision of the operation Each schema (based on the * These properties will not be filled in case of a normal |
EventResultDetails | Recommended | String | | We use the |
AdminActivity event fields
Field | Class | Type | Possible values / Format | Description |
---|---|---|---|---|
EventSubType | Mandatory | Enumerated | | Describes a subdivision of the operation Each schema (based on the |
EventResultDetails | Recommended | String | | We use the |
DomainUserManagement event fields
Field | Class | Type | Possible values / Format | Description |
---|---|---|---|---|
EventSubType | Mandatory | Enumerated | | Describes a subdivision of the operation Each schema (based on the |
EventResultDetails | Mandatory | Enumerated | | Additional information about the result of the |
TargetUserId | Optional | String | | Unique identifier of the target user. Only optional if the example: |
TargetUserEmail | Optional | String | | Email of the target user. Only optional if the example: |
TargetUserFirstName | Optional | String | | First name of the target user. example: |
TargetUserLastName | Optional | String | | Last name of the target user. example: |
TargetUserRole | Mandatory | Enumerated | | Set of permissions for actions available for the target user. |
TargetUserNewRole | Optional | Enumerated | | The name of the target user's new role in the domain. Mandatory if the |
TargetUserPolicyId | Optional | String | | Unique identifier of the target user's current policy. Mandatory if the |
TargetUserPolicy | Optional | String | {name of old policy} | The name of the user's current policy. e.g. Mandatory if the |
TargetUserNewPolicyId | Optional | String | | Unique identifier of the target user's new policy. Mandatory if the |
TargetUserNewPolicy | Optional | String | {name of new policy} | The name of the user's new policy. e.g. Mandatory if the |
TargetDeviceName | Optional | String | | Name of the device being revoked. Mandatory if the |
TargetDeviceId | Optional | String | | Unique identifier of the device being revoked. Mandatory if the |
TargetDeviceType | Optional | Enumerated | | Type of the device being revoked. Mandatory if the |
TargetDevicePlatform | Optional | Enumerated | Device OS: | |
Events with AdditionalFields filled
EventType | EventSubType | Condition | AdditionalFields |
---|---|---|---|
Authentication | Login | | |
Authentication | Login | | |
UserActivity | TwoFactorOptionConfig | Phone number setup/verify/removal cases | |
UserActivity | TwoFactorOptionConfig | TOTP setup/verify cases | |
UserActivity | TwoFactorOptionConfig | 2FA option status enable/disable | |
UserActivity & DomainUserManagement | | 2FA option status enable/disable | |
AdminActivity | | Always | |
AdminActivity | | Always | |
AdminActivity | | Always | |
AdminActivity | | Create a new policy template | |
AdminActivity | | Clone an existing policy template | |
AdminActivity | | | |
AdminActivity | | Always | |
AdminActivity | | Always | |
AdminActivity | | Always | |
AdminActivity | | Always, unless called from | |
AdminActivity | | Always | |
DomainUserManagement | | Always | |