Skip to main content
All CollectionsTroubleshooting and How-ToHow-To Articles
How to integrate with the SIEM (Security Information & Event Management) and PM (Project Management) systems
How to integrate with the SIEM (Security Information & Event Management) and PM (Project Management) systems
A
Written by Arick Disilva
Updated over 4 months ago

You can set up a SIEM/PM integration from the Integrations screen.

Introduction to the Integrations Screen

The Integrations menu allows you to set up an integration with external Security Information and Event Management (SIEM) and Project Management (PM) software. You can then send user details and event triggers from Teramind to the integrated software.

image-261.png

The main Integrations screen shows you a list of current integrations. From here you can also create a new integration, change the settings of an integration or remove an integration when no longer needed.

Currently, the following built-in integration options are available:

SIEM:

  • Generic CEF Generic JSON

  • HP ArcSight

  • Splunk

  • Splunk CIM

  • IBM QRadar

  • McAfee

Project Management:

  • Jira

  • Redmine

  • Zendesk

API calls and/or custom integrations may be used to connect with platforms not listed here. Please contact [email protected] if you require such an integration.

Teramind exports event information with Syslog using the Common Event Format (CEF). Any SIEM should be able to consume that.

In the article, we have provided instructions for two SIEM integrations: Splunk and HP ArcSight. We have also provided instructions for two PM integrations: Zendesk and JIRA. This should help you understand how the integration works and enable you to integrate with other solutions. If you still need help, please contact [email protected].

Accessing the Integrations Menu

image-262.png

1. Click the Gear icon near the top-right corner of the Teramind Dashboard.

2. Click Integrations underneath the pop-up menu.

Setting Up a New SIEM Integration with Splunk

image-263.png

1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop-up:

mceclip0__28_.png

2. Select SIEMs from the list of product types.

3. Choose Splunk or Splunk CIM from the list of products.

You can set up a Splunk integration either using the standard interface or through the CIM (Common Information Model). The CIM helps you to normalize your data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. Both processes are similar to set up.

4. Click the NEXT STEP button to continue to Step 2:

mceclip1__20_.png

5. Select a Transport protocol, for example TCP.

6. Provide a HOSTNAME and PORT where the SIEM product is located at.

7. Click the NEXT STEP button to continue to Step 3:

mceclip2__9_.png

WEBSITE AUDIT event sends the System Logs to the SIEM.

For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.

8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM. By default, all events will be sent.

9. Optionally, you can specify the maximum field value length. The default value is 0 (unlimited).

10. Optionally, click on a Database icon for an event to configure its data mapping. A Data mapping window will pop-up:

mceclip4__8_.png

11. Map what SIEM field will be used for the corresponding Teramind field. You can use the checkbox in front of a field to turn it on/off.

12. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.

13. Click the LAUNCH INTEGRATION to save and launch the integration. Next, you will need to configure Splunk to accept the data sent to it from Teramind:

mceclip5__6_.png

14. Login to your Splunk account dashboard as an administrator.

mceclip6__4_.png

15. From the menu on top, select Settings > Source types.

mceclip7__4_.png

16. Click the New Source Type button near the top-right corner. A pop-up window will open:

17. Give the source a Name. You can configure other options for the Source from this window. For this exercise, we just need the Name parameter.

18. Click the Save button when you are done with setting up the Source.

mceclip9__2_.png

19. From the menu on top, select Settings > Data inputs.

mceclip2__10_.png

20. From the list of local inputs, click the + Add new link next to the TCP row. You will be taken to the Add Data wizard screen:

mceclip11__1_.png

21. On the first step, Select Source, enter the Port number you chose in Step 6 before. You can optionally set other parameters such as override source name, restrict connection to a specific host, etc. For this exercise, we only need the Port parameter.

22. Click the Next > button to go to the next step.

mceclip12__2_.png

23. On the second step, Input Settings, click on the Select Source Type drop-down box and select the Source you created in Step 16 before (e.g., my_source). You can optionally set other parameters such as app context, method, index etc. For this exercise, we only need the Source Type parameter.

24. Click the Next > button to go to the next step.

mceclip13__2_.png

25. On the third step, Review, review the configuration. Click the Submit > button to finish setting up the data input and go to next step.

mceclip14__3_.png

26. On the final step, Done, click the Start Searching button to view the data coming from your Teramind integration:

mceclip15__3_.png

27. To find the data easily, you can optionally specify parameters such as source and sourcetype in the Search field.

28. Optionally, you can specify the interval (e.g. 5 minute window) located right next to the search field.

For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.

Setting Up a New SIEM Integration with HP ArcSight

image-263__1_.png

1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop-up:

image-266.png

2. Select SIEMs from the list of product types.

3. Choose a SIEM product from the list of products. For example, HP ArcSight.

4. Click the NEXT STEP button to continue to Step 2.

image-267.png

5. Select the Transport protocol (UDP or TCP).

6. Provide a Hostname and Port where the SIEM product is located at.

7. Click the NEXT STEP button to continue to Step 3.

image-268.png

WEBSITE AUDIT event sends the System Logs to the SIEM.

For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.

8. Click the YES/NO slider button to turn an event on/off. Events which are selected will be sent to the SIEM.

9. Click on a Database icon to configure its data mapping. A Data mapping window will pop-up.

mceclip3.png

10. Map what SIEM field will be used for the corresponding Teramind field. You can use the checkbox in front of a field to turn it on/off.

11. When data mapping is done, click the SAVE button to close the Data mapping window and return to the Step 3 window.

12. Click the LAUNCH INTEGRATION on the Step 3 window to save and launch the integration.

Setting Up a New SIEM Integration Using the Generic CEF Option

When creating a new SIEM integration, you will notice that there is a Generic CEF option on the SIEMs product list. CEF (Common Event Format) is a text-based, open messaging standard and log format developed by ArcSight™ and used by HP ArcSight™ products.

If you use this option, Teramind will output data over the Syslog protocol using CEF data format. This will help you integrate with various SIEM tools for which Teramind does not have a built-in option.

The integration process is very similar to HP ArcSight. See the Setting Up a New SIEM Integration with HP ArcSight for step-by-step instructions.

For a list of the events and their description, please check out the Appendix: List of SIEM Events section below.

Setting Up a New PM Integration with Zendesk

image-270.png

1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop-up:

image-271.png

2. Select Project management from the list of product types.

3. Choose Zendesk from the list of products.

4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen.

image-272.png

Before you continue to the next step, you will need to create an OAuth Client in Zendesk. To do so:

image-273.png

5. Access your Zendesk domain, go to Admin section.

6. Click API under the Channels section.

7. Click the OAuth Clients tab.

8. Click the + button to add a client.

image-274.png

9. Use the information from the Teramind’s integration wizard (Step 2 of 3 screen) to complete the form. You’ll need to fill up the Client Name, Company, Unique Identifier and Redirect URLs fields with the data provided by Teramind’s Step 2 of 3 screen.

10. Copy the data displayed on the Secret field. Go back to the Zendesk Step 2 of 3 screen on Teramind.

image-275.png

11. Paste the Secret key you copied from Zendesk on the CLIENT SECRET field.

12. Click I HAVE CREATED THE CLIENT IN ZENDESK, CONTINUE. A pop-up window will open:

image-276.png

13. Click the Allow button. Go back to the Teramind integration wizard.

image-277.png

14. On the Teramind integration wizard (Zendesk: Step 2 of 3 screen), click the NEXT STEP. You will be taken to the Step 3 of 3 screen.

image-278.png

15. Give your project a name.

16. Add the task statuses to work on.

17. Click the MAP USERS ASSIGNMENT button. You will be taken to the user mapping screen.

image-279.png

18. Map the employees and supervisors. Enter the Zendesk usernames in the INTEGRABLE USERNAME field and then select the corresponding Teramind username from the TERAMIND USERNAME pull-down menu.

19. Click the SAVE button when done. You will be taken back to the Step 3 of 3 screen.

image-280.png

20. Click the LAUNCH INTEGRATION button on the Step 3 of 3 screen to save and launch your integration.

Setting Up a New PM Integration with Jira

image-270__1_.png

1. Click the Gear icon near the top-right corner of the dashboard, select Integrations. Then, click the SETUP NEW INTEGRATION button near the top-right corner of the Integrations screen. A setup wizard will pop-up:

mceclip0__29_.png

2. Select Project management from the list of product types.

3. Choose Jira from the list of products.

4. Click the NEXT STEP button to continue. You will be taken to the Step 2 of 3 screen:

mceclip1__21_.png

5. Note the instance / URL of your deployment (for example, https://arickteramin2.teramind.co). You will need it in Step 10.

6. Scroll down a little, note the CONSUMER KEY, CONSUMER NAME and the PUBLIC KEY values. You will need these three values in the Step 17 below. Keep this window open.

mceclip2__11_.png

7. Log into your Jira dashboard. Click the Settings icon near the top-right corner.

8. Select Products from the drop-down menu. You will be taken to a new window:

mceclip3__9_.png

9. Click the Application links from the left panel.

10. Enter the instance / URL of your deployment you copied from Step 5 above.

11. Click the Create new link button. You might see a pop-up window like the one below:

mceclip4__9_.png

12. Just click the Continue button. You will see another pop-up window, Link applications:

mceclip5__7_.png

13. Enter an Application Name, for example, Teramind.

14. Click the Continue button. Jira will process the configurations and after a while, you will see the Applications window and your application on the list:

mceclip6__5_.png

15. Click the small Pencil icon next to your application. A configure window will pop-up:

mceclip7__5_.png

16. Click the Incoming Authentication tab on the left panel.

17. Enter the Consumer Key, Consumer Name, and the Public Key values you copied in Step 6 above.

18. Scroll down and click the Save button to save your configurations. You will see a confirmation that your application is registered:

mceclip8__3_.png

19. Click the Close button to close the window and return to the Applications page.

mceclip9__3_.png

20. Copy the domain address / URL of your Jira deployment (for example, https://teramind-test.atlassian.net). You will need it in the next step, on the Teramind Dashboard:

mceclip10__2_.png

21. Go back to your Teramind Dashboard. Enter the domain address / URL of your Jira deployment you copied in the previous step into the JIRA BASE URL field.

22. Click the I ADDED APPLICATION LINK TO JIRA, CONTINUE button. A Welcome to JIRA window will pop-up:

mceclip11__2_.png

23. Click the Allow button to authenticate your application. The window will close and you will be back on the JIRA: Step 2 of 3 screen:

mceclip4.png

24. Wait a few seconds and then you will see an Auth success message.

25. Click the NEXT STEP button to continue to JIRA: Step 3 of 3 screen:

mceclip13__3_.png

26. Select your PROJECTS, ALLOWED TASK STATUSES, and TEST STATUSES from the corresponding fields.

27. Click the USERS ASSIGNMENT button to set up user mappings:

mceclip14__4_.png

28. You can map EMPLOYEES and TESTERS. Assign INTEGRABLE USERNAME with TERAMIND USERNAME, assign roles, etc.

29. Click the SAVE button when you are done with the user mapping. You will be taken back to the to JIRA: Step 3 of 3 screen:

mceclip15__4_.png

30. Click the LAUNCH INTEGRATION button to save your integration and return to the External Integration screen where you will see your Jira integration:

mceclip18__2_.png

31. You should now be able see and import your Jira projects and tasks from the TIME TRACKING > TASKS menu:

mceclip19__2_.png

Editing / Deleting an Integration

image-281.png

From the main Integration screen, under the ACTIONS column:

1. Click the Settings icon to change the connection settings for a SIEM integration.

2. Click the Database icon to change the events mapping for a SIEM integration.

3. Click the Trash Can icon to delete/remove an integration.

4. Click the Pad Lock icon to edit the app link/authorization settings for a PM integration.

5. Click the Refresh icon to change the project name, task statuses and user mapping for a PM integration.

Appendix: List of SIEM Events

USER LOGS IN

Sends user login events.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

Mycomp01

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent login

tmTime

rt

Time Since User Logged In (milliseconds)

1608062465779

tmWindowsFormatTime

wTime

System Date & Time

2020/12/15 20:01:05

USER DISCONNECTS

Sends user logout events.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

win7-64bit

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent logout

tmTime

rt

Time Since User Logged In (milliseconds)

1608062465779

tmWindowsFormatTime

wTime

System Date & Time

2020/12/15 20:01:05

EMAIL SENT

Sends outgoing email activities similar to the information displayed on the BI Reports > Emails and Monitoring > Emailing reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

john@desktop-ais7

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-AIS7

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent sends email

tmTime

rt

Time Since User Logged In (milliseconds)

1608062465779

tmEmailDirection

act

Email Direction

sent

tmEmailFrom

suser

Email From

tmEmailTo

duser

Email To

tmEmailCC

cs3

Email CC

tmEmailSubject

cs4

Email Subject

My vacation pictures

tmEmailClient

cs5

Email Client

gmail

tmWindowsFormatTime

wTime

System Date & Time

2020/12/15 20:01:05

EMAIL RECEIVED

Sends incoming email activities similar to the information displayed on the BI Reports > Emails and Monitoring > Emailing reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

shelly@desktop-peotii9

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII9

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent receives email

tmTime

rt

Time Since User Logged In (milliseconds)

1608062465779

tmEmailDirection

act

Email Direction

received

tmEmailFrom

suser

Email From

tmEmailTo

duser

Email To

shelly1980yahoo.co

tmEmailCC

cs3

Email CC

tmEmailSubject

cs4

Email Subject

Sales presentation deck

tmEmailClient

cs5

Email Client

yahoo

tmWindowsFormatTime

wTime

System Date & Time

2020/12/15 20:01:05

DOC PRINTED

Sends printing activities similar to the information displayed on the BI Reports > Printing and Monitoring > Printing reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

Mycomp01

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent prints

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmFileName

filePath

App Name - File Name

Microsoft Word – Quarterly Sales Report

tmPrinterName

cs3

Printer Name

Brother HL-5370DW

tmPrinterPages

cn1

Number of Pages Printed

3

tmPrinterCopies

fname

Number of Copies Printed

1

tmWindowsFormatTime

wTime

System Date & Time

2021/10/02 05:28:57

APP LAUNCHED

Sends application launch/run activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

Mycomp01

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent opens app

tmATime

rt

Time Since User Logged In (milliseconds)

1633152537698

tmActivityUid

cs3

Activity Unique Identifier

81cbdae8-ee93-4fc9-80a6-22d2e59f5806

tmActivityName

sourceServiceName

Name of the App/Service

word.exe

tmStart

start

App Start Time (milliseconds)

1633152537698

tmActivityAction

act

Action Type

open

tmActivityTitle

cs4

Title of the App Window – App Name

Sales Report.docx - Word

tmWindowsFormatTime

wTime

System Date & Time

2021/10/02 05:28:57

tmWindowsFormatStart

wStartTime

App Start Time

2021/10/02 05:28:57

APP CLOSED

Sends application exit/close activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

Mycomp01

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent closes app

tmTime

rt

Time Since User Logged In (milliseconds)

1633152537698

tmActivityUid

cs3

Activity unique identifier

81cbdae8-ee93-4fc9-80a6-22d2e59f5806

tmActivityName

sourceServiceName

Name of the App/Service

word.exe

tmStart

start

App Start Time (milliseconds)

1633152624921

tmEnd

end

App End Time (milliseconds)

1823426546342

tmActivityAction

act

Action Type

close

tmActivityTitle

cs4

Title of the App Window – App Name

Sales Report.docx - Word

tmWindowsFormatTime

wTime

System Date & Time

2021/10/02 05:28:57

tmWindowsFormatStart

wStartTime

App Start Date & Time

2021/10/02 05:28:57

tmWindowsFormatEnd

wEndTime

App End Date & Time

2021/10/02 05:28:57

WEBSITE OPENED

Sends website visit activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

oscar@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 10 Enterprise LTSC 10.0.19044 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent opens web page

tmTime

rt

Time Since User Logged In (milliseconds)

1633152537698

tmActivityUid

cs3

Activity Unique Identifier

25596d1a-541c-44ce-b29c-7fbc22a0aeae

tmActivityName

sourceServiceName

Source Domain

www.msn.com

tmStart

start

Time When User Started Browsing the Webpage (milliseconds)

1633152624921

tmActivityAction

act

Action Type

open

tmWebUrl

request

Website URL

https://www.msn.com/en-xl/sports?ocid=1

tmWebTitle

cs4

Webpage Title - Browser Name

MSN Sports - Google Chrome

tmWindowsFormatTime

wTime

System Date & Time

2021/10/02 05:28:57

tmWindowsFormatStart

wStartTime

Time When User Started Browsing the Webpage

(OS standard time)

2021/10/02 05:22:01

WEBSITE CLOSED

Sends website close activities similar to the information displayed on the BI Reports > Applications & Websites and Monitoring > Web Pages & Applications reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

oscar@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 10 Enterprise LTSC 10.0.19044 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent closes web page

tmTime

rt

Time Since User Logged In (milliseconds)

1633152537698

tmActivityUid

cs3

Activity Unique Identifier

25596d1a-541c-44ce-b29c-7fbc22a0aeae

tmActivityName

sourceServiceName

Source Domain

www.msn.com

tmStart

start

Time When User Started Browsing the Webpage (milliseconds)

1633152624921

tmActivityAction

act

Action Type

close

tmWebUrl

request

Website URL

https://www.msn.com/en-xl/sports?ocid=1

tmWebTitle

cs4

Webpage Title - Browser Name

MSN Sports - Google Chrome

tmEnd

End

Time When User Stopped Browsing the Webpage

(milliseconds)

1643152624921

tmWindowsFormatTime

wTime

System Date & Time

2021/10/02 05:28:57

tmWindowsFormatStart

wStartTime

Time When User Started Browsing the Webpage

(OS standard time)

2021/10/02 05:22:01

tmWindowsFormatEnd

wEndTime

Time When User Stopped Browsing the Webpage

(OS standard time)

2021/10/02 05:24:01

SEARCH QUERY DETECTED

Sends user search queries (e.g., on Google Search) similar to the information displayed on the BI Reports > Searches and Monitoring > Searches reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

stitus@desktop-uaq1hmb

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 10 Pro 10.0.19045 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-UAQ1HMB

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent searches

tmTime

rt

Time Since User Logged In (milliseconds)

1633152537698

tmWebUrl

request

Search Engine Domain

google.com

tmSearchPhrase

cs3

Search Phrase

brownie recipe for 3 people

tmWindowsFormatTime

wTime

System Date & Time

2021/10/02 05:28:57

BEHAVIOR RULE VIOLATED

Sends the behavior rule violation events similar to the information displayed on the BI Reports > Behavior Alerts and Behavior > Alerts reports. The event comes with many fields but not all fields are used for a particular rule violation event. Only the fields relevant to a particular incident is sent to the SIEM. Some fields are generic and available across all the rules. For example, Rule ID (cs10), Rule Name (cs11), etc. Other fields might have common names but might capture different data.

General

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Behavior rule notification

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

tmBehaviorRuleId

cs10

Rule ID

262

tmBehaviorRuleName

cs11

Rule Name

Sensitive data protection rule

tmBehaviorRuleNotificationType

type

Rule Type

  • email

  • application

  • webpage

  • browser_plugin

  • text (KEYSTROKES rule)

  • file_upload (FILES-Activity rule)

  • filesystem (FILES-Content Sharing rule) clipboard

  • network_connection(NETWORKING rule)

  • printer

  • conv_msg (IM rule)

tmActivityName

sourceServiceName

Source App/ Process

chrome.exe

tmProcessName

processName

Process Name

chrome.exe

tmWebpageTitle

webpageTitle

Webpage Title

Business News | CNN

tmSharedListId

cs12

Deprecated / Not Used

tmSharedListName

cs13

Deprecated / Not Used

tmSharedListValue

cs14

Deprecated / Not Used

tmSharedListItems

cs15

Deprecated / Not Used

tmCloudRoot

cloudRoot

Deprecated / Not Used

tmFileSystemExt

fileSystemExt

Deprecated / Not Used

tmApplyOnScreenUnlock

applyOnScreenUnlock

Deprecated / Not Used

tmIdle

cn4

Deprecated / Not Used

Emails

Teramind Event

Default Field

Description

Sample Data

tmBehaviorRuleNotificationType

type

Rule Type

email

tmEmailDirection

act

Email Direction

  • sent

  • received

tmEmailFrom

suser

Email From

tmEmailTo

duser

Email To

tmEmailCC

cs3

Email CC and BCC

tmEmailSubject

cs4

Email Subject

Sales discussion

tmEmailBody

tmEmailBody

Email Body

Hi Shelly, could you please look at the attached file? Thanks, Billy

tmEmailClient

cs5

Email Client

  • gmail

  • web_outlook

  • etc.

tmEmailSize

emailSize

Email Size

23435

tmEmailHasAttachment

emailHasAttachment

Has Attachment?

(only included if the rule is specifically using the Has attachment condition

1 (yes)

0 (no)

tmEmailAttachmentName

emailAttachmentName*

Attachment Name

(only included if there's any attachment. Emails with multiple attachments are sent as separate event)

  • Sales Report.pdf

  • c:\\users\\enrico\report.docx

tmUploadFileName

uploadFileName

Upload File Name

(same as emailAttachmentName but included for Content Sharing rules)

  • Sales Report.pdf

  • c:\\users\\enrico\report.docx


*On some email clients (e.g., Outlook Web), it shows multiple attachments as emailAttachmentName1, emailAttachmentName2, etc. On the other hand, in other email clients (e.g., Gmail Web), it sends separate event for each attachment.

Keystrokes

Teramind Event

Default Field

Description

Sample Data

tmText

cs7

Text Typed

(if special keys are enter, it will contain only the special keys otherwise similar to textTyped)

  • <capslock>

  • <ctrl> + c

  • texttyped

  • etc.

tmTextTyped

textTyped

Text Typed

(all text typed excluding special keys)

onecontineousTEXT

tmWordTyped

wordTyped

Word Typed

(individual words)

This is a TEXT

IM

Teramind Event

Default Field

Description

Sample Data

tmConvSource

cs5

IM App

  • hangouts (Google Chat)

  • skype_web (Skype Web)

  • zoom_web (Zoom Web)

  • etc.

tmConvMessage

cs4

Message

Hi, how are you doing today?

tmConvDirection

act

Message Direction

  • sent

  • received

tmConvFrom

suser

Message From

Enrico

tmConvTo

duser

Message To

  • Shelly Gomes

  • <everyone>

  • Johh Smith, Jedi123

  • etc.

Clipboard

Teramind Event

Default Field

Description

Sample Data

tmClipboardOrigin

clipboardOrigin

Clipboard Origin (Copy)

https://www.salesforce.com/account.aspx

tmClipboardTarget

clipboardTarget

Clipboard Target (Paste)

winword.exe

tmClipboardText

clipboardText

Copied Text

Text copied from clipboard

tmContentOrigin

contentOrigin

Content Origin

https://www.salesforce.com/account.aspx

Applications & Webpages

Teramind Event

Default Field

Description

Sample Data

tmIdleTime

idleTime

Time Idle

(seconds)

30

tmTimeActive

timeActive

Time Active (seconds)

120

tmApplicationName

applicationName

Application Name (executable file)

winword.exe

tmApplicationCaption

applicationCaption

Application Title

Sales Doc - Word

tmLaunchedFromCli

launchedFromCli

Launched from Command Line

(name of the app)

word.exe

tmWebUrl

request

Webpage URL

https://edition.cnn.com/business

tmWebTitle

cs6

Webpage Title

Business News | CNN

tmAppNotRunTime

appNotRunTime

Application Not Run Time

(Not launch for rule condition – in seconds)

115

Files

Teramind Event

Default Field

Description

Sample Data

tmFileSystemOperation

fileSystemOperation

File Operation

file read

Other possible types are: file write/ folder access / file delete, folder create, etc.

tmNetworkRoot

networkRoot

Network Root

(for network share)

\\\\ desktop7

tmPath

filePath

Network Destination

(for network share)

\\\\desktop8\\mailslot\\net

tmDownloadFileName

downloadFileName

Download File Name

Sales report.pdf

tmUploadFileName

uploadFileName

Upload File Name

Sales report.pdf

tmDownloadUrl

downloadUrl

Download URL

http://docs.googleusercontent.com/docs/securesc/da3d

tmUploadFileSize

uploadFileSize

Uploaded File Size

(Bytes)

343243

tmDownloadFileSize

downloadFileSize

Downloaded File Size

(Bytes)

323443

tmUploadVia

uploadVia

Uploaded Via

browser

Other possible types are: ftp / smtp / outlook

Browser Plugin

Teramind Event

Default Field

Description

Sample Data

tmBrowser

browser

Browser Name

chrome

tmBrowserPlugin

browserPlugin

Plugin Name

Chrono Download Manager

tmBrowserPluginPermissions

browserPluginPermissions

List of Plugin Permissions

alarms,clipboardRead,clipboardWrite,downloads,Storage

tmFileSystemPath

fileSystemPath

File Path

\\users\\appdata\\local\\

Networking

Teramind Event

Default Field

Description

Sample Data

tmRemoteHost

remoteHost

Remote Host

142.250.184.225

tmRemotePort

remotePort

Remote Port

443

tmBytesSent

bytesSent

Bytes Sent

3324324

tmBytesRecv

bytesRecv

Bytes Received

32432

Printing

Teramind Event

Default Field

Description

Sample Data

tmPrinterNumPages

printerNumPages

Number of Pages

1

tmPrinterName

cs5

Printer Name

Epson FX 300

tmDocName

cs4

Document Name

Sales report.docx

FILE ACTIONS

Sends file activities similar to the information displayed on the BI Reports > File Events and Monitoring > File Transfers reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent performs some file action

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmFileAction

act

Action Type

rename

Other possible acts are: create / access / copy / remove, etc.

tmFileName

fname

File Name

c:\\users\\adam\doc\Sales Report.xlsx

tmOldFileName

oldFileName

Old File Name

(only available when the File Name changes - e.g., when renaming a file)

c:\\users\\adam\doc\vacation.png

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

FLASHDISK ACTIONS

Sends external/USB disk activities.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent performs some file action

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmFlashdiskAction

act

Action Type

insert

Another possible act is: eject

tmFlashdiskMount

fname

Drive

(where the flash disk/USB drive is mounted)

E

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

TEXT COPIED

Sends the clipboard copy/paste events. The event gets triggered for both the copy and paste operations. However, they look exactly the same, i.e., all the fields have similar output. The only way to distinguish them is to look at the time stamps (wTime). Usually, the copy operation will take place before the paste operation.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent copies text

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmText

cs3

Text Being Copied/Pasted

The quick brown fox jumps

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

WEBSITE AUDIT

Captures administrator/privileged user activities on the Teramind Dashboard. Such as when an admin views certain report, creates a rule, edits an employee’s profile, etc. The events are similar to what’s displayed on the BI Reports > Audit or System > System Log reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmServer

dst

Teramind Server Address

10.11.55.114

tmWebVersion

cs1

Teramind Web UI Version

0.1.100

tmMessage

msg

Event Message

Audit event

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

tmAction

act

Action Type

View

Other examples are: View List, Edit, Create, Login, Logout, Download, etc.

tmRoute

request

Type of Request

/tt/r/agent-cost

In the above example, the Tracking > Employee Costs report is being accessed. Other examples are:

  • /wip/tma-chart/data – data for a chart widget being accessed (usually from a BI report).

  • /manage/tasks – a task being managed/edited.

tmDetails

cs5

Details

(similar to the Description column on the BI Reports > Audit or System > System Log reports. Not all events have this field.)

Inserted 1 element

In the above example, a list item was added to a Shared List. Other examples are:

  • Enabled: Audio – Audio setting on the monitoring settings is turned on.

  • /tm-api/player/export-video/download/147 – a video file was downloaded from the System > Video Export screen.

If the details contain multiple items, this field will contain a JSON structure containing details for each item. For example, modifying multiple settings on a settings screen or changing something on a BI report. Here’s a sample Details from the File Events BI Report:

{
"cube": [
"file_event"
],
"timezone": "Asia/Baku",
"time_format": 0,
"aggregate": false,
"dims": [
"timestamp",
"id",
"agent",
"computer",
"event_type",
"path",
"dst_path",
"description"
],
"measures": [],
"dim_filters": {
"date": {
"range": [
"2023-05-01",
"2023-05-08"
]
}
},
"data_filters": {},
"ldap_filters": [],
"ad_group": {},
"offset": 0,
"limit": 100,
"meta": {
"report": {
"name": "File Events"
},
"widget": {
"name": ""
}
},
"order": [
[
"timestamp",
"desc"
]
],
"agents": [],
"computers": [],
"departments": []
}

tmObjType

cs2

Object Type

(this can be a page, dashboard, agent, etc.)

bi_query

In the above example, the object is any of the pages under the BI Reports menu. Other examples are:

  • report – any report under the Monitoring menu.

  • agent – any pages under the Employees menu

  • dashboard – any pages under the Dashboards menu

  • page – any other pages

  • task – a task being created/edited

tmObjId

cs3

Object Id

(note that not all events have this field)

22

tmObjName

cs4

Object Name

(this can be the shot URL or name of a page/report, name of an item, etc.)

pinted_doc

The above example is the name of a report object (in this case, BI Reports > Printing report). Other examples are:

  • activity –BI Reports > App & Websites report

  • mail –BI Reports > Email report

  • manage/tasks –Time Tracking > Tasks page

  • My Task 01 – name of an item, in this case, name of a task being created/edited

CONSOLE COMMANDS

Sends the commands used on Command Prompt/Terminal. The events are similar to what’s displayed on the BI Reports > Console Commands or Monitoring > Console Command reports.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Agent console command run

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

tmCommand

cs3

The command used

regedit

Other examples are: C:\Windows\regedit.exe, ping, etc. Note that built-in commands like copy, cls, md etc. aren't captured.

tmUsername

suser

System Username

Encico Gomes@DESKTOP-PEOTII7

tmPid

cn1

Process ID

6388

tmDuration

cs4

Duration of the command run time (seconds)

3.182000

OS SLEEP & LOCK STATE

Sends the OS state changes of users' computers such as Sleep, Lock, Screen Saver, etc.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmMessage

msg

Event Message

Operating system session locked

Other examples are: Operating system session unlocked, Operating system goes to sleep state, Operating system screensaver started, Operating system screensaver stopped, etc.

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

tmOsSleepLockState

cs3

The State of the OS

session_lock

Other examples are: session_unlock, sleep_start, sleep_end, screensaver_start, screensaver_stop, etc.

BUSINESS PROCESS

Sends custom business process information, such as in-app field parsing data to the SIEM. Each business process can be unique to each customer. Custom event data is sent as JSON formatted text inside the tmEvent (event) field.

Teramind Event

Default Field

Description

Sample Data

tmAgent

suid

User@Computer/Domain Name

enrico@desktop-peotii6

tmAgentIp

dvc

Agent IP

10.55.54.180

tmClientVersion

cs1

Agent Version

0.1.256

tmOS

shost

Host OS

Microsoft Windows 7 Home 6.1.7601 64-bit

tmComputer

sntdom

Computer Name

DESKTOP-PEOTII6

tmServer

dst

Teramind Server Address

10.11.55.114

tmServerVersion

cs2

Teramind Server Version

0.1.100

tmTime

rt

Time Since User Logged In (milliseconds)

1682933007568

tmWindowsFormatTime

wTime

System Date & Time

2023/05/02 10:44:56

tmLocation

location

A custom, arbitrary ID to identify the location of a page/field/element, etc.

400

tmEvent

event

Details of the custom business process event in JSON format

Here is a demo form related to a business process:

(click the image to enlarge)

Here's how it's captured on Splunk on different stages of interactions (e.g., clicking a field, changing a value, etc.) on the form:

(click the image to enlarge)

The events show the user clicking the form field(s), searching for a customer, etc.

Did this answer your question?