From 020f1ca0cb6c48d49e8174a4b4b215b2c0b810b5 Mon Sep 17 00:00:00 2001 From: dakle Date: Fri, 27 Feb 2026 13:22:55 +0100 Subject: [PATCH 1/3] add article on SIEM in context of midPoint --- iam/siem.adoc | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 iam/siem.adoc diff --git a/iam/siem.adoc b/iam/siem.adoc new file mode 100644 index 00000000..8d23d3e6 --- /dev/null +++ b/iam/siem.adoc 
@@ -0,0 +1,79 @@ += SIEM with midPoint +:page-nav-title: SIEM with midPoint +:page-toc: top +:display-order: 900 +:page-keywords: siem, security, security information and event management +:page-description: Explore how SIEM integrates with midPoint to aggregate logs, detect threats, and automate identity‑centric responses for stronger security + +Security information and event management (SIEM) platforms have become a cornerstone of modern cyber‑defense strategies. +By aggregating, normalizing, and analyzing log data from disparate sources, +a SIEM gives organizations the visibility they need to detect threats, respond quickly, and retain forensic evidence. +For teams using midPoint to manage identities, +a SIEM solution bridges the gap between identity governance and perimeter security, +turning raw audit trails into actionable intelligence. + +== What is SIEM + +A SIEM is a software solution that collects security-related events from devices like access points and routers, applications like midPoint, containerization solutions like Docker, and operating systems on which these applications and containers run. +The SIEM solution normalizes the collected logs to a common schema and stores them centrally for real-time monitoring and historical analysis. + +== Core capabilities of SIEM + +The typical SIEM capabilites are: + +* Log aggregation across heterogeneous environments +* Parse raw events into structured records +* Correlate collected events to apply rule‑based or behavioral analytics +* Act on detected threats and alert security teams +* Aggregate collected and processed data for visual dashboard presentation +* Retain long-term log archives + +SIEM solutions ingest raw logs from various applications, containers, and host operating systems (e.g., midPoint in Docker on Arch Linux). +These logs are then parsed according to the source-specific rules to extract events in the logs and analyze them. 
+The analysis applies predefined security rules and optionally machine‑learning models to identify anomalous behavior, such as repeated failed logins or large number of deleted user accounts. +In case an anomalous activity is detected, the SIEM solution alerts responsible teams and generates a report. +It may take an action defined in the rules as well (e.g., deactivate the culprit using the midPoint API) to shorten the mean time to response (MTTR) as much as possible. +The historical data kept by SIEM for the future reference enable analysts to trace back incidents, spot recurring patterns, and refine the detection rules. + +== Why use a SIEM + +The traditional perimeter security is based on network protection; +firewalls typically filtered traffic based on IP addresses and ports, internal resources were available only from within the corporate LAN or through VPN, etc. +Modern attacks target the identity layer: using compromised credentials and insider misuse, they bypass the network controls entirely. +Consequently, organizations moved on to rely on identity‑based perimeters where authorization decisions are tied to user identities rather than static network locations. + +SIEM gives organizations a comprehensive insight into the security status by consolidating logs from firewalls, network devices, cloud services, and applications, such as identity platforms. +By parsing, correlating, and centrally managing the aggregated events, it is possible to quickly spot suspicious activity patterns that would stay invisible in isolated logs. +The SIEM solution has context of the whole environment, thanks to which it can distinguish a completely benign and legitimate traffic surge from a malicious DDoS attack, for instance. +Storing historical data enables security teams to investigate past incidents, reconstruct attack timelines, monitor trends, as well as ensure compliance with standards, such as GDPR or ISO-27001. 
+ +== How can SIEM work with midPoint + +MidPoint emits to the xref:/midpoint/reference/security/audit/[audit log] detailed events for provisioning actions, task executions, policy evaluations, etc. +A SIEM can be configured to pull these logs and capture every identity‑related change. + +Once ingested, the SIEM parses the midPoint logs to extract key attributes like user IDs, operation types, affected resources, and so on. +These structured data become the basis for correlation with other security events, such as VPN logins or that someone passed through the building door in the middle of the night (and then logged into midPoint under different identity). + +In case of a policy rule violation, a SIEM can trigger remediation actions through midPoint REST API. + +Here is an example workflow: + +. SIEM detects a brute‑force login pattern on a user account. +. SIEM sends a request to midPoint API to set the user's administrative status to disabled in order to protect the account. +. MidPoint then propagates the status change to all connected resources according to its mapping and synchronization rules. + +This autonomous response by the SIEM is way faster than what a human operator alone could achieve, even if he monitored the logs continuously. + +Beyond identity events, a SIEM can monitor the host environment where midPoint runs. +It can be configured to +verify the file system permissions are set according to the defined best practices, +check the container runtime settings, +or validate the network configuration +to ensure the overall setup meets the security requirements. + +== Conclusion + +Integrating a SIEM with midPoint transforms raw identity‑governance data into a proactive security capability. +By aggregating logs, correlating events across the stack, and automating remediation through midPoint API, you can shift from a reactive incident handling to predictive identity‑centric modus operandi. 
+As the threat landscape moves away from network breaches to identity theft and abuse, a SIEM integration becomes essential for maintaining robust security hygiene. \ No newline at end of file From 3081de94536e90040d39ae857fa475a0f7e6c470 Mon Sep 17 00:00:00 2001 From: dakle Date: Fri, 27 Feb 2026 13:51:59 +0100 Subject: [PATCH 2/3] Add links, fix errors, adjust title --- iam/siem.adoc | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/iam/siem.adoc b/iam/siem.adoc index 8d23d3e6..05f33c5c 100644 --- a/iam/siem.adoc +++ b/iam/siem.adoc @@ -1,7 +1,7 @@ -= SIEM with midPoint -:page-nav-title: SIEM with midPoint += SIEM integration with midPoint +:page-nav-title: SIEM :page-toc: top -:display-order: 900 +:page-display-order: 900 :page-keywords: siem, security, security information and event management :page-description: Explore how SIEM integrates with midPoint to aggregate logs, detect threats, and automate identity‑centric responses for stronger security 
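Review bot: `capabilites` in the "Core capabilities of SIEM" section is misspelled ("capabilities"), and `:display-order:` in the header is not the attribute this docs site uses; it should be `:page-display-order:` (patch 2/3 in this series corrects it, but the fix belongs in the commit that introduces the file). In the example workflow, the step "SIEM sends a request to midPoint API to set the user's administrative status to disabled" deserves one sentence on the account the SIEM uses for that call: a dedicated service identity authorized only for activation changes, not a full administrator, since a credential that can disable any user is a high-value secret in its own right. The same workflow should also mention that an automatic disable triggered by a brute-force signal can lock legitimate users out, so the rule needs a threshold and an exception for break-glass and other privileged accounts. The closing paragraph of "How can SIEM work with midPoint" ("verify the file system permissions ... check the container runtime settings ... validate the network configuration") describes host and configuration checks that a SIEM typically receives from a host agent or compliance scanner rather than performs itself; "a SIEM can ingest host-level checks that ..." would be more accurate. Minor: "large number of deleted user accounts" needs "a large number", and the file lacks a trailing newline.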
@@ -53,19 +53,19 @@ MidPoint emits to the xref:/midpoint/reference/security/audit/[audit log] detail A SIEM can be configured to pull these logs and capture every identity‑related change. Once ingested, the SIEM parses the midPoint logs to extract key attributes like user IDs, operation types, affected resources, and so on. -These structured data become the basis for correlation with other security events, such as VPN logins or that someone passed through the building door in the middle of the night (and then logged into midPoint under different identity). +These structured data become the basis for correlation with other security events, such as VPN logins or that someone passed through the building door in the middle of the night (and then logged into midPoint under a different identity). -In case of a policy rule violation, a SIEM can trigger remediation actions through midPoint REST API. +In case of a policy rule violation, a SIEM can trigger remediation actions through xref:/midpoint/reference/interfaces/rest/[midPoint REST API]. Here is an example workflow: . SIEM detects a brute‑force login pattern on a user account. -. SIEM sends a request to midPoint API to set the user's administrative status to disabled in order to protect the account. +. SIEM sends a request to midPoint API to set the user's xref:/midpoint/reference/concepts/activation/[administrative status] to disabled in order to protect the account. . MidPoint then propagates the status change to all connected resources according to its mapping and synchronization rules. This autonomous response by the SIEM is way faster than what a human operator alone could achieve, even if he monitored the logs continuously. -Beyond identity events, a SIEM can monitor the host environment where midPoint runs. +Beyond identity events, a SIEM system can monitor the host environment where midPoint runs. 
It can be configured to verify the file system permissions are set according to the defined best practices, check the container runtime settings, @@ -76,4 +76,15 @@ to ensure the overall setup meets the security requirements. Integrating a SIEM with midPoint transforms raw identity‑governance data into a proactive security capability. By aggregating logs, correlating events across the stack, and automating remediation through midPoint API, you can shift from a reactive incident handling to predictive identity‑centric modus operandi. -As the threat landscape moves away from network breaches to identity theft and abuse, a SIEM integration becomes essential for maintaining robust security hygiene. \ No newline at end of file +As the threat landscape moves away from network breaches to identity theft and abuse, a SIEM integration becomes essential for maintaining robust security hygiene. + +== See also + +* xref:/midpoint/security/[] +* xref:/midpoint/features/current/audit-trail/[] +* xref:/midpoint/features/current/case-management/[] +* xref:/midpoint/features/current/compliance-dashboard/[] +* xref:/midpoint/features/current/correlation/[] +* xref:/midpoint/features/current/reporting/[] +* xref:/midpoint/features/current/rest-api/[] +* xref:/midpoint/reference/roles-policies/policies/[] \ No newline at end of file From 723e891cbfc48a4ff7ab0cd4a9431e02b40e5dcb Mon Sep 17 00:00:00 2001 From: dakle Date: Tue, 3 Mar 2026 14:39:43 +0100 Subject: [PATCH 3/3] Mention syslog; improve grammar & wording --- iam/siem.adoc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/iam/siem.adoc b/iam/siem.adoc index 05f33c5c..ac10e694 100644 --- a/iam/siem.adoc +++ b/iam/siem.adoc 
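Review bot: "even if he monitored the logs continuously" in the paragraph after the workflow still uses a gendered pronoun; "even if they monitored the logs continuously" (or "even with continuous monitoring") reads better. In the last changed line, "a SIEM system" is redundant because the M in SIEM already stands for management; "a SIEM" or "a SIEM solution" matches the rest of the article. The new xrefs to the REST API and to administrative status are welcome; the workflow step "SIEM sends a request to midPoint API" would be consistent if "midPoint API" there carried the same `xref:/midpoint/reference/interfaces/rest/[...]` link as the paragraph above it.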
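Review bot: the file still ends with "\ No newline at end of file" after the new "See also" list; add the trailing newline so later edits do not keep producing a spurious change on the last line. The list entries use empty link text (`[]`), which Antora resolves to the target page title, but `xref:/midpoint/security/[]` sits outside the `features/current` and `reference` trees the other entries use, so it is worth confirming that the target exists. "predictive identity‑centric modus operandi" in the unchanged conclusion line is awkward (patch 3/3 rewords it).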
@@ -37,8 +37,8 @@ The historical data kept by SIEM for the future reference enable analysts to tra == Why use a SIEM -The traditional perimeter security is based on network protection; -firewalls typically filtered traffic based on IP addresses and ports, internal resources were available only from within the corporate LAN or through VPN, etc. +The traditional perimeter security was based on network protection; +firewalls typically filtered traffic based on IP addresses and ports, internal resources were available only from within the corporate LAN or through a VPN, etc. Modern attacks target the identity layer: using compromised credentials and insider misuse, they bypass the network controls entirely. Consequently, organizations moved on to rely on identity‑based perimeters where authorization decisions are tied to user identities rather than static network locations. 
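Review bot: "The traditional perimeter security was based on network protection" still carries a stray definite article; "Traditional perimeter security was based on network protection" is the idiomatic form, and the switch to past tense is right given the "Modern attacks" contrast that follows. In the unchanged context, "organizations moved on to rely on identity‑based perimeters" would read better as "organizations have moved to identity‑based perimeters".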
@@ -49,8 +49,8 @@ Storing historical data enables security teams to investigate past incidents, re == How can SIEM work with midPoint -MidPoint emits to the xref:/midpoint/reference/security/audit/[audit log] detailed events for provisioning actions, task executions, policy evaluations, etc. -A SIEM can be configured to pull these logs and capture every identity‑related change. +MidPoint uses xref:/midpoint/reference/security/audit/[audit log] to track details about events like provisioning actions, task executions, policy evaluations, etc. +You can configure midPoint xref:/midpoint/reference/diag/logging/syslog-logging/[syslog] to transport audit log messages to a SIEM so that it can capture every identity‑related change for further processing. Once ingested, the SIEM parses the midPoint logs to extract key attributes like user IDs, operation types, affected resources, and so on. These structured data become the basis for correlation with other security events, such as VPN logins or that someone passed through the building door in the middle of the night (and then logged into midPoint under a different identity). 
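Review bot: both rewritten sentences drop an article or possessive: "MidPoint uses the xref:...[audit log] to track" and "You can configure midPoint's xref:...[syslog] logging to transport". Since this is the point where the audit trail leaves midPoint, the paragraph should also say that the syslog transport needs protection (TLS to the collector rather than plain UDP) and that the SIEM side must treat the records as sensitive, because they carry user identifiers and operation details; a reader following this page as written will assume a default syslog setup is sufficient. One sentence on what happens to audit events while the collector is unreachable would help too, as a gap in the SIEM copy of the trail is exactly what a later investigation trips over.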
@@ -75,13 +75,14 @@ to ensure the overall setup meets the security requirements. == Conclusion Integrating a SIEM with midPoint transforms raw identity‑governance data into a proactive security capability. -By aggregating logs, correlating events across the stack, and automating remediation through midPoint API, you can shift from a reactive incident handling to predictive identity‑centric modus operandi. +By aggregating logs, correlating events across the stack, and automating remediation through midPoint API, you can shift from a reactive incident handling to predictive identity‑centric incident prevention. As the threat landscape moves away from network breaches to identity theft and abuse, a SIEM integration becomes essential for maintaining robust security hygiene. == See also * xref:/midpoint/security/[] * xref:/midpoint/features/current/audit-trail/[] +* xref:/midpoint/reference/diag/logging/syslog-logging/[] * xref:/midpoint/features/current/case-management/[] * xref:/midpoint/features/current/compliance-dashboard/[] * xref:/midpoint/features/current/correlation/[]
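Review bot: "shift from a reactive incident handling to predictive identity‑centric incident prevention" still has the stray article and wants a comma: "shift from reactive incident handling to predictive, identity‑centric incident prevention"; "through midPoint API" in the same sentence should be "through the midPoint API". The new `syslog-logging` entry breaks the otherwise alphabetical order of the "See also" list (audit-trail, case-management, compliance-dashboard, ...); placing it with the other `reference/` entry at the end, or sorting the list, keeps it tidy. The conclusion presents "automating remediation" without the caveat the workflow section implies, namely that the SIEM then holds a write-capable midPoint credential; a short clause pointing back to that requirement would keep the two sections consistent.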