1. RSA® Authentication Manager 7.1 Log Monitoring Guidelines
The following document describes audit log messages that will allow your organization to monitor your
RSA®Authentication Manager 7.1 systems for unusual authentication activities such as passcode reuse,
next tokencode, etc. You should also examine older or archived logs to establish a baseline frequency
for these events before proceeding. In addition, some actions like provisioning new tokens or changing
PIN policy will increase the frequency of these events.
The events that should be monitored are broken into sections based on which report should be used to
monitor them.
Authentication Failure Event Report
You can generate a customized “Login Failure Event” Authentication Activity Report for end user
authentication events. To generate this report, in addition to your usual customization choose the
following options and values:
1. Choose “Login Event” for “Activity Key” option
2. Choose “False” for “Display Successful Actions”
3. Choose “True” for “Display Failed Actions”
4. Choose “True” for “Display Warned Actions”
Use this report to monitor the critical authentication events described below.
1. Bad PIN, Good Tokencode Authentication Event
Typical cause:
An end user accidently enters the wrong PIN during an authentication attempt.
Why you should monitor this message:
Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
PINs for the end user’s RSA SecurID® tokens.
Relevant log messages:
Bad PIN, but good tokencode detected for token serial number
2. Bad PIN, Previous Tokencode Authentication Event
Typical cause:
An end user accidently enters the wrong PIN during an authentication attempt. In addition to this,
the end user also enters a previous token code
RSA The Security Division of EMC March 18, 2011 (Version 1.0)
2. Why you should monitor this message:
Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
PINs for and end user’s RSA SecurID tokens and the attacker has a valid but old tokencode.
Relevant log messages:
Bad PIN, but previous tokencode detected for token serial number
3. Passcode Reuse Attempt Event
Typical cause:
An end user accidently sends the same passcode for two separate authentication attempts.
Why you should monitor this message:
This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.
Relevant log messages:
Passcode reuse or previous token code detected for user
4. Good PIN, Bad Tokencode Authentication Event
Typical cause:
An end user has entered a valid PIN but accidently enters the wrong tokencode during an
authentication attempt.
Why you should monitor this message:
Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
tokencode for an end user’s RSA SecurID tokens.
Relevant log messages:
Bad tokencode, but good PIN detected for token serial number
5. Failed Authentication Attempt Event
Typical cause:
An end user accidently enters the wrong passcode during an authentication attempt.
Why you should monitor this message:
Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
passcode for an end user’s RSA SecurID tokens.
RSA The Security Division of EMC Page 2
3. Relevant log messages:
“User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user
belongs to security domain <domain name>” in the Description column of the activity report and
“Authentication Method Failed” in the Reason column
6. Next Tokencode Attempt Event
Typical cause:
The token clock is different than what is expected by the server. (e.g. a software token with an
inaccurate clock or the hardware token time has drifted)
Why you should monitor this message:
It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.
Relevant log messages:
Next tokencode mode activated for token serial number
Lockout Authentication Failure Event Report
You can generate a customized “Lockout Failure Event” Authentication Activity Report for end user
authentication lockout events. To generate this report, in addition to your usual customization, choose
the following options and values:
1. Choose “Lockout Event” for “Activity Key” option
2. Choose “False” for “Display Successful Actions”
3. Choose “True” for “Display Failed Actions”
4. Choose “True” for “Display Warned Actions”
User Locked Out Event
Typical cause:
An end user has entered the wrong passcode multiple sequential times and is now locked out.
Why you should monitor this message:
A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID
token passcode.
Relevant log messages:
“User <user id> attempted to authenticate using authenticator “SecurID_Native”. The user
belongs to security domain <domain name>” in the Description column of the activity report and
“Principal locked out” in the Reason column
RSA The Security Division of EMC Page 3
4. Administrator Activity Report
You can generate a customized “Clear PIN Event” Administrative Activity Report to track how
frequently PINs are being cleared. To generate this report, choose “Administrator Activity” report
template. In addition to your usual customization, choose “Clear Token PIN for “Activity Key” option.
Clear Pin Event
Typical cause:
An end user has forgotten the end user’s PIN and the PIN is cleared after the Help Desk
Administrator verifies the user’s identity.
Why you should monitor this message:
This message may indicate that an attacker is attempting a social engineering attack by convincing
a Help Desk Administrator to clear the PIN.
Relevant log messages:
Clear Token Pin
RSA The Security Division of EMC Page 4