Authops

LogZilla App Store application: Authops

Overview

AuthOps provides unified authentication monitoring across all log sources. Authentication events from Cisco, Palo Alto, Linux, Windows, and other vendors are aggregated into a single dashboard with consistent severity levels.

App Function

  • Aggregate authentication events from installed vendor apps
  • Provide unified dashboard for cross-vendor authentication visibility
  • Assign severity levels based on Event Type and Auth Success
  • Alert on authentication anomalies and security events

Vendor Documentation

This is a LogZilla aggregate app. No external vendor documentation applies.

Device Configuration

No device configuration is required. AuthOps automatically processes any event whose Event Class tag, as set by the vendor app that parsed it, contains Auth.

Incoming Log Format

AuthOps processes events that have already been tagged by vendor apps; it does not parse raw log formats itself. The vendor apps set:

  • Event Type: one of Session, Privilege Escalation, or Account Management
  • Auth Success: true for a successful login, false for a failed one (may be unset on events, such as a privilege escalation, that carry no login outcome)

Parsed Metadata Fields

| Tag Name               | Example | Description                                             |
|------------------------|---------|---------------------------------------------------------|
| AuthOps Event          | 1       | Rollup tag for authentication events                    |
| AuthOps Severity Level | High    | Aggregated severity based on Event Type and Auth Success |

Severity Level Assignment

| Severity | Condition                                      |
|----------|------------------------------------------------|
| Critical | Privilege Escalation, Account Management       |
| High     | Failed Authentication (Auth Success: false)    |
| Medium   | Session without auth status                    |
| Low      | Successful Authentication (Auth Success: true) |

Log Examples

SSH Login Success

```text
sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 22
```

SSH Login Failure

```text
sshd[5678]: Failed password for invalid user root from 10.0.0.1 port 22
```

Privilege Escalation

```text
sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
```

Dashboard

The AuthOps dashboard provides:

  • Key metrics: total events, failed authentications, privilege escalations, account management events
  • Unique user and host counts
  • EPS gauge and time chart for rate monitoring
  • Event Type distribution over time
  • Top users, hosts, and source IPs
  • Severity distribution and MITRE ATT&CK techniques
  • Live event stream with auth context

Triggers

| Trigger                        | Description                          |
|--------------------------------|--------------------------------------|
| AuthOps: Privilege Escalation  | Sudo/su/dzdo privilege escalation    |
| AuthOps: Account Management    | User/group account changes           |
| AuthOps: Failed Authentication | Authentication failure detected      |
| AuthOps: Session Event         | Session start/end events             |
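The following is an added example, not LogZilla's rule code, that walks the Log Examples above through the two stages the page describes: a vendor app tags the raw line with Event Class, Event Type and Auth Success, then AuthOps applies the Severity Level Assignment table and the Triggers table to those tags. The regexes standing in for the vendor app, the extra useradd sample line, and the field names user, src_ip and target are assumptions made for the illustration; only the severity and trigger rules come from the page.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the Log Examples above; the useradd line
# is an added assumption so the Account Management path is exercised too.
SAMPLE_LOGS = [
    "sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 22",
    "sshd[5678]: Failed password for invalid user root from 10.0.0.1 port 22",
    "sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash",
    "useradd[910]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup",
]

# Hypothetical stand-ins for a vendor app's parsing rules. In LogZilla the
# vendor app (Linux, Cisco, ...) sets Event Class, Event Type and Auth Success;
# AuthOps never sees the raw line. These regexes are assumptions.
VENDOR_RULES = [
    (re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+)"),
     {"Event Type": "Session", "Auth Success": True}),
    (re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"),
     {"Event Type": "Session", "Auth Success": False}),
    (re.compile(r"sudo: (?P<user>\S+) : .*USER=(?P<target>\S+)"),
     {"Event Type": "Privilege Escalation", "Auth Success": None}),
    (re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
     {"Event Type": "Account Management", "Auth Success": None}),
]


def vendor_tag(line: str) -> Optional[dict]:
    """Emulate a vendor app: return the tags it would set, or None when the
    line is not an authentication event (AuthOps then ignores it)."""
    for pattern, tags in VENDOR_RULES:
        m = pattern.search(line)
        if m:
            return {"Event Class": "Auth", **tags, **m.groupdict()}
    return None


def authops_severity(event_type: str, auth_success: Optional[bool]) -> str:
    """Severity Level Assignment table, evaluated top to bottom. Event Type is
    checked before Auth Success, so a privilege escalation is Critical even
    if a vendor app also attached a success flag to it."""
    if event_type in ("Privilege Escalation", "Account Management"):
        return "Critical"
    if auth_success is False:
        return "High"
    if auth_success is True:
        return "Low"
    # Session with no auth status is Medium per the table; applying the same
    # fallback to any other type without a status is an assumption.
    return "Medium"


def authops_triggers(event: dict) -> list:
    """Names from the Triggers table that an already-tagged event matches.
    A failed login is both a Failed Authentication and a Session Event; the
    page does not say whether both fire, so both are returned here."""
    fired = []
    event_type = event["Event Type"]
    if event_type == "Privilege Escalation":
        fired.append("AuthOps: Privilege Escalation")
    if event_type == "Account Management":
        fired.append("AuthOps: Account Management")
    if event.get("Auth Success") is False:
        fired.append("AuthOps: Failed Authentication")
    if event_type == "Session":
        fired.append("AuthOps: Session Event")
    return fired


def process_lines(lines) -> list:
    """Run both stages over raw lines: vendor tagging, then the AuthOps rollup
    tag, severity and triggers. Lines without an Auth Event Class are dropped,
    mirroring the 'Event Class containing Auth' selection described above."""
    events = []
    for line in lines:
        tags = vendor_tag(line)
        if tags is None or "Auth" not in tags["Event Class"]:
            continue
        tags["AuthOps Event"] = 1
        tags["AuthOps Severity Level"] = authops_severity(
            tags["Event Type"], tags["Auth Success"])
        tags["triggers"] = authops_triggers(tags)
        events.append(tags)
    return events


if __name__ == "__main__":
    for ev in process_lines(SAMPLE_LOGS):
        print(ev["AuthOps Severity Level"], ev["Event Type"],
              ev.get("user"), ev["triggers"])
```

Running the block prints one line per sample event: the SSH success lands at Low, the failed password at High, and the sudo and useradd lines at Critical. The ordering inside authops_severity is the point worth checking when you write your own rules: the Event Type test must come before the Auth Success test, or a privilege escalation that a vendor app happened to mark as successful would be downgraded to Low.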