Authops

Overview

AuthOps provides unified authentication monitoring across all log sources. Authentication events from Cisco, Palo Alto, Linux, Windows, and other vendors are aggregated into a single dashboard with consistent severity levels.

App Function

• Aggregate authentication events from installed vendor apps
• Provide unified dashboard for cross-vendor authentication visibility
• Assign severity levels based on Event Type and Auth Success
• Alert on authentication anomalies and security events

Vendor Documentation

This is a LogZilla aggregate app. No external vendor documentation applies.

Device Configuration

No device configuration is required. AuthOps automatically processes events from any app that sets Event Class containing Auth.

Incoming Log Format

AuthOps processes events tagged by vendor apps. It does not parse raw log formats directly. Vendor apps set:

• Event Type: Session, Privilege Escalation, Account Management
• Auth Success: true/false for login success/failure

Parsed Metadata Fields

Severity Level Assignment

Log Examples

SSH Login Success

text
Wrap: OnCopyFullscreen
sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 22

SSH Login Failure

text
Wrap: OnCopyFullscreen
sshd[5678]: Failed password for invalid user root from 10.0.0.1 port 22

Privilege Escalation

text
Wrap: OnCopyFullscreen
sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash

Dashboard

The AuthOps dashboard provides:

• Key metrics: Total events, failed auth, privilege escalation, account mgmt
• Unique users and hosts counts
• EPS gauge and time chart for rate monitoring
• Event Type distribution over time
• Top users, hosts, and source IPs
• Severity distribution and MITRE techniques
• Live event stream with auth context

Triggers