log monitoring guidelines 03 21-2011

1. RSA® Authentication Manager 5.2/6.1 Log Monitoring Guidelines
The following document describes audit log messages that will allow your organization to monitor your
RSA® Authentication Manager 5.2 and 6.1 systems for unusual authentication activity. You should also
examine older or archived logs to establish a baseline frequency for these events before proceeding. In
addition, some actions like provisioning new tokens or changing PIN policy will increase the frequency
of these events.
The number included in parentheses next to the relevant log messages is a unique identifier that can
be used to build custom queries.
1. Bad PIN, Good Tokencode Authentications
Typical cause:
An end user accidently enters the wrong PIN during an authentication attempt.
Why you should monitor this message:
Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
PINs for an end user’s RSA SecurID® tokens.
Relevant log messages:
Good Tokencode/Bad PIN Detected (1010)
2. Passcode Reuse Attempts
Typical cause:
An end user accidently sends the same passcode for two separate authentication attempts.
Why you should monitor this message:
This message may indicate that an attacker is trying to reuse a tokencode in a replay attack.
Relevant log messages:
ACCESS DENIED, multiple auths (1141)
PASSCODE REUSE ATTACK Detected (149)
3. Failed Authentication Attempts
Typical cause:
An end user accidently enters the wrong passcode during an authentication attempt.
Why you should monitor this message:
Unusually frequent occurrences of this message may indicate that an attacker is trying to guess the
passcode for your RSA SecurID tokens.
RSA The Security Division of EMC March 18, 2011 (Version 1.0)

2. Relevant log messages:
ACCESS DENIED, PASSCODE Incorrect (1008)
ACCESS DENIED, Token ToD Bad (1001)
ACCESS DENIED, Next Tokencode Bad (1000)
4. Next Tokencode Attempts
Typical cause:
The token clock is different than what is expected by the server. (e.g., a software token with an
inaccurate clock or the hardware token time has drifted)
Why you should monitor this message:
It is possible that this message indicates that an attacker is trying to submit out-of-date passcodes.
Relevant log messages:
Next Tokencode On (144)
Next Tokencode Requested (1002)
5. Cleared PINs
Typical cause:
A user has forgotten their PIN and the PIN is cleared after the Help Desk Administrator verifies the
end user’s identity.
Why you should monitor this message:
This message may indicate that an attacker is attempting a social engineering attack by convincing
a Help Desk Administrator to remove the PIN.
Relevant log messages:
PIN cleared (117)
6. Token Disabled
Typical cause:
An end user has entered the wrong passcode multiple sequential times.
Why you should monitor this message:
A higher frequency of this message may indicate that an attacker is trying to guess the RSA SecurID
token passcode.
RSA The Security Division of EMC Page 2

3. Relevant log messages:
Token Disabled, Suspect Stolen (143)
Token Disabled, Many Failures (145)
ACCESS DENIED, Token Disabled (1004)
Note: If you utilize Cross Realm, consult the Admin Guide Troubleshooting section for similar Cross
Realm messages.
RSA The Security Division of EMC Page 3