RSA ID Plus Admin Logs Connector - RSA Ready Implementation Guide

Certified: October 27, 2025


Solution Summary

The RSA ID Plus Admin Connector delivers enhanced oversight and protection by continuously tracking administrator actions and event logs within the customer’s ID Plus environment. It identifies and reports anomalies, lockouts, or suspicious behavior, automatically alerting security teams for rapid response. This proactive monitoring helps organizations strengthen operational security, support compliance requirements, and ensure the integrity of administrative access across the ID Plus platform.


Use Case

The RSA ID Plus Admin Connector can be used to ingest RSA ID Plus admin logs, analyze them, and generate alerts or incidents for suspicious activity, such as an administrator being locked out after multiple incorrect password attempts.


Prerequisites

  • Cloud Access Service (CAS) tenant with a Super Administrator account
  • Microsoft Azure tenant with the following services enabled/accessible:
    • Log Analytics workspace
    • Microsoft Sentinel
    • Defender Portal


Configuration Summary

Follow the steps in each of the subsequent sections to configure the RSA ID Plus Admin connector.

Configure CAS

You can use the OAuth client API to generate a Base64URL-encoded JWT token for the connection.


OAuth Clients

  1. Sign in to the Cloud Administration Console.
  2. Navigate to Platform > API Access Management and click Add API Client under OAuth Clients.
  3. Set Client type to Admin API for the new OAuth client and click Next Step.
  4. Provide a value for Access Token Lifetime, which cannot exceed 24 hours (1440 minutes), and click Generate Key Pair.
  5. Click Autofill and copy the private key.
  6. Click download and finish.
  7. Click Next Step.
  8. Select the permissions as shown in the following screenshot.
  9. Click Save and Finish.
  10. Generate a JWT Token by referring to the steps mentioned in Authentication for the Cloud Administration APIs.
  11. Copy the created token to be used when configuring the connector for Sentinel.
  12. Copy the hostname from the CAS tenant URL, which will be used in the Sentinel connector.


Configure Azure

  1. Log in to the Azure portal.
  2. Click Resource groups.
  3. Create a resource group.
  4. Go to the homepage, select Microsoft Sentinel, and click Create.
  5. Click Create a new workspace.
  6. Provide a name to your Log Analytics workspace and click Review+Create, and then click Create.
  7. Go to the homepage, select Microsoft Sentinel, and click Create.
  8. Select the Log Analytics workspace created before to add it to Sentinel.
  9. On the Azure homepage, select Sentinel.
  10. Select the created Sentinel workspace and select the option to redirect to Microsoft Defender.
  11. Go to Content Management > Content hub and search for “RSA ID Plus Admin Logs Connector”.
  12. Select the connector and click Install.
  13. Once all the components are installed, click Manage.
  14. Click the connector.
  15. Click the Open Connector page.
  16. On the resulting form, provide the following values and click Connect.
    1. Admin API URL: https://<tenantName>.access.securid.com/AdminInterface/restapi/v1/adminlog/exportlogs (replace <tenantName> with the hostname copied from the CAS tenant URL)
    2. JWT Token: the Base64URL-encoded JWT token that was created using the access key.
  17. After the connection is successful, perform the following steps to view the ingested logs.
    1. Go to the Azure homepage > Microsoft Sentinel and select the created Sentinel workspace.
    2. In the left pane, click Logs.
    3. Enter the table name RSAIDPlus_AdminLogs_CL as the query and click Run.


Analytical Rule

The RSA ID Plus Admin Logs Connector comes with a predefined template of an analytical rule, which users can use to create alerts or incidents in the event of an admin being locked out.


Analytical Rule Using the Template

The RSA ID Plus -Locked Administrator Account Detected rule can be used to detect if a CAS administrator account has been locked.

  1. On the Defender portal, go to Microsoft Sentinel > Configuration > Analytics > Rule templates and search for RSA.
  2. Select the rule template named RSA ID Plus -Locked Administrator Account Detected, click the ellipsis symbol, and then click Create rule.
  3. Keep the default values on the General tab and click Next: Set rule logic.
  4. Keep the values under Entity mapping, custom details, and Alert Details as default.
  5. Provide the values for Query scheduling as per the requirement. We used the values shown in the following screenshot to avoid duplicate alerts.
  6. Provide the condition for alert generation as per the requirement.
  7. Click Next: Incident Settings.
  8. Make sure the first option is enabled.
  9. Change other options as per requirement and click Next: Automated Response.
  10. Click Next: Review+create.
  11. Click Save.


Playbook (Optional)

Customized messages can be sent through email to the recipients of choice.

  1. On the Defender portal, go to Microsoft Sentinel > Configuration > Automation > Playbook templates and select the playbook template named “SendEmailonRSAIDPlusAlert”.
  2. Click Create playbook at the bottom of the playbook description (right pane of the previous screenshot).
  3. Verify the resource group and click Next: Parameters.
  4. Enter the SenderEmailId and ReceiverEmailId, and click Next: Connections.
  5. Click Next: Review and create.
  6. Review the details and click Create Playbook.
  7. After successful deployment, the playbook entry appears under the Active Playbook tab.
  8. Click the created playbook and click Edit.
  9. Make sure the connections are correct.
  10. Go to Analytics > Active rules, select the analytical rule, and click Edit.
  11. Go to the Automated Response tab and click Add new.
  12. Fill in the form as shown in the following screenshot.
  13. Click Apply.
  14. Click Next: Review + create.
  15. Click Save.


Known Issues

Refresh Token

RSA requires the token to be refreshed after a specified interval, up to a maximum of 24 hours. Automatic token refresh is outside the scope of this guide because, at the time of publication, Azure does not support implicit token renewal.
After the token expires, administrators must manually generate a new Base64URL-encoded JWT token, disconnect the connector, update the token, and reconnect. This process can also be automated using the REST API. For more information, refer to the relevant Microsoft documentation.
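Two points in this guide can be checked locally: the 1440-minute cap on the access token lifetime (Configure CAS, step 4) and the manual rotation after expiry described above. The following added example is not RSA's or Microsoft's code; it reads the iat/exp claims of the connector's JWT without verifying the signature and reports when a new token must be generated. The sample token is constructed inline and carries no real signature.

```python
import base64
import json
import time
from typing import Optional

# RSA ID Plus caps the Admin API access-token lifetime at 24 hours (1440 minutes).
MAX_LIFETIME_SECONDS = 1440 * 60


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.
    Signature verification is the Admin API's job; here only iat/exp are needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_status(token: str, now: Optional[float] = None) -> dict:
    """Report whether the connector's JWT is still usable and how long until rotation."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    iat = claims.get("iat")
    exp = claims.get("exp")
    if exp is None:
        raise ValueError("token has no exp claim; cannot plan rotation")
    lifetime = None if iat is None else exp - iat
    return {
        "expired": now >= exp,
        "seconds_remaining": max(0, int(exp - now)),
        # A lifetime above the CAS cap means the token was not minted as the guide prescribes.
        "exceeds_cas_cap": lifetime is not None and lifetime > MAX_LIFETIME_SECONDS,
    }


def make_unsigned_token(iat: int, lifetime_seconds: int) -> str:
    """Build a constructed sample JWT (dummy signature) for local testing only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"iat": iat, "exp": iat + lifetime_seconds})
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    sample = make_unsigned_token(iat=1_700_000_000, lifetime_seconds=MAX_LIFETIME_SECONDS)
    print(token_status(sample, now=1_700_000_000 + 3600))
```

Run it against the token you pasted into the connector to see how long remains before the disconnect, update and reconnect cycle is needed.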