
Security Information and Event Management (SIEM) systems enable the collection and analysis of data on user activity, system access, and cybersecurity events to detect threats and respond to incidents in real time. Identity and Access Management (IAM) systems, in turn, provide insights into user activity. In this blog, you’ll learn how Keycloak can support your SIEM system.
In the Report on the State of Cybersecurity in Poland for 2023 prepared by CSIRT GOV, it was indicated that among the threats persisting in the Polish cyberspace in 2023, which had a significant impact on risk assessment, social engineering attacks and brute-force attacks were particularly notable. Social engineering attacks involve manipulating users to gain unauthorized access to systems, while brute-force attacks rely on automatically attempting various password combinations to break security measures.
Proper identity management and log monitoring are key elements in protecting against such attacks. This is why integrating Keycloak with a SIEM system allows organizations to detect threats more effectively and respond to them immediately.
Why Is It Worth Integrating SIEM with Keycloak?
Every organization using a SIEM system aims to detect as many threats as possible and respond to incidents as quickly as possible. Information about who attempted to access systems, from where, and when can be crucial in identifying attacks and unauthorized login attempts. This is where Keycloak—a popular open-source IAM platform—can significantly enhance the SIEM ecosystem by providing valuable data on authentication, authorization, and session management processes.
Keycloak, developed by the Red Hat community, offers comprehensive solutions for authenticating and authorizing users in web applications, mobile apps, and backend services. We’ve covered it in detail at https://inero-software.com/keycloak-services/.
Keycloak can provide data on:
- Login attempts – both successful and failed, along with information about the originating IP address.
- Forced password resets and changes in access policies – allowing for monitoring of potential account takeover attempts.
- User sessions – including unusual logins from new locations or devices.
- Detected threats, such as suspicious multiple login attempts (e.g., brute-force attacks, which involve cracking passwords or cryptographic keys by trying all possible combinations).
The SIEM system, in turn, can analyze this data and correlate it with other events, such as:
- Login attempts from unusual locations linked to suspicious network activity.
- Multiple failed login attempts from a single IP address – a sign of a brute-force attack.
- Sudden changes in user privileges associated with suspicious system access.
An example of effective integration can be seen in a situation where a user repeatedly enters an incorrect password within a short period. Keycloak logs this as suspicious activity. A SIEM system can then correlate this data with login attempts from different locations and take action, such as temporarily blocking the account or enforcing additional authentication.
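The following is an added example, not code from the original post or from the Keycloak project, showing the two correlation rules described above (the list of data Keycloak provides and the SIEM-side correlation) applied to Keycloak login events. The log lines are constructed for this example; their key=value layout is modelled on Keycloak's built-in jboss-logging event listener, but the realm, usernames, IP addresses and timestamps are made up, and the thresholds and window sizes are assumptions a real SIEM rule would tune.

```python
"""SIEM-style correlation over Keycloak login events (added example).

Rule 1: repeated LOGIN_ERROR events from one IP in a short window (brute force).
Rule 2: the same account logging in successfully from several IPs in a short
        window (login from a new location), escalated when one of those IPs
        was already flagged by rule 1.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample log: "<timestamp> key=value, key=value, ..." per line.
# Event types (LOGIN, LOGIN_ERROR, LOGOUT) and field names follow Keycloak's
# event listener output; all values are invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z type=LOGIN_ERROR, realmId=demo, clientId=portal, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials, username=alice
2024-05-01T10:00:04Z type=LOGIN_ERROR, realmId=demo, clientId=portal, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials, username=alice
2024-05-01T10:00:09Z type=LOGIN_ERROR, realmId=demo, clientId=portal, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials, username=bob
2024-05-01T10:00:15Z type=LOGIN_ERROR, realmId=demo, clientId=portal, userId=null, ipAddress=203.0.113.7, error=user_not_found, username=carol
2024-05-01T10:00:20Z type=LOGIN_ERROR, realmId=demo, clientId=portal, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials, username=alice
2024-05-01T10:01:00Z type=LOGIN, realmId=demo, clientId=portal, userId=u-1001, ipAddress=198.51.100.20, username=alice
2024-05-01T10:03:30Z type=LOGIN, realmId=demo, clientId=portal, userId=u-1001, ipAddress=203.0.113.7, username=alice
2024-05-01T10:05:00Z type=LOGOUT, realmId=demo, clientId=portal, userId=u-1002, ipAddress=198.51.100.21, username=bob
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Turn log lines into dicts with a parsed 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-event lines
        ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
        for pair in m.group("kv").split(", "):
            key, _, value = pair.partition("=")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Rule 1: at least `threshold` LOGIN_ERROR events from one IP within `window`.

    Uses a sliding window over sorted timestamps, so a burst that straddles a
    fixed minute boundary is still caught. Returns {ip: start of the burst}.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev.get("type") == "LOGIN_ERROR":
            failures[ev["ipAddress"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = stamps[i]
                break
    return flagged


def multi_location_logins(events, window=timedelta(minutes=10)):
    """Rule 2: one account logs in successfully from more than one IP within `window`.

    Returns {username: sorted list of IPs seen in the offending window}.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("type") == "LOGIN":
            by_user[ev.get("username", ev.get("userId"))].append((ev["ts"], ev["ipAddress"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts_i, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - ts_i <= window}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


def correlate(text):
    """Run both rules and return findings with the response the post describes
    (temporary block or step-up authentication), escalating when a successful
    login comes from an IP that was also a brute-force source."""
    events = parse_events(text)
    sources = brute_force_sources(events)
    findings = [{"rule": "brute_force_source", "ip": ip, "severity": "medium",
                 "action": "rate-limit or temporarily block source IP"} for ip in sources]
    for user, ips in multi_location_logins(events).items():
        cracked = any(ip in sources for ip in ips)
        findings.append({"rule": "multi_location_login", "user": user, "ips": ips,
                         "severity": "high" if cracked else "medium",
                         "action": "temporarily disable account and force password reset"
                                   if cracked else "enforce step-up MFA on next login"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the sample data rule 1 flags 203.0.113.7 (five failures in 19 seconds) and rule 2 flags alice, who logs in from two IPs within ten minutes; because one of those IPs is the brute-force source, the second finding is raised to high severity. In a real deployment the parser would consume the listener output shipped by your log forwarder, and the thresholds should be aligned with the realm's own brute-force protection settings so the SIEM and Keycloak do not disagree about what counts as an attack.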
How Do Keycloak and SIEM Work Together?
Keycloak and Security Information and Event Management (SIEM) systems serve different purposes in identity management and IT security, but they complement each other perfectly.
| Feature | SIEM (Security Information and Event Management) | IAM (Identity and Access Management – Keycloak) |
|---|---|---|
| Main Function | Monitoring and analyzing security events | Managing user identities and access |
| Scope of Operation | Log collection, incident analysis, threat detection | Authentication, authorization, access control |
| Types of Data | System logs, network traffic, security alerts | User sessions, authentication logs, authorization requests |
| Mode of Operation | Aggregation and correlation of events from multiple sources | Verification of user identities and permissions |
| Primary Uses | Anomaly detection, incident response, compliance | Single Sign-On (SSO), identity federation, MFA |
| Examples of Threats | DDoS attacks, malware, privilege escalation | Brute-force attacks, account takeover, privilege misuse |
| Response to Threats | Alert generation, automatic blocking, reporting | Account blocking, enforcing MFA, session management |
| Integration with Other Systems | Yes – collects logs from SIEM systems, IDS, firewalls | Yes – integrates with LDAP, AD, databases, SIEM |
How to Implement Keycloak?
Integrating Keycloak with a SIEM system enhances IT security by providing additional information about users and their activities. This allows organizations to detect threats more effectively and respond to incidents more quickly.
If you’re wondering how to implement and configure Keycloak for your organization, be sure to check out these articles:
- Hands-On Keycloak SSO: From Setup to Integration
- Keycloak Integration Guide: Securing Java Spring Endpoints with Keycloak
These resources provide practical guidance on configuring and integrating Keycloak with various systems. Importantly, one of Keycloak’s key features is its ability to integrate with Lightweight Directory Access Protocol (LDAP) directories, which we covered in detail here: Exporting accounts to federated realms: A guide to Keycloak and LDAP Integration.
There are many SIEM solutions available on the market, so it’s worth conducting a security audit within your organization before making a decision. Identifying potential vulnerabilities will help guide the selection and implementation of an appropriate incident management system, enhanced with Keycloak integration, to better monitor threats and strengthen data protection across your organization.