
Tracking user actions in SIEM

We have a very socialized SIEM with a lot of recent activity, is there any way to track what user has created a watchlist, alarm, added a datasource, etc.

3 Replies
sssyyy
Level 12
Message 2 of 4

Re: Tracking user actions in SIEM

Don't think so with the current version. I'd love to see SIEM enhance its own logging capability.

rbroom
Level 7
Message 3 of 4

Re: Tracking user actions in SIEM

Here's a thought, though I've not tried it yet.

Create an alarm and specify some of the Health monitor signature IDs that you'd like to monitor.  You can view these if you click the ? in Alarm Settings, and in the Help scroll down to the section on Health Monitor Status.  Click the link to Health Monitor Signature IDs.

This will list some IDs that might cover what you want, such as Device Add (306-18), Rule Change (306-21), User Logon (306-11), Variable Add (306-23), etc.

You then set the alarm to create an event, send email, report, etc.

Does that help?

Ralph

rth67
Level 12
Message 4 of 4

Re: Tracking user actions in SIEM

Here are some additional Sig IDs to look at tracking with a report; we create one on a weekly basis:

306-1,306-2,306-4,306-5,306-6,306-7,306-8,306-11,306-15,306-16,306-17,306-18,306-19,306-20,306-21,36-22,306-23,306-24,306-25,306-28,306-31,306-32,306-34,306-50,306-51,306-52

306-50010,306-50023,306-50027,306-50034,306-50043,306-50047,306-50054,306-50077,306-50080,306-50085

In addition, click on your "Local ESM" in your Physical Tree and then Search on Device Type '329' - go through and find the Signature IDs that apply to your environment (different for each install) for things like:

DeviceType ID 329 is for "Triggered Alarms" - so these will depend on if you have the following Alarms created / enabled

DEVICE_NAME is behind on processing data (new SigID for each Device)

ESM has lost communication with DEVICE_NAME (new SigID for each Device)

DEVICE_NAME Low Event Count (new SigID for each Device)

ESM Backup Complete
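As an added example (not code from the thread or from the SIEM vendor), here is the kind of weekly audit pass the last two replies describe, run over exported Health Monitor events using the signature IDs the replies list. The pipe-delimited export format, the field names, the sample lines and the 306-999 ID are constructed assumptions; only the 306-* IDs and their meanings come from the replies.

```python
from collections import Counter, defaultdict

# Signature IDs the replies name, with the meaning each reply gives them.
NAMED_SIGS = {"306-11": "User Logon", "306-18": "Device Add",
              "306-21": "Rule Change", "306-23": "Variable Add"}
# The weekly-report set from the last reply (most IDs are not described there).
AUDIT_SIGS = set("""306-1 306-2 306-4 306-5 306-6 306-7 306-8 306-11 306-15
306-16 306-17 306-18 306-19 306-20 306-21 306-23 306-24 306-25 306-28 306-31
306-32 306-34 306-50 306-51 306-52 306-50010 306-50023 306-50027 306-50034
306-50043 306-50047 306-50054 306-50077 306-50080 306-50085""".split())


def parse_event(line):
    """Split one constructed 'timestamp|sig_id|user|message' line; None if malformed."""
    parts = [p.strip() for p in line.rstrip("\n").split("|", 3)]
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "sig", "user", "msg"), parts))


def audit(lines):
    """Return (per-user action counts, 306-* IDs seen but not in AUDIT_SIGS)."""
    per_user = defaultdict(Counter)
    unlisted = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["sig"].startswith("306-"):
            continue  # only Health Monitor (306-*) events are audited here
        if ev["sig"] in AUDIT_SIGS:
            per_user[ev["user"]][NAMED_SIGS.get(ev["sig"], ev["sig"])] += 1
        else:
            unlisted.add(ev["sig"])  # candidate for adding to the report set
    return dict(per_user), unlisted


# Constructed sample export lines (not real ESM output).
SAMPLE = [
    "2013-05-06 09:01:00|306-11|alice|User logon",
    "2013-05-06 09:05:12|306-18|alice|Device added: fw-edge-01",
    "2013-05-06 10:22:40|306-21|bob|Rule change: correlation rule 42",
    "2013-05-06 11:00:03|306-23|bob|Variable add: HOME_NET",
    "2013-05-06 11:30:00|306-999|carol|constructed unlisted health event",
    "2013-05-06 12:00:00|43-1|carol|not a health monitor event",
    "garbage line without delimiters",
]

if __name__ == "__main__":
    users, extra = audit(SAMPLE)
    for user, actions in sorted(users.items()):
        print(user, dict(actions))
    print("unlisted 306-* IDs:", sorted(extra))
```

The unlisted set is the part worth reviewing each week, since the Device Type 329 alarm IDs differ per install and only show up once you add them to AUDIT_SIGS.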