External SIEM vendor requires the minimal set of permissions to /core.execute and /core.help
I am working to provide access for a SIEM vendor to connect to my EPO QA and production environments. I am seeking assistance to determine the proper way to configure a specific AD service account with the minimal access permissions within EPO to access the following attributes via their API.
Used by the collector agent to validate a successful authentication to the API.
Used by the collector agent to request event data.
I have the server and port information. I also have two Active Directory Service Accounts that are assigned within EPO. These accounts will be used by the external vendor to authenticate to my EPO environments.
I am reviewing EPO documentation to determine the minimal set of permissions to allow approved access to scan and clean workstations or servers in EPO.
Re: External SIEM vendor requires the minimal set of permissions to /core.execute and /core.help
Permission sets are one thing that require a lot of testing to get them right. They would need permissions to run client tasks, access to the system tree and systems, access to the point product in question also. Test those first with locally logging in under those permissions to see if the desired actions can be performed outside of the api. If so, then try it via api. If that fails, check the audit log to see if there are any entries listed for user does not have access.
Was my reply helpful? If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?