7 Replies Latest reply on Nov 4, 2014 12:26 PM by stew

    siem event log pci compliance

    dendin

      Hi,

       

      I'm a new SIEM user. I have a question, please.

       

      We have ESM 9.4.0 and I need to generate administrator activity report for PCI 10.2.2 compliance. Can someone please pointing to the right directions?

       

      Thank you for your attention.

       

      Regards,

      Terry

        • 2. Re: siem event log pci compliance
          Peter M

          Moved to SIEM - Moderator

          • 3. Re: siem event log pci compliance
            ddd671

            I'm not sure this is the answer as we are not required to follow PCI in my business, but there are a number of pre-built queries in the compliance section.  One of them may suit.  You can view them by selecting the view:

             

            compliance-PCI-<pick-em>

            • 4. Re: siem event log pci compliance
              dendin

              Hi,

               

              Thank you for the response.

               

              Here is what I did to get the PCI data in CSV format:

               

              System Properties -> Reports

              Add a new report with the following criteria

               

                        5. Choose a predefined query to include with this report

                                      PCI – Administrator Actions (Win)

               

                          6. (Optional)

                                      Devices           PCI Servers

               

              This will provide the Windows server administrator activities on the “top level”. It means you don’t actually getting details of what the administrator’s action taken. For example, one of the entries on the report indicated:

               

              Special privileges assigned to new logon.

               

              This is not telling me what privilege was assigned to whom. I checked many other predefined queries and none of them provide details or anywhere I can drilldown getting additional information.

               

              Any ideas?

               

              Thanks,

              Terry

              • 5. Re: siem event log pci compliance
                tpan

                The original event may not have that information included and only includes the line "Special privileges assigned to new logon"

                 

                I don't see the Report Layout that you had mentioned, but are you able to find the original event in the dashboard? If you do find that event, you can click on the menu > Event Drilldown > Events

                 

                If you can find it there and view the list of events, you would be able to see all of the fields that are populated. It may be that a different field has the information you're looking for or the other scenarios might be that the only information you're getting is "Special privileges assigned to new logon"

                 

                If you do see that information in a separate field, we should be able to create a report around that.

                • 6. Re: siem event log pci compliance
                  ddd671

                  Ahh...I think I understand.  I had a similar problem when setting up reporting for FISMA compliance.  I could see the event "A user was added to a security group" but not what user or what group. I came to the conclusion that the data I wanted wasn't parsed from the source log, and therefore the SIEM couldn't report on it.  In our business we ended up running this report from Microsoft SCOM and not the SIEM.

                   

                  -Dave

                  • 7. Re: siem event log pci compliance
                    stew

                    In order to report on "All Actions Taken by an Admin" you first need to identify what that looks like in your source systems.  I would think that some customization needs to be done to get this information in a meaningful way.

                     

                    -Stewart