Moved to SIEM - Moderator
I'm not sure this is the answer as we are not required to follow PCI in my business, but there are a number of pre-built queries in the compliance section. One of them may suit. You can view them by selecting the view:
Thank you for the response.
Here is what I did to get the PCI data in CSV format:
System Properties -> Reports
Add a new report with the following criteria
5. Choose a predefined query to include with this report
PCI – Administrator Actions (Win)
Devices PCI Servers
This will provide the Windows server administrator activities only at the "top level". It means you don't actually get details of what action the administrator took. For example, one of the entries on the report indicated:
Special privileges assigned to new logon.
This is not telling me what privilege was assigned to whom. I checked many other predefined queries and none of them provide details, or anywhere I can drill down to get additional information.
The original event may not have that information included and only includes the line "Special privileges assigned to new logon"
I don't see the Report Layout that you had mentioned, but are you able to find the original event in the dashboard? If you do find that event, you can click on the menu > Event Drilldown > Events
If you can find it there and view the list of events, you would be able to see all of the fields that are populated. It may be that a different field has the information you're looking for, or the other scenario might be that the only information you're getting is "Special privileges assigned to new logon".
If you do see that information in a separate field, we should be able to create a report around that.
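As an added example (my own code, not from anyone in this thread or from the SIEM vendor) of what "the information in a separate field" looks like for this particular message: "Special privileges assigned to new logon" is the summary line of Windows Security event 4672, and the detail the original poster wants, which account and which privileges, lives in the EventData fields SubjectUserName, SubjectDomainName, SubjectLogonId and PrivilegeList. The script below parses a constructed sample event in the standard Event Viewer XML export layout, extracts those fields, flags a subset of privileges that I have chosen as worth watching, and writes CSV rows; it also handles the case the previous reply describes, where a collector only delivers the summary line and no EventData, by marking the row as lacking detail instead of silently emitting an empty one. The hostname, SID and logon ID are made up.

```python
"""Extract 'who got which privilege' from Windows Security event 4672.

Added example; the XML samples are constructed, not taken from a real system.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Windows event XML lives in this namespace; ElementTree needs it on every path.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Privileges I treat as sensitive for reporting purposes (my own selection).
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
}

# Constructed sample: a full 4672 event as Event Viewer's XML view exports it.
# PrivilegeList is one field holding a whitespace-separated list of privileges.
SAMPLE_4672 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4672</EventID>
    <Computer>srv01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7b2</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
\t\t\tSeBackupPrivilege
\t\t\tSeDebugPrivilege</Data>
  </EventData>
</Event>"""

# Constructed sample: the same event as a collector that forwards only the
# summary line would deliver it, with no EventData block at all.
SAMPLE_4672_SUMMARY_ONLY = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4672</EventID>
    <Computer>srv01.example.local</Computer>
  </System>
</Event>"""


def parse_special_privileges(event_xml: str) -> dict:
    """Return the subject account and privilege list from one 4672 event.

    'has_detail' is False when the EventData fields are missing, which is
    exactly the situation where a report can only show the summary line.
    """
    root = ET.fromstring(event_xml)
    event_id = (root.findtext("e:System/e:EventID", namespaces=NS) or "").strip()
    computer = (root.findtext("e:System/e:Computer", namespaces=NS) or "").strip()

    # Map every <Data Name="..."> element to its text; absent block -> empty dict.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}

    user = data.get("SubjectUserName", "")
    domain = data.get("SubjectDomainName", "")
    account = f"{domain}\\{user}" if domain and user else user

    # PrivilegeList is newline/tab separated; privilege names contain no spaces.
    privileges = [p for p in data.get("PrivilegeList", "").split() if p]
    sensitive = sorted(set(privileges) & SENSITIVE_PRIVILEGES)

    return {
        "event_id": event_id,
        "computer": computer,
        "account": account,
        "logon_id": data.get("SubjectLogonId", ""),
        "privileges": privileges,
        "sensitive": sensitive,
        "has_detail": "PrivilegeList" in data,
    }


def to_csv(rows: list) -> str:
    """Render parsed events as CSV text, one row per event."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["computer", "event_id", "account", "logon_id",
                     "privileges", "sensitive", "has_detail"])
    for r in rows:
        writer.writerow([r["computer"], r["event_id"], r["account"], r["logon_id"],
                         ";".join(r["privileges"]), ";".join(r["sensitive"]),
                         "yes" if r["has_detail"] else "no"])
    return buf.getvalue()


if __name__ == "__main__":
    parsed = [parse_special_privileges(SAMPLE_4672),
              parse_special_privileges(SAMPLE_4672_SUMMARY_ONLY)]
    print(to_csv(parsed))
```

If the drilldown in the SIEM shows a populated PrivilegeList (or equivalently named) field, the report can be built on that field; if the field is empty for every 4672 event, the collector or agent is delivering only the message text and the detail has to be recovered at the source, as the next reply in this thread also concludes.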
Ahh...I think I understand. I had a similar problem when setting up reporting for FISMA compliance. I could see the event "A user was added to a security group" but not what user or what group. I came to the conclusion that the data I wanted wasn't parsed from the source log, and therefore the SIEM couldn't report on it. In our business we ended up running this report from Microsoft SCOM and not the SIEM.
In order to report on "All Actions Taken by an Admin" you first need to identify what that looks like in your source systems. I would think that some customization needs to be done to get this information in a meaningful way.