3 Replies Latest reply on Mar 14, 2016 5:05 PM by rth67

    Tracking user actions in SIEM

    itgfcsys

      We have a very socialized SIEM with a lot of recent activity, is there any way to track what user has created a watchlist, alarm, added a datasource, etc.

        • 1. Re: Tracking user actions in SIEM
          sssyyy

          Don't think so with the current version. I'd love to see SIEM enhances it's own logging capability.

          • 2. Re: Tracking user actions in SIEM
            rbroom

            Here's a thought, though I've not tried it yet.

             

            Create an alarm and specify some of the Health monitor signature IDs that you'd like to monitor.  You can view these if you click the ? in Alarm Settings, and in the Help scroll down to the section on Health Monitor Status.  Click the link to Health Monitor Signature IDs.

             

            This will list some IDs that might cover what you want, such as Device Add (306-18), Rule Change (306-21), User Logon (306-11), Variable Add (306-23), etc.

             

            You then set the alarm to create an event, send email, report, etc.

             

            Does that help?

             

            Ralph

            • 3. Re: Tracking user actions in SIEM
              rth67

              Here are some additional Sig ID's to look at tracking with a report, we create one on a weekly basis:

               

              306-1,306-2,306-4,306-5,306-6,306-7,306-8,306-11,306-15,306-16,306-17,306-18,306 -19,306-20,306-21,36-22,306-23,306-24,306-25,306-28,306-31,306-32,306-34,306-50, 306-51,306-52

               

              306-50010,306-50023,306-50027,306-50034,306-50043,306-50047,306-50054,306-50077, 306-50080,306-50085

               

              In addition, click on your "Local ESM" in your Physical Tree and then Search on Device Type '329' - go through and find the Signature ID's that apply to your environment (different for each install) for things like:

               

              DeviceType ID 329 is for "Triggered Alarms" - so these will depend on if you have the following Alarms created / enabled

               

              DEVICE_NAME is behind on processing data (new SigID for each Device)

              ESM has lost communication with DEVICE_NAME (new SigID for each Device)

              DEVICE_NAME Low Event Count (new SigID for each Device)

              ESM Backup Complete