Please add the ability to log ship Activation Code and Retrieved Password logging to a SIEM. Our Cyber Security Ops team needs the ability to see these events in the SIEM console, without having to view the logging in the RMS console or SQL. Alternatively, if this product could log elevation events within the endpoint event logs, then this would be even easier for our SIEM to collect.
Product: Privilege Manager
As a first step, I would like to see it on the server side (Recast Server -> Syslog), which should be easy because the info is already there and being written to SQL. Having it also write to the Windows event log or a text file would be nice for some people because then you could maybe include failed attempts (which at least you can't see in the GUI on the server; I haven't checked the DB to see if they are there). The people that would want the event log/text file probably already have some client on the machine that can pretty easily be configured to pick up the logs and send them.
We are looking for a way to implement this in the future. Building a capability to send the log directly to a SIEM environment would require more work to support the major SIEM environments. Allowing the creation of a syslog file that the customer can send to a SIEM environment is one way to solve this, but it then requires customer action.
What SIEM environments do you feel should be supported, or would it be enough to provide syslog-format exports that can then be manually sent to SIEM environments?
For us, sending in syslog format would be all that would be needed and shouldn't be that hard.