• Some extra information: We have security event monitoring in place which reads events from a logfile, SQL table or Windows event log. Several scenarios are configured based on these events which will... fire an incident. For example:

  - Account created and deleted within 24h
  - Account added and removed from group within 24h
  - User created and logon within 5 minutes
  - User created or activated and logged from same IP
  - Activated user locked or disabled more than 30 days
  - Multiple failed logon from the same user in 2 minutes
  - Multiple failed logon from the same IP in 5 minutes
  - Multiple failed logon from the same IP in 24 hours
  - Multiple failed logon from many IP on the same account in 5 minutes
  - Multiple failed logon from many IP on the same account in 24 hours
  - User changed more than 2 times within 24h
  - Manual user management action outside business hours

Some events we can take from the licence server log. But there is no way to get user administration events. A solution can be that SBM generates an audit log where all user/group/rights administration activity is logged. It can also be logged in the Windows event log.
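
Two of the scenarios listed in the post above ("Multiple failed logon from the same user in 2 minutes" and "Account created and deleted within 24h"), written out as correlation logic. This is an added example, not part of the original post and not SBM code. The event tuple format, the event type names and the threshold of 3 failures are assumptions, since the post defines no log format and no number for "multiple".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): ISO time, event type, account, source IP.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "user_created", "tmp01", "10.0.0.5"),
    ("2024-01-10T09:00:10", "logon_failed", "alice", "10.0.0.7"),
    ("2024-01-10T09:00:50", "logon_failed", "alice", "10.0.0.7"),
    ("2024-01-10T09:01:40", "logon_failed", "alice", "10.0.0.8"),
    ("2024-01-10T09:30:00", "logon_failed", "bob", "10.0.0.9"),
    ("2024-01-10T15:00:00", "user_deleted", "tmp01", "10.0.0.5"),
    ("2024-01-11T10:00:00", "user_created", "svc02", "10.0.0.5"),
    ("2024-01-12T11:00:00", "user_deleted", "svc02", "10.0.0.5"),
]

FAILED_THRESHOLD = 3  # assumption: the post says "multiple" without a number
FAILED_WINDOW = timedelta(minutes=2)
LIFETIME_WINDOW = timedelta(hours=24)


def correlate(events):
    """Return incidents as (rule, account, time) tuples, in event order."""
    incidents = []
    failures = defaultdict(deque)  # account -> recent failed-logon times
    created = {}                   # account -> creation time
    for ts, kind, account, _ip in sorted(events):
        now = datetime.fromisoformat(ts)
        if kind == "logon_failed":
            window = failures[account]
            window.append(now)
            # Drop failures that fell out of the 2-minute sliding window.
            while now - window[0] > FAILED_WINDOW:
                window.popleft()
            if len(window) >= FAILED_THRESHOLD:
                incidents.append(("failed_logon_burst", account, ts))
                window.clear()  # one incident per burst, not one per extra failure
        elif kind == "user_created":
            created[account] = now
        elif kind == "user_deleted":
            born = created.pop(account, None)
            if born is not None and now - born <= LIFETIME_WINDOW:
                incidents.append(("created_and_deleted_24h", account, ts))
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

The `user_created` and `user_deleted` rows are exactly the user administration events the post says are not available today, so the second rule can only fire once such an audit log exists.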