Does Security Center use sys_user Audit data

Geoff_T · ‎08-07-2024

I am reviewing audit data for sys_user table. Are there any fields that the Security Center pulls from sys_audit related to user table like last_login_time or last_login_device for example; wondering impact if any in the event auditing was excluded for these fields?

Thanks

-O- · ‎08-07-2024

OOB, unless something changed in Xanadu or by some plug-in, sys_user is not audited.

View solution in original post

-O- · ‎08-07-2024

Sorry for the rumbling, not really related, but the main idea idea I wanted to convey is that: I doubt it uses any sys_user audit data since it is not there OOB, plus Security Center is more about settings then about analyzing data, audited or not.

-O- · ‎08-07-2024

Details/useful documents about auditing tables: KB0685670, Enabling inclusion list auditing for a table, Including a table field in auditing (inclusion listing), Excluding a field from being audited (exclusion listing).

Satishkumar B · ‎08-07-2024

Hi @Geoff_T The `sys_audit` table tracks changes to fields with auditing enabled, but it does not include fields such as `last_login_time` or `last_login_device` by default. Excluding these fields from auditing may impact the ability to monitor user login activities and security. To track these specific fields, custom configurations or scripts would be required.

please mark my response is helpful and accept the solution if it helps

-O- · ‎08-07-2024

It seems like field last_login_device is not active by default so it is not audited, but if auditing of the table is enabled and it is not explicitly excluded, or is not whitelisted, last_login_time will be audited.
And - of course - if one enables field last_login_device, that one will be audited too.