Best Methods to export user login (Successful and failed) activity to external SIEM solution

Connor18
Kilo Contributor

‎07-18-2022 12:12 PM

We have a requirement in which we need to be logging all user login events to an external SIEM solution (LogRhythm). What is the most effective and streamlined method in which to achieve this?

Is the Syslog Probe using the MID server the only option, or can we use an API based approach to pull the specifics events from the Events Table?

Any insight would be greatly appreciated!

Labels:
0 Helpfuls
  • 711 Views
3 REPLIES 3

Rahul Priyadars
Tera Sage
Tera Sage

‎07-18-2022 10:13 PM

not exactly but approach and best practice for sysevent table is in below KB

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0749943

Once you have data into STAGING table - You can use REST API to post/pull this data for SIEM Tool which is LogRhythm in ur case.

Regards

RP

Ashutosh Munot1
Kilo Patron
Kilo Patron

‎07-19-2022 01:10 PM

HI,

We have implemented a flow designer flow which exports our events in deltas to Splunk which is monitoring system and we use a dashboard in splunk to show this.


Also you can use Security Center or Application insights for this.

 

Thank you,
Ashutosh

0 Helpfuls

Connor18
Kilo Contributor
In response to Ashutosh Munot1

‎07-20-2022 09:03 AM

Hi Ashutosh 

 

Thanks for the feedback - Are you able to share any specifics on how you have the flow set up to work?

 

Cheers, 

Connor

0 Helpfuls