Best Methods to export user login (Successful and failed) activity to external SIEM solution
‎07-18-2022 12:12 PM
We have a requirement in which we need to be logging all user login events to an external SIEM solution (LogRhythm). What is the most effective and streamlined method in which to achieve this?
Is the Syslog Probe using the MID server the only option, or can we use an API based approach to pull the specifics events from the Events Table?
Any insight would be greatly appreciated!
Labels: Event Management

‎07-18-2022 10:13 PM
Not exactly, but the approach and best practice for the sysevent table is in the KB below:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0749943
Once you have the data in a STAGING table, you can use the REST API to post/pull this data for the SIEM tool, which is LogRhythm in your case.
Regards
RP

‎07-19-2022 01:10 PM
Hi,
We have implemented a Flow Designer flow which exports our events in deltas to Splunk, which is our monitoring system, and we use a dashboard in Splunk to show this.
Also, you can use Security Center or Application Insights for this.
Thank you,
Ashutosh
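The two replies above describe the same pattern from different ends: pull login events from the sysevent table over the REST API (RP's suggestion) and ship only the delta since the last run (Ashutosh's Flow Designer approach). The script below is an added example written for this thread, not code from ServiceNow, LogRhythm or either poster. It polls the Table API for `sysevent` records, keeps a watermark so each poll only returns new events, and formats each event as CEF inside an RFC 5424 syslog frame, which is what a LogRhythm syslog collector can ingest. Assumptions (marked `ASSUMED` in the code): the instance raises events named `login` and `login.failed` for authentication attempts, the listed sysevent fields (`user_name`, `parm1`, `parm2`, `instance`) exist and are readable by the integration user, the Table API returns `sys_created_on` in UTC, and the collector host/port are placeholders. `fake_table_api` and `SAMPLE_RESPONSE` are constructed stand-ins so the script runs offline; swap in `fetch_json` for a live instance.

```python
"""Delta-pull ServiceNow login events via the Table API; emit CEF-over-syslog for a SIEM.
Added example for the thread, not ServiceNow/LogRhythm code. See ASSUMED markers."""
import base64
import json
import socket
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable

LOGIN_EVENT_NAMES = ("login", "login.failed")      # ASSUMED: sysevent names raised on auth attempts
CEF_SEVERITY = {"login": 3, "login.failed": 6}      # CEF 0-10; failures rank higher for alerting
SYSLOG_SEVERITY = {"login": 6, "login.failed": 4}   # info / warning
SYSLOG_FACILITY = 4                                 # auth; PRI = facility*8 + severity


def build_sysevent_url(instance: str, since: str, limit: int = 1000) -> str:
    """Table API URL for login events created at or after `since` ('YYYY-MM-DD HH:MM:SS', UTC).
    '>=' is deliberate: events sharing the watermark second would be lost with '>'; pull_delta dedups."""
    query = ("nameIN" + ",".join(LOGIN_EVENT_NAMES)
             + "^sys_created_on>=" + since + "^ORDERBYsys_created_on")
    params = {"sysparm_query": query,
              "sysparm_fields": "sys_id,sys_created_on,name,user_name,parm1,parm2,instance",  # ASSUMED
              "sysparm_limit": str(limit)}
    return f"https://{instance}.service-now.com/api/now/table/sysevent?" + urllib.parse.urlencode(params)


def fetch_json(url: str, user: str, password: str) -> dict:
    """Live fetch with Basic auth. Use a dedicated read-only integration user scoped to sysevent."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pull_delta(fetch: Callable[[str], dict], instance: str, watermark: str, seen: set) -> tuple:
    """One polling cycle -> (new_records, new_watermark, sys_ids_at_new_watermark).
    `seen` holds ids already forwarded for the watermark second, so re-reading that second is safe."""
    records = fetch(build_sysevent_url(instance, watermark)).get("result", [])
    new = [r for r in records if r["sys_id"] not in seen]
    if not records:
        return new, watermark, seen
    latest = max(r["sys_created_on"] for r in records)
    return new, latest, {r["sys_id"] for r in records if r["sys_created_on"] == latest}


def cef_escape(value: str, header: bool = False) -> str:
    """CEF rules: escape backslash and '|' in header fields; backslash, '=' and newlines in extensions."""
    value = value.replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def _epoch_ms(ts: str) -> str:
    """sys_created_on (ASSUMED UTC) -> epoch milliseconds, the form CEF's rt field expects."""
    return str(int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp() * 1000))


def to_cef(rec: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    name = rec.get("name", "")
    outcome = "failure" if name == "login.failed" else "success"
    header = "|".join(cef_escape(f, header=True) for f in (
        "ServiceNow", rec.get("instance") or "instance", "1", name,
        "User login " + outcome, str(CEF_SEVERITY.get(name, 3))))
    fields = [("rt", _epoch_ms(rec["sys_created_on"])), ("suser", rec.get("user_name", "")),
              ("outcome", outcome), ("externalId", rec.get("sys_id", ""))]
    for i, key in enumerate(("parm1", "parm2"), start=1):
        if rec.get(key):                                # keep raw parms as custom strings for analysts
            fields += [(f"cs{i}Label", key), (f"cs{i}", rec[key])]
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in fields if v)


def to_syslog(rec: dict) -> str:
    """RFC 5424 frame around the CEF payload; HOSTNAME is the instance so the SIEM can key on it."""
    pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY.get(rec.get("name", ""), 6)
    stamp = rec["sys_created_on"].replace(" ", "T") + "Z"     # ASSUMED: Table API returns UTC
    return f"<{pri}>1 {stamp} {rec.get('instance') or 'servicenow'} servicenow - - - {to_cef(rec)}"


def send_syslog(lines, host: str, port: int = 514) -> int:
    """UDP send to the collector (placeholder host/port); prefer TLS syslog in production."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))
    return len(lines)


# Constructed sample response standing in for the Table API; not real instance data.
SAMPLE_RESPONSE = {"result": [
    {"sys_id": "a1", "sys_created_on": "2022-07-18 12:00:00", "name": "login", "user_name": "connor",
     "parm1": "", "parm2": "", "instance": "dev12345"},
    {"sys_id": "a2", "sys_created_on": "2022-07-18 12:00:05", "name": "login.failed", "user_name": "admin",
     "parm1": "admin", "parm2": "Invalid password|attempt=3", "instance": "dev12345"},
    {"sys_id": "a3", "sys_created_on": "2022-07-18 12:00:05", "name": "login", "user_name": "rp",
     "parm1": "", "parm2": "", "instance": "dev12345"},
]}


def fake_table_api(url: str) -> dict:
    """Offline stand-in that honours the sys_created_on>= filter in the query, as the real API does."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["sysparm_query"][0]
    since = query.split("sys_created_on>=", 1)[1].split("^", 1)[0]
    return {"result": [r for r in SAMPLE_RESPONSE["result"] if r["sys_created_on"] >= since]}


if __name__ == "__main__":
    new, wm, seen = pull_delta(fake_table_api, "dev12345", "2022-07-18 12:00:00", set())
    for line in (to_syslog(r) for r in new):
        print(line)
    again, _, _ = pull_delta(fake_table_api, "dev12345", wm, seen)   # second cycle: nothing re-sent
    print("second cycle new events:", len(again))
```

Two practical caveats for this approach: sysevent is a rotated table with short retention, so the poll interval has to be well inside the retention window or events are lost; and persist the watermark and the ids at that second (a file or small table) so a restart of the poller neither re-sends nor skips events.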
‎07-20-2022 09:03 AM
Hi Ashutosh,
Thanks for the feedback. Are you able to share any specifics on how you have the flow set up to work?
Cheers,
Connor