Best Methods to export user login (Successful and failed) activity to external SIEM solution

Connor18
Kilo Contributor

We have a requirement in which we need to be logging all user login events to an external SIEM solution (LogRhythm). What is the most effective and streamlined method in which to achieve this?

Is the Syslog Probe using the MID server the only option, or can we use an API-based approach to pull the specific events from the Events Table?

Any insight would be greatly appreciated!


Rahul Priyadars
Giga Sage

Not exactly, but the approach and best practice for the sysevent table is in the KB below:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0749943

Once you have the data in the STAGING table, you can use the REST API to post/pull this data for the SIEM tool, which is LogRhythm in your case.

Regards

RP

Ashutosh Munot1
Kilo Patron

Hi,

We have implemented a Flow Designer flow which exports our events in deltas to Splunk, which is our monitoring system, and we use a dashboard in Splunk to show this.

Also you can use Security Center or Application insights for this.

Thank you,
Ashutosh
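The two approaches above (pull the sysevent table over the REST Table API, and ship only deltas) combined in one added example that is not from this thread or from ServiceNow. It assumes the standard Table API on `sysevent`, that successful and failed logins appear as events named `login` and `login.failed` with the user in `parm1` and an address or reason in `parm2` (an assumption; confirm the event names and parameters on your own instance), and formats each row as a CEF line that a SIEM such as LogRhythm can ingest over syslog.

```python
"""Delta pull of ServiceNow login events into SIEM-ready CEF lines (example)."""
from urllib.parse import urlencode

FIELDS = "sys_id,name,parm1,parm2,sys_created_on"

# Constructed sample rows in the shape of a Table API "result" array.
# The meaning of parm1/parm2 for login events is an assumption.
SAMPLE_EVENTS = [
    {"sys_id": "e1", "name": "login", "parm1": "alice", "parm2": "10.0.0.5",
     "sys_created_on": "2024-05-01 08:00:00"},
    {"sys_id": "e2", "name": "login.failed", "parm1": "bob", "parm2": "bad password",
     "sys_created_on": "2024-05-01 08:00:05"},
    {"sys_id": "e3", "name": "login", "parm1": "carol", "parm2": "10.0.0.9",
     "sys_created_on": "2024-05-01 08:00:05"},
]

def table_api_url(instance, watermark, limit=1000):
    """GET URL selecting login events created at or after the watermark.
    '>=' is deliberate: several events can share one second, so the caller
    de-duplicates by sys_id instead of risking a gap with '>'."""
    query = (f"nameINlogin,login.failed^sys_created_on>={watermark}"
             "^ORDERBYsys_created_on")
    params = {"sysparm_query": query, "sysparm_fields": FIELDS,
              "sysparm_limit": limit}
    return f"https://{instance}.service-now.com/api/now/table/sysevent?" + urlencode(params)

def _cef_ext(value):
    # CEF extension values must escape backslash, '=' and newlines.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ")

def to_cef(ev):
    """One sysevent row -> one CEF line (severity 3 success / 7 failure)."""
    failed = ev["name"] == "login.failed"
    ext = (f"suser={_cef_ext(ev['parm1'])} rt={_cef_ext(ev['sys_created_on'])} "
           f"outcome={'failure' if failed else 'success'} msg={_cef_ext(ev['parm2'])}")
    return f"CEF:0|ServiceNow|Instance|1.0|{ev['name']}|User login|{7 if failed else 3}|{ext}"

def delta_pull(rows, state):
    """Emit CEF lines for unseen rows (sorted by sys_created_on) and advance
    state = {"watermark": str, "seen": set of sys_ids at the watermark second}."""
    out = []
    for ev in rows:
        if ev["sys_id"] in state["seen"]:
            continue                      # already shipped at the boundary second
        out.append(to_cef(ev))
        if ev["sys_created_on"] != state["watermark"]:
            state["watermark"], state["seen"] = ev["sys_created_on"], set()
        state["seen"].add(ev["sys_id"])
    return out
```

Persist `state` between polls (e.g. on the MID server or the poller host) so a restart does not replay or skip events; the real fetch is a GET of `table_api_url(...)` with basic or OAuth credentials and the `result` array passed to `delta_pull`.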

Hi Ashutosh,

Thanks for the feedback. Are you able to share any specifics on how you have the flow set up to work?

Cheers,

Connor