Ingesting Security Audit Trail via API

nimzo88
Giga Contributor

Hello all, 

I am interested in ingesting security-related audit trail activity events into my SIEM solution.

From the Logging and Monitoring section of the security-best-practice.pdf document,

I understand there are generally two ways to do so:

  1. Using a Syslog Probe via a MID Server (which requires an additional MID Server configuration on the client side).
  2. Using the Table API and pulling records from the requested tables, such as event logs from the sysevent table and audited record changes from the sys_audit table.

I prefer to avoid the additional configuration of a MID Server, so I am trying the second method; however, I am not sure what the best practice is for doing so:

The sys_audit table is pretty dull in terms of the data stored on those records:

For example, if a user Bob updates an incident severity, or locks the account of user Alice, the sys_audit record would mention that Bob updated the severity or locked a user account, but it wouldn't include the incident number of the updated incident, nor the username or user ID of Alice. For that we would need to use the referenced document key and query the referenced audited table (incident / sys_user) as well, to fetch the incident / target user details for enriching the audited activity with the relevant target record that was modified.


Is there any idea what the best practice is to do so, rather than making multiple API requests for enrichment?

Perhaps there is a dedicated API endpoint for fetching audit trail activity,

or maybe the sysevent table covers all audited activity and thus there is no added value in querying sys_audit directly?
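One way to cut the enrichment down to a single Table API request per referenced table, as an added example that is not part of the original post and not a ServiceNow-supplied script: group the sys_audit rows by tablename, query each table once with a sys_idIN encoded query, and join the display value back onto each audit row. The DISPLAY_FIELDS mapping, the instance URL and auth header parameters, and the sample rows are assumptions made for this example.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict
# Display field per audited table (assumed mapping, extend as needed);
# tables not listed fall back to the raw sys_id.
DISPLAY_FIELDS = {"incident": "number", "sys_user": "user_name"}
def table_api_get(instance, auth_header, table, query, fields):
    """GET /api/now/table/<table> with an encoded query; returns the 'result' list."""
    params = urllib.parse.urlencode({"sysparm_query": query, "sysparm_limit": "1000",
                                     "sysparm_fields": ",".join(fields)})
    req = urllib.request.Request(f"{instance}/api/now/table/{table}?{params}",
                                 headers={"Accept": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]

def enrich_audit(audit_rows, fetch):
    """Group sys_audit rows by tablename, fetch every referenced record with one
    sys_idIN query per table, and attach the target's display value to each row."""
    by_table = defaultdict(set)
    for row in audit_rows:
        by_table[row["tablename"]].add(row["documentkey"])
    targets = {}
    for table, ids in by_table.items():
        label = DISPLAY_FIELDS.get(table, "sys_id")
        for rec in fetch(table, "sys_idIN" + ",".join(sorted(ids)), ["sys_id", label]):
            targets[(table, rec["sys_id"])] = rec.get(label)
    # 'target' is None when the referenced record was deleted after the audit entry
    return [{**row, "target": targets.get((row["tablename"], row["documentkey"]))}
            for row in audit_rows]

# Constructed sample data (not from a real instance) plus an offline stand-in fetcher.
SAMPLE_AUDIT = [
    {"tablename": "incident", "documentkey": "inc1", "fieldname": "severity", "user": "bob"},
    {"tablename": "sys_user", "documentkey": "usr1", "fieldname": "locked_out", "user": "bob"},
    {"tablename": "incident", "documentkey": "inc2", "fieldname": "severity", "user": "bob"}]
SAMPLE_TABLES = {"incident": {"inc1": {"sys_id": "inc1", "number": "INC0010001"}},
                 "sys_user": {"usr1": {"sys_id": "usr1", "user_name": "alice"}}}
CALLS = []

def fake_fetch(table, query, fields):
    """Stand-in for table_api_get that only understands 'sys_idIN<a>,<b>' queries."""
    CALLS.append(table)
    wanted = query[len("sys_idIN"):].split(",")
    return [SAMPLE_TABLES[table][i] for i in wanted if i in SAMPLE_TABLES[table]]

def run_demo():
    """Enrich the sample rows; returns (enriched rows, number of fetch calls made)."""
    CALLS.clear()
    return enrich_audit(SAMPLE_AUDIT, fake_fetch), len(CALLS)
```

Against a live instance, pass `lambda t, q, f: table_api_get(INSTANCE, AUTH, t, q, f)` in place of `fake_fetch`; the sysparm_query for the sys_audit pull itself (for example `sys_created_on>javascript:gs.minutesAgoStart(15)`) is left to the caller.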
