AnsweredAssumed Answered

Anyone doing any automated review of activity logs?

Question asked by derekv on Jan 3, 2019

Per an old question on here (User Activity through Qualys API ), Qualys updated the api to expose the activity logs. 

 

Anyone using the api to route this data to a SIEM or dropping it to local disk and running scripts on it to review activity logs? If so, what kind of monitors/checks/alerts are you doing?

 

Just thinking off the top of my head, I think the following would be interesting to put monitors around:

-Odd login times

-Bulk deletes

-Bulk edits of AGs

-Bulk uninstalls

-Bulk purges

 

Just wanted to start a discussion and see if anyone else is doing this. Thinking about putting some time towards doing this and just curious if anyone else has already gone this path and had ideas they could share.

 

Thank you!

D

Outcomes