Configure SIEM Settings

Configure SIEM settings in PMC to send audit event data to an accessible SIEM provider. Events include computer, activity, and authorization requests. Events are sent in the selected format (CEF or ECS).

The SIEM integration supports only a subset of all event types (see the table below).

The following events are logged by Privilege Management:

Event ID Description
100 Process has started with admin rights added to token.
101 Process has been started from the shell context menu with admin rights added to token.
103 Process has started with admin rights dropped from token.
104 Process has been started from the shell context menu with admin rights dropped from token.
106 Process has started with no change to the access token (passive mode).
107 Process has been started from the shell context menu with no change to the access token (passive mode).
109 Process has started with user’s default rights enforced.
110 Process has started from the shell context menu with user’s default rights enforced.
112 Process requires elevated rights to run.
113 Process has started with Custom Token applied.
114 Process has started from the shell context menu with user’s Custom Token applied.
116 Process execution was blocked.
118 Process started in the context of the authorizing user.
119 Process started from the shell menu in the context of the authorizing user.
120 Process execution was canceled by the user.
199 Process execution was blocked, the maximum number of challenge / response failures was exceeded.

Events are queued and sent in batches at one-minute intervals. This interval is not configurable. A folder is created at the destination where the batches are saved. You can open and download a batch file, which stores the event data in JSON format.

PMC supports the following SIEM providers:

  • AWS
  • Splunk
  • Microsoft Sentinel
  • QRadar

There can only be one SIEM tool configured. If you choose to add details for a new SIEM tool, existing settings data will be lost.

Configure AWS S3 Bucket

You must configure the S3 bucket details before you can configure the SIEM integration in PMC. In AWS, set up the bucket and access to the bucket. This includes:

  • Create a bucket. When creating the bucket be sure to note the bucket name and region. You need to enter the information when configuring the settings in PMC.
  • Create an access policy. When creating the access policy, the permissions required for the integration include: PutObject, ListAllMyBuckets, GetBucketAcl, and GetBucketLocation.
  • Add a user. When attaching a user to a policy, be sure to select Programmatic access as the access type and Attach existing policies directly as the permission type. Copy the access key ID and secret access key to a file; you need to enter these details when configuring the settings in PMC.
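The following IAM policy is an added example (not from the PMC documentation or from AWS) of granting exactly the four permissions listed above with least privilege; it assumes a bucket named EXAMPLE-BUCKET-NAME, which you replace with the bucket you created.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PmcWriteEventBatches",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    },
    {
      "Sid": "PmcReadBucketMetadata",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
    },
    {
      "Sid": "PmcListBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
```

s3:ListAllMyBuckets is account-wide and only evaluates against Resource "*", so it is the one statement that cannot be pinned to the bucket; the remaining actions are scoped to the bucket and no GetObject or DeleteObject right is granted, so the programmatic credential can write batches but cannot read them back or remove them.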

For more information, see the AWS documentation on creating buckets, access policies, and IAM users.

Add the AWS S3 Bucket in PMC

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select S3.
  4. Enter the details for your storage site:
    • Access Key ID: Enter the value created when you added the user.
    • Secret Access Key: Enter the value created when you added the user.
    • Bucket: Enter the name of the S3 bucket.
    • Region: Select or search for the name of the region where your storage bucket resides.
  5. Select the data format: CEF - Common Event Format or ECS - Elastic Common Schema.
  6. Select Server-Side Encryption to encrypt files sent to the S3 bucket using the default AWS encryption key.
  7. Click Validate Settings to test the connection to your storage site.
  8. Click Save Settings.

If you no longer want the SIEM integration active, click Enable SIEM Integration to turn the feature off.

Add Splunk to PMC

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select Splunk.
  4. Enter the details for your Splunk configuration:
    • Hostname
    • Index
    • Token
  5. Select the data format: CEF - Common Event Format or ECS - Elastic Common Schema.
  6. Click Validate Settings to test the connection to Splunk.
  7. Click Save Settings.

Add Microsoft Sentinel to PMC

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select Sentinel.
  4. Enter the details for your Sentinel configuration:
    • Workspace ID: Enter the Sentinel workspace ID. In Sentinel, the workspace ID is located in this path: Settings > Workspace Settings > Agents Management.
    • Workspace Key: Enter the primary key. In Sentinel, the workspace key is located in this path: Settings > Workspace Settings > Agents Management.
    • Custom Log Table Name: The table is listed under the Custom Logs category in Azure Sentinel. A _CL suffix is automatically appended to the end of the custom log table name. A custom log is created if the table name does not exist.
  5. Select the data format: CEF - Common Event Format or ECS - Elastic Common Schema.
  6. Click Validate Settings to test the connection to Sentinel.
  7. Click Save Settings.

Add QRadar to PMC

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select QRADAR.
  4. Enter the details for your QRadar configuration:
    • Hostname
    • Port
    • Cert
    • Key
  5. Click Validate Settings to test the connection to QRadar.
  6. Click Save Changes to confirm and save.