Configure SIEM Settings
Configure SIEM settings in PMC to send audit event data to an accessible SIEM provider. Events include computer, activity, and authorization requests. Events are sent in the selected format (CEF or ECS).
The SIEM Integration supports only a subset of all event types (see the table below).
The following events are logged by Privilege Management:
| Event ID | Description |
|---|---|
| 100 | Process has started with admin rights added to token. |
| 101 | Process has been started from the shell context menu with admin rights added to token. |
| 103 | Process has started with admin rights dropped from token. |
| 104 | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | Process has started with no change to the access token (passive mode). |
| 107 | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | Process has started with user's default rights enforced. |
| 110 | Process has started from the shell context menu with user's default rights enforced. |
| 112 | Process requires elevated rights to run. |
| 113 | Process has started with Custom Token applied. |
| 114 | Process has started from the shell context menu with user's Custom Token applied. |
| 116 | Process execution was blocked. |
| 118 | Process started in the context of the authorizing user. |
| 119 | Process started from the shell menu in the context of the authorizing user. |
| 120 | Process execution was canceled by the user. |
| 199 | Process execution was blocked, the maximum number of challenge / response failures was exceeded. |
Events are queued and sent in batches at one-minute intervals. This interval is not configurable. A folder is created in which each batch is saved; you can open and download a batch file, which stores the event data in JSON format.
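To show what one of these batches looks like once rendered in CEF, here is an added example (not PMC's own code or schema): it maps the event IDs from the table above to CEF signature IDs and names, applies CEF's header and extension escaping, and raises the severity of the blocked or failed executions (116, 199) that a SIEM correlation rule would typically key on. The input field names (`event_id`, `host`, `user`, `process`), the vendor/product strings and the severity values are assumptions, not PMC's real record layout.

```python
# Event IDs and their descriptions, as listed in the table above.
EVENT_NAMES = {
    100: "Process has started with admin rights added to token.",
    101: "Process has been started from the shell context menu with admin rights added to token.",
    103: "Process has started with admin rights dropped from token.",
    104: "Process has been started from the shell context menu with admin rights dropped from token.",
    106: "Process has started with no change to the access token (passive mode).",
    107: "Process has been started from the shell context menu with no change to the access token (passive mode).",
    109: "Process has started with user's default rights enforced.",
    110: "Process has started from the shell context menu with user's default rights enforced.",
    112: "Process requires elevated rights to run.",
    113: "Process has started with Custom Token applied.",
    114: "Process has started from the shell context menu with user's Custom Token applied.",
    116: "Process execution was blocked.",
    118: "Process started in the context of the authorizing user.",
    119: "Process started from the shell menu in the context of the authorizing user.",
    120: "Process execution was canceled by the user.",
    199: "Process execution was blocked, the maximum number of challenge / response failures was exceeded.",
}

# Assumed severity mapping: blocked/failed executions are the ones a SIEM rule keys on.
HIGH_SEVERITY_IDS = {116, 199}
MEDIUM_SEVERITY_IDS = {112, 120}
# Constructed input field names -> standard CEF extension keys.
EXTENSION_KEYS = {"host": "dvchost", "user": "suser", "process": "fname"}

def _esc_header(value: str) -> str:
    # CEF header fields must escape backslash and the pipe delimiter.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value: str) -> str:
    # CEF extension values must escape backslash and '='; line breaks become \r / \n.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def severity_for(event_id: int) -> int:
    if event_id in HIGH_SEVERITY_IDS: return 8
    if event_id in MEDIUM_SEVERITY_IDS: return 5
    return 3  # informational: allowed, passive or default-rights starts

def to_cef(event: dict) -> str:
    eid = int(event["event_id"])
    name = EVENT_NAMES.get(eid)
    if name is None:  # reject IDs outside the supported subset rather than emit a bad line
        raise ValueError(f"unsupported Privilege Management event id {eid}")
    header = "|".join(["CEF:0", "VendorPlaceholder", "ProductPlaceholder", "1.0",
                       str(eid), _esc_header(name), str(severity_for(eid))])
    ext = " ".join(f"{EXTENSION_KEYS[k]}={_esc_ext(str(event[k]))}" for k in EXTENSION_KEYS if k in event)
    return header + "|" + ext

def batch_to_cef(batch: list) -> list:
    # One JSON batch file holds a list of events; render each as one CEF line.
    return [to_cef(e) for e in batch]
```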
PMC supports the following SIEM providers:
There can only be one SIEM tool configured. If you choose to add details for a new SIEM tool, existing settings data will be lost.