Configure SIEM Settings

Configure SIEM settings to send audit event data to an accessible SIEM provider. EPM supports the following SIEM providers:

Only one SIEM tool can be configured at a time. If you add details for a new SIEM tool, the existing settings are overwritten and lost.

Events are queued and sent in batches at one-minute intervals; the interval is not configurable. A folder is created in which the batches are saved. You can open and download a batch file, which stores the event data in JSON format.

Starting in EPM 23.1, the ECS mappings are updated for SIEM integrations.

If you previously configured SIEM settings and selected the ECS format, two ECS format menu items are shown: ECS - Elastic Common Schema and ECS - Elastic Common Schema (Deprecated). To move to the new ECS schema, select ECS - Elastic Common Schema, and then click Validate Settings.

For a list of supported events in 23.1 and later, see PM Cloud ECS Event Reference.

Event Types

Event data covers computer events, activity events, and authorization requests. Events are sent in the selected format (CIM or ECS).

For SIEM integrations using the CIM format or ECS - Elastic Common Schema (Deprecated), only a subset of all event types is supported (see the table below).

The following events are logged by Endpoint Privilege Management:

Event ID   Description
100        Process has started with admin rights added to token.
101        Process has been started from the shell context menu with admin rights added to token.
103        Process has started with admin rights dropped from token.
104        Process has been started from the shell context menu with admin rights dropped from token.
106        Process has started with no change to the access token (passive mode).
107        Process has been started from the shell context menu with no change to the access token (passive mode).
109        Process has started with user's default rights enforced.
110        Process has started from the shell context menu with user's default rights enforced.
112        Process requires elevated rights to run.
113        Process has started with a Custom Token applied.
114        Process has been started from the shell context menu with a Custom Token applied.
116        Process execution was blocked.
118        Process started in the context of the authorizing user.
119        Process started from the shell menu in the context of the authorizing user.
120        Process execution was canceled by the user.
199        Process execution was blocked; the maximum number of challenge / response failures was exceeded.
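The following Python script is an added example, not code from the EPM documentation or the product, showing how the one-minute JSON batch files could be triaged against the Event ID table above: it counts events per ID, raises alerts for 116 (blocked) and 199 (challenge/response limit exceeded), summarises elevations per host, and flags IDs the table does not list. It assumes the Event ID is carried in the ECS field event.code (as a nested object or a flattened dotted key) and that host.name and process.executable are populated; those field names are assumptions, not confirmed by this page, and the sample batch is constructed.

```python
import json
from collections import Counter

# Event ID table from the page (descriptions shortened).
EPM_EVENT_IDS = {
    100: "admin rights added to token",
    101: "admin rights added to token (shell context menu)",
    103: "admin rights dropped from token",
    104: "admin rights dropped from token (shell context menu)",
    106: "no token change, passive mode",
    107: "no token change, passive mode (shell context menu)",
    109: "default rights enforced",
    110: "default rights enforced (shell context menu)",
    112: "requires elevated rights to run",
    113: "custom token applied",
    114: "custom token applied (shell context menu)",
    116: "execution blocked",
    118: "started in context of authorizing user",
    119: "started in context of authorizing user (shell context menu)",
    120: "execution canceled by user",
    199: "blocked, challenge/response failure limit exceeded",
}

# IDs worth alerting on: 116 is a policy block, 199 means repeated
# challenge/response failures. Elevation IDs are summarised per host.
ALERT_IDS = {116, 199}
ELEVATION_IDS = {100, 101, 113, 114}


def _get(event, dotted):
    """Read a dotted ECS field from either flattened ("event.code") or
    nested ({"event": {"code": ...}}) JSON. Assumption: either may appear."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def event_id_of(event):
    """Return the EPM Event ID as an int; assumes it lives in event.code."""
    code = _get(event, "event.code")
    if code is None:
        raise ValueError("event has no event.code field")
    return int(code)


def triage_batch(batch_json):
    """Parse one batch file (a JSON array of events) and summarise it."""
    counts, alerts, elevations, unknown = Counter(), [], {}, []
    for ev in json.loads(batch_json):
        eid = event_id_of(ev)
        counts[eid] += 1
        if eid not in EPM_EVENT_IDS:
            unknown.append(eid)          # not in the page's table: investigate
            continue
        host = _get(ev, "host.name")
        exe = _get(ev, "process.executable")
        if eid in ALERT_IDS:
            alerts.append({"id": eid, "what": EPM_EVENT_IDS[eid],
                           "host": host, "executable": exe})
        elif eid in ELEVATION_IDS:
            elevations.setdefault(host, []).append(exe)
    return {"counts": counts, "alerts": alerts,
            "elevations": elevations, "unknown": unknown}


def triage_batches(batch_jsons):
    """Merge results across several one-minute batch files."""
    merged = {"counts": Counter(), "alerts": [], "elevations": {}, "unknown": []}
    for batch in batch_jsons:
        r = triage_batch(batch)
        merged["counts"].update(r["counts"])
        merged["alerts"].extend(r["alerts"])
        for host, exes in r["elevations"].items():
            merged["elevations"].setdefault(host, []).extend(exes)
        merged["unknown"].extend(r["unknown"])
    return merged


# Constructed sample batch: one flattened record, the rest nested.
SAMPLE_BATCH = json.dumps([
    {"event": {"code": "100"}, "host": {"name": "WS01"},
     "process": {"executable": "C:\\Windows\\System32\\cmd.exe"}},
    {"event.code": "106", "host.name": "WS01",
     "process.executable": "C:\\Windows\\System32\\notepad.exe"},
    {"event": {"code": "116"}, "host": {"name": "WS02"},
     "process": {"executable": "C:\\Users\\alice\\Downloads\\installer.exe"}},
    {"event": {"code": "199"}, "host": {"name": "WS02"},
     "process": {"executable": "C:\\Users\\alice\\Downloads\\installer.exe"}},
    {"event": {"code": "250"}, "host": {"name": "WS03"}},
])

if __name__ == "__main__":
    result = triage_batch(SAMPLE_BATCH)
    for alert in result["alerts"]:
        print(f"ALERT {alert['id']} on {alert['host']}: {alert['what']} ({alert['executable']})")
    print("elevations:", result["elevations"], "unknown IDs:", result["unknown"])
```

Because batch files arrive once a minute, run triage_batches over the files in the download folder in timestamp order and keep the unknown list: an ID outside the table usually means the ECS mapping changed (for example after moving off the deprecated schema), not that EPM emitted something new.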