Configure SIEM Settings

Configure SIEM settings in PMC to send audit event data to an accessible SIEM provider. Events include computer, activity, and authorization requests. Events are sent in the selected format (CEF or ECS).

The SIEM integration supports only a subset of all event types (see the table below).

The following events are logged by Privilege Management:

| Event ID | Description |
| --- | --- |
| 100 | Process has started with admin rights added to token. |
| 101 | Process has been started from the shell context menu with admin rights added to token. |
| 103 | Process has started with admin rights dropped from token. |
| 104 | Process has been started from the shell context menu with admin rights dropped from token. |
| 106 | Process has started with no change to the access token (passive mode). |
| 107 | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 109 | Process has started with user’s default rights enforced. |
| 110 | Process has started from the shell context menu with user’s default rights enforced. |
| 112 | Process requires elevated rights to run. |
| 113 | Process has started with Custom Token applied. |
| 114 | Process has started from the shell context menu with user’s Custom Token applied. |
| 116 | Process execution was blocked. |
| 118 | Process started in the context of the authorizing user. |
| 119 | Process started from the shell menu in the context of the authorizing user. |
| 120 | Process execution was canceled by the user. |
| 199 | Process execution was blocked; the maximum number of challenge / response failures was exceeded. |

Events are queued and sent in batches at one-minute intervals; this interval is not configurable. A folder is created where the batches are saved. You can open and download a batch file, which stores the event data in JSON format.
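As an added example (not PMC's own code or part of this documentation), the following Python reads one downloaded batch file, maps each event ID from the table above to a coarse category, and raises alerts for event 199 and for repeated blocked executions (116/199) by the same user inside a sliding window. The batch is a constructed sample, and the field names `eventId`, `time`, `user` and `process` are assumptions; the page does not document the batch schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the table on this page, grouped by what they mean to a defender.
ELEVATED = {100, 101, 113, 114}                  # admin rights or a Custom Token added
PASSIVE_OR_DEFAULT = {106, 107, 109, 110, 118, 119}
BLOCKED = {116, 199}                             # execution denied by policy
LOCKOUT = 199                                    # challenge/response failure limit exceeded

# Constructed sample batch. The real field names are NOT documented on this page;
# "eventId", "time", "user" and "process" are assumptions made for this example.
SAMPLE_BATCH = json.dumps([
    {"eventId": 100, "time": "2024-05-01T09:00:00", "user": "alice", "process": "cmd.exe"},
    {"eventId": 116, "time": "2024-05-01T09:00:05", "user": "bob",   "process": "tool.exe"},
    {"eventId": 116, "time": "2024-05-01T09:01:00", "user": "bob",   "process": "tool.exe"},
    {"eventId": 116, "time": "2024-05-01T09:02:00", "user": "bob",   "process": "tool2.exe"},
    {"eventId": 199, "time": "2024-05-01T09:03:00", "user": "carol", "process": "setup.exe"},
    {"eventId": 106, "time": "2024-05-01T09:10:00", "user": "alice", "process": "notepad.exe"},
    {"eventId": 116, "time": "2024-05-01T09:12:00", "user": "dave",  "process": "x.exe"},
])

def classify(event_id):
    """Map an event ID from the table to a coarse category; 199 is checked first."""
    for name, ids in (("lockout", {LOCKOUT}), ("blocked", BLOCKED),
                      ("elevated", ELEVATED), ("unchanged", PASSIVE_OR_DEFAULT)):
        if event_id in ids:
            return name
    return "other"

def triage(batch_json, block_threshold=3, window=timedelta(minutes=5)):
    """Return alerts: every 199 lockout, plus any user who accumulates
    block_threshold or more blocked executions (116/199) inside `window`."""
    events = sorted(json.loads(batch_json), key=lambda e: e["time"])  # ISO-8601 sorts lexically
    alerts, blocks = [], defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["eventId"] == LOCKOUT:
            alerts.append(("lockout", e["user"], e["process"]))
        if e["eventId"] in BLOCKED:
            recent = blocks[e["user"]] + [ts]
            # keep only block timestamps still inside the sliding window
            blocks[e["user"]] = recent = [t for t in recent if ts - t <= window]
            if len(recent) == block_threshold:   # fire once, when the threshold is first reached
                alerts.append(("repeated-blocks", e["user"], len(recent)))
    return alerts
```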

PMC supports the following SIEM providers:

Only one SIEM tool can be configured at a time. If you add details for a new SIEM tool, the existing settings are lost.