
SIEM Integration Analytics Query

NPY
New Contributor

Hello,

We have a SIEM integration with QRadar. We have created a local SIEM account, provided the appropriate access, and created the actionable analytics mentioned in the document (Saviynt SIEM Integration (saviyntcloud.com)), which is as follows:

select ua.TYPEOFACCESS as 'Object Type',
       ua.ActionType as 'Action Taken',
       u.username as 'Accessed By',
       ua.IPADDRESS as 'IP Address',
       ua.ACCESSTIME as 'Event Time',
       ua.DETAIL as 'Message'
from users u, userlogin_access ua, userlogins l
where l.loginkey = ua.LOGINKEY
  and l.USERKEY = u.userkey
  and ua.AccessTime >= (NOW() - INTERVAL ${timeFrame} Minute)
  and ua.Detail is not NULL

We are able to capture the logs for the objects mentioned in the query, but we also want to add the failed login logs from both the UI and the API. Can you please help me with this query or let me know if this is doable in the Saviynt-SIEM integration?

Thank you

 

3 REPLIES

sudeshjaiswal
Saviynt Employee

Hello @NPY,

We don't store the failed login attempts anywhere, so it's not possible to get this info.

Thanks,

NPY
New Contributor

Hi Sudesh,

I can see the failed login attempts in the logs. Is there any workaround to get the failed login attempts directly from the logs, or any other custom solution?

Thank you

 

sudeshjaiswal
Saviynt Employee

Hello @NPY,

There is a column named FAILEDTRIES; you may try that. But it will store the retries value only while the user's login is unsuccessful; once the user is able to log in successfully, the value will be flushed to 0.

Thanks,
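
The counter behaviour described in the last reply can be turned into SIEM events by comparing successive polls. The sketch below is an added example, not part of the thread and not Saviynt code. It assumes each poll yields a username-to-FAILEDTRIES mapping (the thread does not say which table holds the column); the function names and sample data are constructed for illustration.

```python
# Added example: derive failed-login events from successive polls of FAILEDTRIES.
# Each snapshot is {username: FAILEDTRIES} as read at one poll (assumed shape).

def diff_failed_tries(previous, current):
    """Compare two polls and return a list of (username, kind, count) events.

    kind is "failed_attempts" when the counter grew (count = new failures),
    or "counter_reset" when it dropped, which per the reply above means the
    user logged in successfully (count = failures recorded before the reset).
    """
    events = []
    for user in sorted(set(previous) | set(current)):
        before = previous.get(user, 0)
        after = current.get(user, 0)
        if after > before:
            events.append((user, "failed_attempts", after - before))
        elif after < before:
            events.append((user, "counter_reset", before))
            if after > 0:  # failures recorded again after the reset
                events.append((user, "failed_attempts", after))
    return events


def replay(snapshots):
    """Run diff_failed_tries over a sequence of polls, oldest first."""
    events = []
    previous = {}
    for current in snapshots:
        events.extend(diff_failed_tries(previous, current))
        previous = current
    return events


# Constructed sample polls, one per polling interval.
SAMPLE_POLLS = [
    {"alice": 0, "bob": 0},
    {"alice": 2, "bob": 0},   # alice failed twice
    {"alice": 5, "bob": 0},   # three more failures
    {"alice": 0, "bob": 1},   # alice logged in (reset); bob failed once
    {"alice": 0, "bob": 0},   # bob logged in (reset)
]

if __name__ == "__main__":
    for event in replay(SAMPLE_POLLS):
        print(event)
```

Failures that are followed by a successful login inside a single polling interval never appear in any snapshot, so this approach only approximates a failed-login log. The counter also carries no source information, so UI and API failures cannot be told apart this way.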