08/11/2023 04:39 AM - edited 08/11/2023 04:41 AM
Hi,
We are working on the integration of Splunk with Saviynt EIC, designed to enhance the monitoring and management of audit logs within the Saviynt platform.
To ensure optimal results and a streamlined workflow, it is important to follow best practices for determining which audit events Splunk should trigger alerts for. We have provided a list of recommendations for capturing these events and configuring alerts accordingly.
Some recommended audit events to monitor and trigger alerts include:
1. ROLE_ADMIN Changes: Creating alerts for when a Saviynt Role Administrator role is either added to or removed from a user will help you maintain control over the administration of the platform and ensure that only authorized individuals have access to these privileges.
2. Job Triggers: Monitoring the deletion of job triggers.
3. Connection Updates: Keeping track of updates made to connections.
4. Connection Deletions: Similar to updates, deleting a connection can be a cause for concern as it may disrupt the operations on the platform.
Please note that the above recommendations are examples and a starting point for determining the appropriate audit events we want to monitor.
We have already read the documentation for SIEM integration and created the list above.
We require the best practices and more events that need to be captured for sending alerts.
Best Regards,
Krunal Kadam
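The four recommendations in the post above, turned into detection logic that can be run over sample audit records. This is an added example written for this thread; it is not code from the original poster, from Saviynt, or from the Splunk integration. The record schema (objectType, action, roleName, actor, target, ts) and the sample events are constructed assumptions for illustration, not Saviynt's real audit format, so the predicates must be re-mapped to the field names your Saviynt-to-Splunk feed actually emits (in production the same four rules would be Splunk saved searches with an alert condition on the match count). Benign events and a malformed line are included on purpose, to check that the rules neither over-fire nor crash the parser.

```python
"""
Added example (not from the original post or from Saviynt): toy detection logic
that applies the four alert recommendations to constructed, newline-delimited
JSON audit records. The field names below are assumptions for illustration,
not Saviynt's audit schema; map them to the fields your integration emits.
"""
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample audit records (schema assumed, not Saviynt's real one).
SAMPLE_AUDIT_LOG = """
{"ts":"2023-08-11T04:00:01Z","objectType":"ROLE_ASSIGNMENT","action":"ADD","roleName":"ROLE_ADMIN","actor":"admin1","target":"jsmith"}
{"ts":"2023-08-11T04:00:02Z","objectType":"ROLE_ASSIGNMENT","action":"ADD","roleName":"ROLE_READONLY","actor":"admin1","target":"jdoe"}
{"ts":"2023-08-11T04:00:03Z","objectType":"ROLE_ASSIGNMENT","action":"REMOVE","roleName":"ROLE_ADMIN","actor":"admin2","target":"jsmith"}
{"ts":"2023-08-11T04:00:04Z","objectType":"JOB_TRIGGER","action":"CREATE","actor":"admin1","target":"NightlyImport"}
{"ts":"2023-08-11T04:00:05Z","objectType":"JOB_TRIGGER","action":"DELETE","actor":"svc_batch","target":"NightlyImport"}
{"ts":"2023-08-11T04:00:06Z","objectType":"CONNECTION","action":"UPDATE","actor":"admin2","target":"AD-Prod"}
{"ts":"2023-08-11T04:00:07Z","objectType":"CONNECTION","action":"DELETE","actor":"admin2","target":"AD-Prod"}
{"ts":"2023-08-11T04:00:08Z","objectType":"USER","action":"LOGIN","actor":"jdoe","target":"jdoe"}
not a json line. the parser must skip this rather than crash
"""

Record = Dict[str, str]
Rule = Tuple[str, Callable[[Record], bool]]

# One predicate per recommended event. Each keys on objectType plus action;
# the ROLE_ADMIN rule also requires the specific role name, so that ordinary
# role assignments (ROLE_READONLY above) do not fire it.
ALERT_RULES: List[Rule] = [
    ("ROLE_ADMIN assignment changed",
     lambda r: r.get("objectType") == "ROLE_ASSIGNMENT"
               and r.get("roleName") == "ROLE_ADMIN"
               and r.get("action") in ("ADD", "REMOVE")),
    ("Job trigger deleted",
     lambda r: r.get("objectType") == "JOB_TRIGGER" and r.get("action") == "DELETE"),
    ("Connection updated",
     lambda r: r.get("objectType") == "CONNECTION" and r.get("action") == "UPDATE"),
    ("Connection deleted",
     lambda r: r.get("objectType") == "CONNECTION" and r.get("action") == "DELETE"),
]


def parse_audit_log(text: str) -> List[Record]:
    """Parse newline-delimited JSON; skip blank or malformed lines instead of failing."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not silence the whole feed
        if isinstance(obj, dict):
            records.append(obj)
    return records


def evaluate(records: List[Record], rules: List[Rule] = ALERT_RULES) -> List[Tuple[str, Record]]:
    """Return (rule name, record) for every record that matches a rule."""
    hits: List[Tuple[str, Record]] = []
    for rec in records:
        for name, predicate in rules:
            if predicate(rec):
                hits.append((name, rec))
    return hits


def alert_summary(text: str) -> Dict[str, int]:
    """Count matches per rule: the number a Splunk alert's trigger condition would test."""
    counts = {name: 0 for name, _ in ALERT_RULES}
    for name, _rec in evaluate(parse_audit_log(text)):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for name, rec in evaluate(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"ALERT [{name}] actor={rec['actor']} target={rec['target']} at {rec['ts']}")
```

Over the constructed sample the ROLE_ADMIN rule fires twice (the add and the remove), each of the other three rules fires once, and the login, the read-only role grant and the trigger creation produce nothing. When porting this to Splunk, keep the rules as separate saved searches so each alert carries its own severity and owner.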
08/12/2023 09:19 PM
You can add all alerts which come as OOTB reports in Saviynt, such as