|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
Every USM Appliance user, regardless of role, has access to the following information:
- Includes basic settings about a user, such as login name, user name, email, language, time zone, and password. All users can change their profile as described in Update Your User Profile.
- Displays users that are currently logged into the system. Admins (including default admin) can see sessions for all users, while normal users can see only their own account.
- Displays user activity. Default admin can see activity of all users, while admins and normal users can only see activity of users belonging to the same entity.
User Activity Configuration
By default, USM Appliance monitors all user activities, including any sessions or configurations created, deleted, or modified by admins or users. This may be helpful for PCI Compliance requirement 10.2.3, Access to all audit trails.
If you do not want USM Appliance to monitor all user activity, you can fine-tune the user activity parameters.
To review and/or adjust user activity parameters
- Go to Configuration > Administration > Main and expand User Activity.
- Modify the values you want to change. See the table below for reference.
- Apply your changes by clicking Update Configuration.
|Session Timeout (minutes)||Configures web session timeout in minutes. Note: Default is 15 min. 0 means the session does not time out.|
|User Life Time (days)||Configures number of days a user account is active. Note: Default is blank, or 0 days, which means the account does not expire.|
|Enable User Log||Yes/No||Controls whether or not user activity should be logged. Default is Yes.|
|Log to syslog||Yes/No||Determines whether or not to send user activity to syslog. Default is No.|
Turning User Activities into Events
If you want to see user activities as events in USM Appliance, AlienVault provides a plugin to turn user activities into events, so that you can manage them together with other security events.
To turn user activities in USM Appliance into events
- In the USM Appliance web UI, go to Configuration > Administration > Main and expand User Activity.
- If it is not already set, set Log to syslog to Yes.
- Go to Configuration > Deployment > Components > AlienVault Center.
- Open the instance you want to configure.
- Click Sensor Configuration.
- Click Collection.
- Select av-useractivity-syslog in the Plugins available column and click the plus sign (+) to add it to the Plugins enabled column.
  Note: You may see a similar plugin named av-useractivity, which is the predecessor of av-useractivity-syslog and will be deprecated in the future.
- Click Apply Changes.
Events generated by the av-useractivity plugin will now show up as User Activity events under Analysis > Security Events (SIEM).