Monitor User Activities

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Every USM Appliance user, regardless of role, has access to the following information:

  • My Profile

    Includes basic settings about a user, such as login name, user name, email, language, time zone, and password. All users can change their profile as described in Update Your User Profile.

  • Current Sessions

    Displays users that are currently logged into the system. Admins (including default admin) can see sessions for all users, while normal users can see only their own account.

    Current Sessions page from Settings.

  • User Activity

    Displays user activity. Default admin can see activity of all users, while admins and normal users can only see activity of users belonging to the same entity.

    User Activity page

User Activity Configuration

By default, USM Appliance monitors all user activities, including any sessions or configurations created, deleted, or modified by admins or users. This may be helpful for PCI Compliance requirement 10.2.3, Access to all audit trails.

In case you do not want USM Appliance to monitor all user activity, you can fine-tune the user activity parameters.

To review and/or adjust user activity parameters

  1. Go to Configuration > Administration > Main and expand User Activity.

    User Activity page from Administration.

  2. Modify the values you want to change. See the table below for reference.

  3. Apply your changes by clicking Update Configuration.
Configurable Session Parameters
Parameter Value Description
Session Timeout (minutes)

Any integer

Configures web session timeout in minutes.

Note: Default is 15 min. 0 means the session does not time out.

User Life Time (days)

Any integer

Configures number of days a user account is active.

Note: Default is blank, or 0 days, which means the account does not expire.

Enable User Log Yes/No

Controls whether or not user activity should be logged. Default is Yes.

Log to syslog Yes/No Determines whether or not to send user activity to syslog. Default is No.

Turning User Activities into Events

If you want to see user activities as events in USM Appliance, LevelBlue provides a plugin to turn user activities into events, so that you can manage them together with other security events.

This feature is only available for USM Appliance All-in-One and USM Appliance Sensor.

To turn user activities in USM Appliance into events

  1. In the USM Appliance web UI, go to Configuration > Administration > Main and expand User Activity.

  2. If not already, set Log to syslog to Yes.
  3. Go to Configuration > DeploymentComponentsAlienVault Center.
  4. Open the instance you want to configure.
  5. Click Sensor Configuration.
  6. Click Collection.
  7. Select av-useractivity-syslog in the Plugins available column and click the plus sign (+) to add it to the Plugins enabled column.

    Note: You may see a similar plugin named av-useractivity, which is the predecessor of av-useractivity-syslog and will be deprecated in the future.

  8. Click Apply Changes.

Events generated by the av-useractivity plugin will now show up as User Activity events under Analysis > Security Events (SIEM).