The Identity and Access Management section is designed for monitoring events related to the management of user accounts (AM), groups, and workstations.
- Statistics on the number of created / modified / deleted AM
- Trends in the number of created / modified / deleted AM
- Event statistics with details on user AM
- Event statistics with details on group AM
- Event statistics with details on workstation AM
- Account Management: Overview
- Account Management: Groups
- Account Management: Computers
- Account Management: Users
The section uses the following fields from data sources. Alias used: sm_cs_iam_indexes.

| Field Name | Value |
|---|---|
| event.kind | event |
| event.category | iam |
| event.type | creation, deletion, change |
| event.outcome | success, failure, unknown |
| event.action | From the original event. |
| event.code | Windows Security Event code from the original event. |

| Field Name | Value |
|---|---|
| event.module | Module name. |
| event.dataset | Dataset name. |

| Field Name | Value |
|---|---|
| user.name | Username. |
| user.domain | User domain. |
| user.id | User Security Identifier (SID). |

| Field Name | Value |
|---|---|
| host.name | Host name. |

| Field Name | Value |
|---|---|
| target.name | Username. |
| target.domain | User domain. |
| target.id | User Security Identifier (SID). |

| Field Name | Value |
|---|---|
| event.original | Original event text. |

The section uses the following reference tables.

| Name | Fields | Description |
|---|---|---|
| sm_cs_iam_privileged_users_lookup | account.name, is_privileged | Reference table for privileged AM values. |
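
The following added example (not part of the product or its documentation) checks normalized events against the field values listed above before counting them per event.type, and flags changes to accounts marked in the privileged lookup. It assumes flat dotted keys, a set of required fields, a case-insensitive join of target.name to the lookup's account.name, and constructed sample events; `schema_errors`, `summarize` and `make_event` are hypothetical helper names.

```python
from collections import Counter

# Allowed values, copied from the field table on this page.
ALLOWED = {
    "event.kind": {"event"},
    "event.category": {"iam"},
    "event.type": {"creation", "deletion", "change"},
    "event.outcome": {"success", "failure", "unknown"},
}
# Assumption: these fields must be populated for the per-account statistics.
REQUIRED = ("event.code", "user.name", "host.name", "target.name")

def schema_errors(event):
    """Return the reasons an event does not fit the section's field mapping."""
    errors = [f"{f}={event.get(f)!r} not allowed"
              for f, ok in ALLOWED.items() if event.get(f) not in ok]
    errors += [f"{f} missing" for f in REQUIRED if not event.get(f)]
    return errors

def summarize(events, privileged):
    """Count valid events per event.type; list changes to privileged accounts."""
    counts, hits, rejected = Counter(), [], []
    for ev in events:
        errs = schema_errors(ev)
        if errs:
            rejected.append(errs)
            continue
        counts[ev["event.type"]] += 1
        # Assumed join: target.name -> lookup account.name, case-insensitive.
        if privileged.get(ev["target.name"].lower(), False):
            hits.append((ev["event.type"], ev["target.name"], ev["user.name"]))
    return counts, hits, rejected

def make_event(etype, code, actor, target, category="iam"):
    """Build a constructed sample event with flat dotted keys."""
    return {"event.kind": "event", "event.category": category, "event.type": etype,
            "event.outcome": "success", "event.code": code, "user.name": actor,
            "host.name": "dc01", "target.name": target}

# Constructed sample data: lookup rows (account.name -> is_privileged) and events.
LOOKUP = {"svc-backup": True, "jdoe": False}
EVENTS = [
    make_event("creation", "4720", "admin1", "jdoe"),
    make_event("change", "4738", "admin1", "SVC-Backup"),
    make_event("deletion", "4726", "admin2", "jdoe"),
    make_event("change", "4738", "admin2", ""),                      # target.name missing
    make_event("access", "4624", "jdoe", "jdoe", "authentication"),  # not an IAM event
]

if __name__ == "__main__":
    print(*summarize(EVENTS, LOOKUP), sep="\n")
```

Events that fail the check are returned separately rather than dropped silently, which makes mapping gaps in a data source visible instead of showing up as undercounted statistics.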