The Identity and Access Management section is designed for monitoring events related to the management of user accounts (AM), groups, and workstations.
- Statistics on the number of created / modified / deleted AM
- Trends in the number of created / modified / deleted AM
- Event statistics with details on user AM
- Event statistics with details on group AM
- Event statistics with details on workstation AM
- Account Management: Overview
- Account Management: Groups
- Account Management: Computers
- Account Management: Users
The section uses the following fields from data sources. Alias used: sm_cs_iam_indexes.
Field Name | Value |
---|---|
event.kind | event |
event.category | iam |
event.type | creation \| deletion \| change |
event.outcome | success \| failure \| unknown |
event.action | From the original event. |
event.code | Windows Security Event code from the original event. |

Field Name | Value |
---|---|
event.module | Module name. |
event.dataset | Dataset name. |

Field Name | Value |
---|---|
user.name | Username. |
user.domain | User domain. |
user.id | User Security Identifier (SID). |

Field Name | Value |
---|---|
host.name | Host name. |

Field Name | Value |
---|---|
target.name | Username. |
target.domain | User domain. |
target.id | User Security Identifier (SID). |

Field Name | Value |
---|---|
event.original | Original event text. |
The table below lists the reference tables used in the section.
Name | Fields | Description |
---|---|---|
sm_cs_iam_privileged_users_lookup | account.name, is_privileged | Reference table for privileged AM values. |