orionquest
Newcomer I

correlation between change authorizations and security configuration changes

Has anybody found a way to (more or less) automate correlations between change authorizations and security configuration changes?

I am trying to streamline the workflow for my SOC so they don't have to chase down, e.g., a Group Policy change only to find out it was authorized.

Splunk is my log aggregation and SIEM platform.

7 Replies
tmekelburg1
Community Champion

Just so I understand, Splunk will alert the SOC of the change but doesn't link the change approval form or log the change approval to the alert?  

orionquest
Newcomer I

Correct. Logs from my change management software (ServiceNow) are being pulled into Splunk as well. I'm trying to match those as best as I can to alerts, e.g., a user added to my Domain Admin group.
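One way to do the matching asked about above (a change record pulled from ServiceNow against a "member added to Domain Admins" event), as an added example that is not from the thread, from Splunk or from ServiceNow. In Splunk this would be a lookup of the exported change records against the Windows 4728 event keyed on time window, group and acting account; it is written here as standalone Python so the matching rules are explicit and testable. Everything in it is an assumption for illustration: the change field names follow ServiceNow's change_request table, the event field names follow the Windows Security event XML, the state values that count as authorized vary by instance, and the change numbers, accounts, hosts and timestamps are constructed sample data.

```python
# Added example, not from the thread: correlate a privileged-group addition
# from the Windows Security log with ServiceNow change records already in the
# SIEM. Field names are assumptions: change fields follow ServiceNow's
# change_request table, event fields follow the Windows event XML; change
# numbers, accounts, hosts and timestamps are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTHORIZED_STATES = {"approved", "scheduled", "implement"}  # adjust per instance
MONITORED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}

@dataclass(frozen=True)
class ChangeRecord:
    number: str
    state: str
    start: datetime
    end: datetime
    assigned_to: str   # account expected to perform the change
    description: str   # should name the group and the member being added

@dataclass(frozen=True)
class SecurityEvent:
    time: datetime
    event_code: int    # 4728 = member added to security-enabled global group
    actor: str         # SubjectUserName
    target: str        # TargetUserName (the group)
    member: str        # MemberName (DN of the account added)
    host: str

def parse_sn_time(s):
    """ServiceNow stores glide_date_time in UTC as 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def change_from_row(row):
    return ChangeRecord(row["number"], row["state"], parse_sn_time(row["start_date"]),
                        parse_sn_time(row["end_date"]), row["assigned_to"],
                        row["short_description"])

def event_from_row(row):
    return SecurityEvent(datetime.fromisoformat(row["_time"]), int(row["EventCode"]),
                         row["SubjectUserName"], row["TargetUserName"],
                         row["MemberName"], row["host"])

def member_cn(dn):
    """First RDN of the member DN without its CN= prefix."""
    rdn = dn.split(",")[0]
    return rdn[3:] if rdn.upper().startswith("CN=") else rdn

def covering_changes(event, changes, grace=timedelta(minutes=15)):
    """Authorized changes whose window (plus grace) covers the event time and
    whose description names the group that was modified."""
    return [c for c in changes
            if c.state.lower() in AUTHORIZED_STATES
            and c.start - grace <= event.time <= c.end + grace
            and event.target.lower() in c.description.lower()]

def triage(event, changes):
    """(verdict, change number or None):
    authorized   - window, group, acting account and added member all match
    suspicious   - a change covers window and group, but the wrong account
                   acted or an unplanned member was added
    unauthorized - no authorized change covers this group at this time"""
    candidates = covering_changes(event, changes)
    if not candidates:
        return ("unauthorized", None)
    for c in candidates:
        if (c.assigned_to.lower() == event.actor.lower()
                and member_cn(event.member).lower() in c.description.lower()):
            return ("authorized", c.number)
    return ("suspicious", candidates[0].number)

def run(events, changes):
    """Triage every monitored-group addition -> [(host, actor, verdict, change)]."""
    return [(e.host, e.actor) + triage(e, changes)
            for e in events if e.target.lower() in MONITORED_GROUPS]

# Constructed sample data: one change in implementation, one not yet approved.
CHANGES = [change_from_row(r) for r in (
    {"number": "CHG0000101", "state": "Implement", "assigned_to": "alice",
     "start_date": "2024-05-10 22:00:00", "end_date": "2024-05-10 23:00:00",
     "short_description": "Add svc-backup to Domain Admins for DR test"},
    {"number": "CHG0000102", "state": "New", "assigned_to": "carol",
     "start_date": "2024-05-11 09:00:00", "end_date": "2024-05-11 10:00:00",
     "short_description": "Add carol to Domain Admins"})]
EVENTS = [event_from_row(r) for r in (
    {"_time": "2024-05-10T22:17:03+00:00", "EventCode": "4728", "host": "dc01",
     "SubjectUserName": "alice", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"_time": "2024-05-10T22:40:00+00:00", "EventCode": "4728", "host": "dc01",
     "SubjectUserName": "bob", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example"},
    {"_time": "2024-05-10T22:50:00+00:00", "EventCode": "4728", "host": "dc01",
     "SubjectUserName": "alice", "TargetUserName": "Domain Admins",
     "MemberName": "CN=mallory,OU=Users,DC=corp,DC=example"},
    {"_time": "2024-05-11T09:30:00+00:00", "EventCode": "4728", "host": "dc02",
     "SubjectUserName": "carol", "TargetUserName": "Domain Admins",
     "MemberName": "CN=carol,OU=Users,DC=corp,DC=example"})]

if __name__ == "__main__":
    for row in run(EVENTS, CHANGES):
        print(row)
```

Running it gives one verdict per addition: alice adding svc-backup inside CHG0000101's window is "authorized"; bob acting inside the same window is "suspicious" (right window, wrong account); alice adding mallory is also "suspicious" (right account, member not in the change); carol's addition is "unauthorized" because CHG0000102 was never approved. Two caveats for the SOC: an "authorized" verdict only proves that the window, group, account and member all lined up, so a compromised implementer account used during its own window passes, and for that reason the correlation result (with the change number) should be recorded alongside the alert rather than used to suppress it; and a "suspicious" verdict is a change window being used for something other than what was approved, which is worth working as an incident rather than closing as noise.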

tmekelburg1
Community Champion

I don't have a solution specifically for Splunk and I'm also assuming ServiceNow does more than change management, like work orders, asset tracking, and project management?

We currently use our work order system to email out to specific stakeholders on who needs to be notified of the ticket status/resolution. So for this example, we would add the SOC email address for notification of ticket statuses. When the ticket was completed the work order system would generate an email to the SOC. The SOC would then keep a record of it for reference later if need be.

I'd also be interested if someone else has this all automated together, from initial user request, supervisor approval, work completed, and automatically logged into a SIEM to correlate the event alerts.

Just curious, how much time does it take to cross-reference that manually? How much time would that save over a set period of time?
Caute_cautim
Community Champion

@tmekelburg1 You could use Change Tracker R2 to correlate with the chosen SIEM, including integrity checking on specific components, folders, and files etc.

https://www.newnettechnologies.com/change-tracker-gen-7.html

Which can also be wholly independent and objective for audit and tracking purposes.

Also uses a lot of automation under the hood.

Regards

Caute_cautim

tmekelburg1
Community Champion

Thanks Caute! Do you have personal experience with this one or another similar solution? What's your current process to help correlate these together?

orionquest
Newcomer I

Highly unlikely management will approve any new purchases given the current environment. I have to make do with the tools I already have.

tmekelburg1
Community Champion

I would see if their support could walk you through setting that up. Or at the very least they could let you know it's not possible with their current products.