Has anybody found a way to (more or less) automate correlations between change authorizations and security configuration changes?
I am trying to streamline the workflow for my SOC, where they don't have to chase down e.g. a group policy change only to find out it was authorized.
Splunk is my log aggregation and SIEM platform.
Correct. Logs from my change management software (ServiceNow) are being pulled into Splunk as well. Trying to match those as best as I can to alerts, e.g. a user added to my Domain Admin group.
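One way to do that matching, as an added example that is not from the thread, from Splunk or from ServiceNow: treat a "member added to Domain Admins" event as authorized only when an approved change record covers the event time, names the implementer as the actor and mentions the group. The record layouts, state names and the 30-minute grace window are assumptions to be mapped onto your real Splunk and ServiceNow fields.

```python
# Added example (not from the thread): label a "user added to Domain Admins"
# alert as authorized or not by matching it against ServiceNow change records
# that Splunk already ingests. Field names, states and the grace window are
# assumptions; map them to your real Splunk/ServiceNow fields.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SecurityEvent:        # e.g. Windows EventCode 4728 (member added to group)
    time: datetime
    actor: str              # account that performed the change
    target_group: str
    member: str

@dataclass
class ChangeRecord:         # minimal change_request fields (assumed names)
    number: str
    state: str
    start: datetime         # planned start
    end: datetime           # planned end
    assigned_to: str        # implementer
    description: str

AUTHORIZED_STATES = {"Approved", "Scheduled", "Implement"}
GRACE = timedelta(minutes=30)   # tolerance around the planned window (assumed)

def matching_change(event, changes):
    """Return the change that authorizes this event, or None: authorized state,
    window (plus grace) covers the event, implementer is the actor, text names the group."""
    for chg in changes:
        if (chg.state in AUTHORIZED_STATES
                and chg.start - GRACE <= event.time <= chg.end + GRACE
                and chg.assigned_to.lower() == event.actor.lower()
                and event.target_group.lower() in chg.description.lower()):
            return chg
    return None

def triage(events, changes):
    """Per event: 'authorized:<change number>' or 'UNAUTHORIZED' for the SOC queue."""
    out = []
    for ev in events:
        chg = matching_change(ev, changes)
        out.append((ev.member, f"authorized:{chg.number}" if chg else "UNAUTHORIZED"))
    return out

# Constructed sample data: one approved change; one event inside its window by
# the implementer, one by the same actor outside any window (needs a human look).
CHANGES = [ChangeRecord("CHG0001234", "Approved", datetime(2024, 3, 4, 9, 0),
                        datetime(2024, 3, 4, 11, 0), "jdoe",
                        "Add svc_backup to Domain Admins for backup migration")]
EVENTS = [SecurityEvent(datetime(2024, 3, 4, 9, 42), "jdoe", "Domain Admins", "svc_backup"),
          SecurityEvent(datetime(2024, 3, 4, 22, 15), "jdoe", "Domain Admins", "tmp_admin")]
```

In Splunk the same logic is a join of the 4728 events against the indexed change records on actor and time window; the script only makes the rule explicit so the SOC can tune it.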
@tmekelburg1 You could use Change Tracker R2 to correlate with the chosen SIEM, including integrity checking on specific components, folders, files, etc.
It can also be wholly independent and objective for audit and tracking purposes.
It also uses a lot of automation under the hood.
I would see if their support could walk you through setting that up. Or at the very least they could let you know it's not possible with their current products.