How can I use Compliance Event Manager to track Security Administration logonid changes?
The ACCOUNTADMIN event can be used to track logonid changes with the Alert, Warehouse or Logger components.
A Policy Statement for the Account Administration event can be created. Test Conditions can be used against the following fields:
The fields that are returned are as follows.
Security administrator logonid SEC0001 changes user USER001's logonid to add the non-cancel privilege.
Logonid SEC0001 (with the SECURITY privilege) logs on to TSO
CHANGE USER001 non-cncl
Compliance Event Manager Account Administration Event fields returned:
Account Userid: USER001
Command: change USER001 non-cncl
ESM: ACF2
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 169
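
The returned fields can be triaged outside the product. The following is an added example, not code from Compliance Event Manager or from this article: it parses the field layout shown above and reports CHANGE commands that grant a watched ACF2 privilege. The watch list and the function names are assumptions.

```python
# Added example, not product code. Field names follow the sample on this page;
# the watch list and function names are assumptions.
HIGH_RISK = {"NON-CNCL", "SECURITY", "ACCOUNT", "READALL"}  # assumed watch list

# Field values copied from the sample event above.
SAMPLE = """Account Userid: USER001
Command: change USER001 non-cncl
ESM : ACF2
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 169"""


def parse_event(text):
    """Turn 'Name: value' lines into a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def privilege_changes(command):
    """Return (granted, revoked) watch-list privileges in a CHANGE command.

    ACF2 turns a bit field off with a NO prefix, so NONON-CNCL revokes
    NON-CNCL; a plain substring search would misread it as a grant.
    """
    tokens = command.upper().split()
    if len(tokens) < 3 or tokens[0] != "CHANGE":
        return set(), set()
    granted, revoked = set(), set()
    for tok in tokens[2:]:  # tokens[1] is the target logonid
        if tok in HIGH_RISK:
            granted.add(tok)
        elif tok.startswith("NO") and tok[2:] in HIGH_RISK:
            revoked.add(tok[2:])
    return granted, revoked


def assess(text):
    """Return a finding dict when the event grants a watched privilege."""
    ev = parse_event(text)
    granted, _ = privilege_changes(ev.get("Command", ""))
    if ev.get("ESM") != "ACF2" or not granted:
        return None
    return {"target": ev.get("Account Userid"), "granted": sorted(granted),
            "policy": ev.get("Policy UUID")}


if __name__ == "__main__":
    print(assess(SAMPLE))
```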