Audit Users exceeded Alert for CloudSOC Tenant
Article ID: 233961


Products

CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

If the total number of Audit Users/IP Addresses exceeds 1.8 million, the client may receive an email alert from CloudSOC:

Audit Users Alert for tenant :  EXAMPLE.COM

Dear Team,

This is to notify that total number of audit users count is: 1511410

If the total number of Audit Users/IP Addresses exceeds two million, the client may receive an email alert, a banner is displayed in the console, and new Audit Users/IP Addresses are displayed as "Unknown".

Banner displayed when Audit Users exceed two million (screenshot not included):

Cause

The alert is the result of Audit changes implemented in CloudSOC in Jan/Feb 2022:

The Audit module sends alert emails when a tenant is about to reach the 2 million Audit user limit. If the limit is breached, new users are displayed as "unknown", and the Audit module displays a banner to alert administrators that the 2 million user limit has been breached.



Resolution

Some possible ways for the client to reduce Audit Users/IPs:

  1. Adjust the Data Sources (logs feeding CloudSOC Audit) so they provide user names instead of IP addresses.

  2. Work around the firewall or proxy limitation:

    1. Use an IP-to-User mapping file for Symantec PSG and Cisco ASA firewalls. SpanVA looks up the IP in the proxy or firewall log against the mapping file to get the user. Dynamic infrastructure requires more care to make sure the mapping file is updated before the audit log is processed. See: Identity mappings documentation.

    2. Configure SpanVA to use WMI to query AD to resolve which user is tied to an IP address. See: IP to user documentation.

  3. Audit Log retention can be decreased from the default 12 months to get below the user threshold, which removes the older data; then set it back to the appropriate time-frame. (This will have to be repeated as needed.) See the CloudSOC Settings / Privacy tab to adjust Audit Log retention (default retention is 12 months).

  4. If WSS is used, verify that the option to get the username has not been turned off in WSS.
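The following added example (not CloudSOC's or SpanVA's own code) illustrates why an IP-to-user mapping lowers the distinct Audit User/IP count and how to check a count against the 1.8 million and 2 million thresholds described above. The log line and mapping file formats are assumptions for illustration, not the actual SpanVA or CloudSOC formats.

```python
"""Constructed example: apply an IP-to-user mapping to proxy log lines and
compare the resulting distinct identity count to the CloudSOC Audit thresholds.
Log and mapping formats are assumed, not CloudSOC's or SpanVA's real formats."""
from typing import Dict, Iterable, Set, Tuple

ALERT_THRESHOLD = 1_800_000   # email alert threshold stated in the article
HARD_LIMIT = 2_000_000        # banner + new users shown as "Unknown"


def parse_mapping(lines: Iterable[str]) -> Dict[str, str]:
    """Assumed mapping format: 'ip,username' per line; blanks and '#' comments ignored."""
    mapping: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, user = (part.strip() for part in line.split(",", 1))
        mapping[ip] = user
    return mapping


def resolve_identities(log_lines: Iterable[str], mapping: Dict[str, str]) -> Set[str]:
    """Assumed log format: whitespace-separated, field 0 = client IP,
    field 1 = username or '-' when the proxy/firewall could not identify the user.
    Unmapped IPs stay as bare IPs, each counting as a separate Audit 'user'."""
    identities: Set[str] = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed lines rather than counting garbage as a user
        ip, user = fields[0], fields[1]
        identities.add(user if user != "-" else mapping.get(ip, ip))
    return identities


def threshold_status(count: int) -> str:
    """Classify a distinct user/IP count against the article's thresholds."""
    if count > HARD_LIMIT:
        return "limit-breached"   # banner shown, new users displayed as "Unknown"
    if count > ALERT_THRESHOLD:
        return "alert"            # email alert may be sent
    return "ok"


def demo() -> Tuple[int, int]:
    """Constructed sample data: three IP-only log lines, two of them the same user."""
    log = ["10.0.0.5 - GET https://example.com/", "10.0.0.6 - GET https://example.com/",
           "10.0.0.7 - GET https://example.com/", "10.0.0.5 alice GET https://example.com/"]
    mapping = parse_mapping(["# ip,user", "10.0.0.5,alice", "10.0.0.6,alice"])
    return len(resolve_identities(log, {})), len(resolve_identities(log, mapping))
```

Running `demo()` shows four distinct identities without the mapping (three IPs plus "alice") collapsing to two once the mapping resolves the IPs.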

Reference: Users labeled as suppressed in reports


Additional Information