Archive - Tech Doc now exists:
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/audit-home/opening-audit/viewing-and-filtering-audit-results/viewing-services-users-and-destinations.html
Superseded by Tech Doc:
If the total number of Audit Users/IP Addresses exceeds 1.8 million, the client may receive an email alert from CloudSOC.
Audit Users Alert for tenant : ABCD.COM
Dear Team, This is to notify that total number of audit users count is: 1511410
If the total number of Audit Users/IP Addresses exceeds two million, the client may get an email alert, see a banner displayed, and see new Audit Users/IP Addresses displayed as "Unknown".
Banner displayed if Audit Users exceed two million:
The alert is the result of Audit changes implemented in CloudSOC Jan/Feb 2022:
The Audit module now sends alert emails when tenants are about to reach the 2 million Audit user limit. If the limit is breached, new users are displayed as "unknown". The Audit module will display a banner to alert administrators if the 2 million user limit is breached.
Some possible ways for the client to reduce Audit Users/IPs:
1. Adjust Data Sources (logs feeding CloudSOC Audit) so they provide user names instead of IP addresses.
2. Work around the firewall or proxy limitation:
3. Decrease Audit Log retention from the default 12 months to get below the user threshold, which removes the older data, and then set it back to the appropriate time frame. (This will have to be repeated as needed.) See the CloudSOC Settings / Privacy tab to adjust Audit Log retention. (Default retention is 12 months.)
4. If WSS is used, verify that the option to get the username has not been turned off in WSS.
Reference: https://knowledge.broadcom.com/external/article/168513/users-labeled-as-suppressed-in-reports.html
Palo Alto logs are a good example of firewall or proxy logs that provide an IP address but are unable to provide a user. In that case CloudSOC is unable to determine a specific user to reference.
CloudSOC 3.143.0 Release Notes:
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/release-notes/CloudSOC-release-notes/cloudsoc-3143-rn.html