Audit Users exceeded Alert for CloudSOC Tenant


Article ID: 233961




CASB Audit, CASB Security Advanced, CASB Security Premium, CASB Security Standard



If the total number of Audit Users/IP Addresses exceeds 1.8 million, the client may receive an email alert from CloudSOC:

Audit Users Alert for tenant :  ABCD.COM

Dear Team,

This is to notify that total number of audit users count is: 1511410

If the total number of Audit Users/IP Addresses exceeds two million, the client may receive an email alert, see a banner displayed, and see new Audit Users/IP Addresses displayed as "Unknown".

Banner displayed when Audit Users exceed two million:


The alert is the result of Audit changes implemented in CloudSOC Jan/Feb 2022:

The Audit module will now send alert emails when tenants are about to reach the 2 million Audit user limit. If the limit is breached, new users are displayed as "unknown". The Audit module will display a banner to alert administrators if the 2 million user limit is breached.


Some possible ways for Client to reduce Audit Users/IPs:

1. Adjust Data Sources (logs feeding CloudSOC Audit) so they provide user names instead of IP addresses.

2. Work around the firewall or proxy limitation:

  • Use an IP-to-user mapping file for Symantec PSG and Cisco ASA firewalls. SpanVA looks up the IP from the proxy or firewall log in the mapping file to get the user. Dynamic infrastructure requires more care to make sure that the mapping file is updated before the audit log is processed. See the Identity mappings documentation.
  • Configure SpanVA to use WMI to query AD to resolve which user is tied to an IP address. See the IP to user documentation.

3. Decrease Audit Log retention from the default 12 months to get below the user threshold; this removes the older data. Retention can then be set back to the appropriate time frame. (This will have to be repeated as needed.) See the CloudSOC Settings / Privacy tab to adjust Audit Log retention.


4. If WSS is used, verify that the option to get the username has not been turned off in WSS.
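
An added example, not Broadcom or CloudSOC code: a way to estimate from a log sample how many distinct Audit identities it would produce before and after IP-to-user mapping (options 1 and 2 above), and to compare a count with the 1.8 million and two million thresholds. The `src_ip,user` log layout and the `ip,user` mapping layout are constructed for illustration and are not SpanVA's file formats; counting each unresolved IP as one Audit user is an assumption based on the article's "Audit User/IP Addresses" wording.

```python
import csv
import io

WARN_LIMIT = 1_800_000   # email alert threshold stated in the article
HARD_LIMIT = 2_000_000   # above this, new identities show as "Unknown"

# Constructed sample data (hypothetical layouts, not real SpanVA formats).
SAMPLE_LOG = """src_ip,user
10.0.0.5,alice
10.0.0.6,-
10.0.0.7,-
10.0.0.6,-
10.0.0.8,
"""
SAMPLE_MAP = """ip,user
10.0.0.6,bob
10.0.0.7,alice
"""

def load_mapping(text):
    """Parse the constructed 'ip,user' mapping into a dict."""
    return {r["ip"].strip(): r["user"].strip()
            for r in csv.DictReader(io.StringIO(text))}

def audit_identities(log_text, mapping=None):
    """Return (identities, unmapped_ips) for the constructed log layout.

    A row with a user name counts as that user. A row without one counts
    as its IP address unless the mapping resolves that IP to a user.
    """
    mapping = mapping or {}
    identities, unmapped = set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        ip, user = row["src_ip"].strip(), row["user"].strip()
        if user in ("", "-"):          # log source supplied no user name
            user = mapping.get(ip, "")
        if user:
            identities.add(("user", user))
        else:
            identities.add(("ip", ip))
            unmapped.add(ip)           # still counted as its own identity
    return identities, unmapped

def status(count):
    """Classify an identity count against the article's two thresholds."""
    if count > HARD_LIMIT:
        return "over limit"
    return "alert range" if count > WARN_LIMIT else "ok"

if __name__ == "__main__":
    before, _ = audit_identities(SAMPLE_LOG)
    after, unmapped = audit_identities(SAMPLE_LOG, load_mapping(SAMPLE_MAP))
    print(len(before), "->", len(after), status(len(after)), sorted(unmapped))
```

The list of unmapped IPs shows which log sources or address ranges still need a mapping entry or a user-aware data source.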




Additional Information

Palo Alto logs are a good example of firewall or proxy logs that provide an IP address but are unable to provide a user. In that case, CloudSOC is unable to determine a specific user to reference.

CloudSOC 3.143.o Release Notes: