Generating an alert when Cloud SWG admin disables a WSS Agent


Article ID: 267552


Products

Web Protection Suite

Issue/Introduction

Cloud SWG administrators have the ability to temporarily disable WSS Agents via the Portal.

For auditing purposes, Cloud SWG administrators need to receive a corresponding alert whenever any Cloud SWG admin disables any WSS Agent in the environment.

Is it possible to trigger an alert whenever a Cloud SWG admin from the member firm disables a WSS Agent from the console?

Environment

Cloud SWG Portal.

WSS Agent disable operation.

Cause

The required alert cannot be triggered from the Portal itself.

Resolution

To generate an alert for this condition, download the audit logs using the Cloud SWG audit API and have the SIEM alert when the disable condition is reported.

Audit logging is enabled on the Cloud SWG side by default. The SIEM can collect these logs and scan them for specific conditions (for example, the ‘disabled until’ message shown in the audit log example below, where a WSS Agent was disabled) before generating an alert.
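As an added example (not from this article and not Broadcom's own code), the following Python script shows the kind of SIEM-side check the resolution describes: it scans exported audit entries for the ‘disabled until’ marker and raises one alert per match, skipping malformed lines rather than failing the collector. The ‘timestamp | admin | message’ layout and the sample entries are constructed assumptions; the real export from the Cloud SWG audit API may differ, so adjust parse_line to match it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of audit log entries (layout assumed for this example;
# the real Cloud SWG audit export may differ). Per the article, the
# 'disabled until' phrase is the marker that a WSS Agent was disabled.
SAMPLE_AUDIT_LOG = """\
2024-05-01T10:02:11Z | admin@example.com | Policy 'Default' saved
2024-05-01T10:05:43Z | admin@example.com | WSS Agent for user jdoe disabled until 2024-05-01T12:05:43Z
2024-05-01T10:07:02Z | auditor@example.com | Logged in
2024-05-01T11:15:30Z | admin2@example.com | WSS Agent for user asmith disabled until 2024-05-02T11:15:30Z
2024-05-01T11:20:00Z | admin@example.com | WSS Agent for user jdoe re-enabled
"""

# Case-insensitive and whitespace-tolerant so small wording changes in the
# message do not silently break the alert; captures the 'until' timestamp.
DISABLE_MARKER = re.compile(r"disabled\s+until\s+(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class DisableAlert:
    timestamp: str  # when the disable was recorded
    admin: str      # which Cloud SWG admin performed it
    until: str      # how long the agent stays disabled
    message: str    # original audit message for the analyst


def parse_line(line: str) -> Optional[List[str]]:
    """Split one 'timestamp | admin | message' entry; None if malformed."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3 or not all(parts):
        return None
    return parts


def find_disable_events(audit_text: str) -> List[DisableAlert]:
    """Return one alert per audit entry that records a WSS Agent disable."""
    alerts: List[DisableAlert] = []
    for raw in audit_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # blank or malformed line: skip, do not abort the scan
        ts, admin, msg = parsed
        match = DISABLE_MARKER.search(msg)
        if match:
            alerts.append(DisableAlert(ts, admin, match.group(1), msg))
    return alerts


if __name__ == "__main__":
    for a in find_disable_events(SAMPLE_AUDIT_LOG):
        print(f"ALERT {a.timestamp}: {a.admin} disabled a WSS Agent until {a.until}")
```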