
Sheriff CSM™

Monitor User Activities

Every Sheriff CSM user, regardless of role, has access to the following information:
  • My Profile

    Includes basic settings about a user, such as login name, user name, email, language, time zone, and password. All users can change their profile as described in Update Your User Profile.

  • Current Sessions

    Displays users that are currently logged into the system. Admins (including default admin) can see sessions for all users, while normal users can see only their own account.

    Current Sessions page from Settings.

  • User Activity

    Displays user activity. Default admin can see activity of all users, while admins and normal users can only see activity of users belonging to the same entity.

    User Activity page

User Activity Configuration

By default, Sheriff CSM monitors all user activities, including any sessions or configurations created, deleted, or modified by admins or users. This may be helpful for PCI Compliance requirement 10.2.3, Access to all audit trails.

If you do not want Sheriff CSM to monitor all user activity, you can fine-tune the user activity parameters.

To review and/or adjust user activity parameters
  1. Go to Configuration > Administration > Main and expand User Activity.

    User Activity page from Administration.

  2. Modify the values you want to change. See the table below for reference.

  3. Apply your changes by clicking Update Configuration.

Configurable Session Parameters

| Parameter | Value | Description |
|---|---|---|
| Session Timeout (minutes) | Any integer | Configures web session timeout in minutes. Note: Default is 15 min. 0 means the session does not time out. |
| User Life Time (days) | Any integer | Configures number of days a user account is active. Note: Default is blank, or 0 days, which means the account does not expire. |
| Enable User Log | Yes/No | Controls whether or not user activity should be logged. Default is Yes. |
| Log to syslog | Yes/No | Determines whether or not to send user activity to syslog. Default is No. |
| Send anonymous usage statistics and system data to Sheriff to improve Sheriff CSM. | Yes/No | Opts into or out of telemetry data collection. Default is No. To learn more about this option, see What Is Telemetry Collection and How Does It Work. |

Turning User Activities into Events

If you want to see user activities as events in Sheriff CSM, Sheriff provides a plugin to turn user activities into events, so that you can manage them together with other security events.

This feature is only available for Sheriff CSM All-in-One and Sheriff CSM Deputy.

To turn user activities in Sheriff CSM into events
  1. In the Sheriff CSM web UI, go to Configuration > Administration > Main and expand User Activity.

  2. If it is not already set, set Log to syslog to Yes.

  3. Go to Configuration > Deployment > Components > Sheriff Center.

  4. Open the instance you want to configure.

  5. Click Deputy Configuration.

  6. Click Collection.

  7. Select av-useractivity-syslog in the Plugins available column and click the plus sign (+) to add it to the Plugins enabled column.

    Note: You may see a similar plugin named av-useractivity, which is the predecessor of av-useractivity-syslog and will be deprecated in the future.

  8. Click Apply Changes.

Events generated by the av-useractivity plugin will now show up as User Activity events under Analysis > Security Events (SIEM).
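
The following is an added example, not Sheriff's own code: a small Python check that applies the parameter semantics from the Configurable Session Parameters table to values copied from the User Activity panel and reports the settings that weaken session control or audit coverage. The dictionary keys, the function name audit_user_activity, and the 15-minute and 365-day ceilings are assumptions of this example.

```python
# Added example: audit values copied from the User Activity panel.
# Dict keys mirror the UI labels; both ceilings are assumed local policy.
MAX_IDLE_MINUTES = 15   # assumption; equal to the product default
MAX_ACCOUNT_DAYS = 365  # assumption


def _check_limit(name, raw, ceiling, findings):
    """Flag 0/blank (unlimited) and values outside 1..ceiling."""
    text = str(raw).strip()
    value = int(text) if text else 0  # blank is treated like 0
    if value == 0:
        findings.append((name, "0 or blank: no limit is enforced"))
    elif value < 0 or value > ceiling:
        findings.append((name, f"{value} is outside 1..{ceiling}"))


def _is_yes(raw):
    return str(raw).strip().lower() == "yes"


def audit_user_activity(settings, want_events=True):
    """Return (parameter, finding) tuples; an empty list means no findings."""
    findings = []
    _check_limit("Session Timeout (minutes)",
                 settings.get("Session Timeout (minutes)", 15),
                 MAX_IDLE_MINUTES, findings)
    _check_limit("User Life Time (days)",
                 settings.get("User Life Time (days)", ""),
                 MAX_ACCOUNT_DAYS, findings)
    if not _is_yes(settings.get("Enable User Log", "Yes")):
        findings.append(("Enable User Log", "user activity is not logged"))
    # The av-useractivity-syslog procedure starts by setting this to Yes.
    if want_events and not _is_yes(settings.get("Log to syslog", "No")):
        findings.append(("Log to syslog", "No: activity is not sent to syslog"))
    return findings


# Constructed samples: the documented defaults and a tightened profile.
DEFAULTS = {"Session Timeout (minutes)": "15", "User Life Time (days)": "",
            "Enable User Log": "Yes", "Log to syslog": "No"}
HARDENED = {"Session Timeout (minutes)": "15", "User Life Time (days)": "90",
            "Enable User Log": "Yes", "Log to syslog": "Yes"}

if __name__ == "__main__":
    for label, profile in (("defaults", DEFAULTS), ("hardened", HARDENED)):
        print(label, audit_user_activity(profile))
```

Pass want_events=False when user activities are not being turned into events, so that Log to syslog set to No is not reported.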
Topic revision: r9 - 20 Jan 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.