Per an old question on here (User Activity through Qualys API), Qualys updated the API to expose the activity logs.
Anyone using the api to route this data to a SIEM or dropping it to local disk and running scripts on it to review activity logs? If so, what kind of monitors/checks/alerts are you doing?
Just thinking off the top of my head, I think the following would be interesting to put monitors around:
- Odd login times
- Bulk deletes
- Bulk edits of AGs
- Bulk uninstalls
- Bulk purges
Just wanted to start a discussion and see if anyone else is doing this. Thinking about putting some time towards doing this and just curious if anyone else has already gone this path and had ideas they could share.
Thank you!
D
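As an added illustration of the monitors listed above (not code from the original post or from Qualys), the following script parses activity-log rows and flags two of them: logins outside business hours and bursts of the same destructive action by one user. The sample rows are constructed, and the column header is an assumption about the CSV layout of the activity log export; adjust it to match your actual export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; the header is an ASSUMED layout for the activity log CSV export.
SAMPLE_CSV = """Date,Action,Module,Details,User Name,User Role,User IP
2024-03-04T09:12:03Z,login,auth,user logged in,alice,Manager,10.0.0.5
2024-03-04T09:30:00Z,delete,asset_group,AG Finance removed,alice,Manager,10.0.0.5
2024-03-04T02:47:10Z,login,auth,user logged in,bob,Manager,10.0.0.9
2024-03-04T02:48:01Z,delete,asset_group,AG Lab-1 removed,bob,Manager,10.0.0.9
2024-03-04T02:48:20Z,delete,asset_group,AG Lab-2 removed,bob,Manager,10.0.0.9
2024-03-04T02:48:41Z,delete,asset_group,AG Lab-3 removed,bob,Manager,10.0.0.9
2024-03-04T02:49:05Z,delete,asset_group,AG Lab-4 removed,bob,Manager,10.0.0.9
2024-03-04T02:49:30Z,delete,asset_group,AG Lab-5 removed,bob,Manager,10.0.0.9
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC treated as normal login hours
BULK_THRESHOLD = 5              # this many same-type actions by one user ...
WINDOW = timedelta(minutes=10)  # ... inside this window raises a bulk alert
BULK_ACTIONS = {"delete", "purge", "uninstall"}

def parse_log(text):
    """Parse the CSV export, attach a datetime to each row, sort by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["Date"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])

def odd_logins(rows):
    """Logins whose hour falls outside BUSINESS_HOURS -> (user, timestamp)."""
    return [(r["User Name"], r["ts"].isoformat()) for r in rows
            if r["Action"] == "login" and r["ts"].hour not in BUSINESS_HOURS]

def bulk_actions(rows):
    """Sliding window per (user, action) stream -> (user, action, burst start)."""
    streams = defaultdict(list)
    for r in rows:
        if r["Action"] in BULK_ACTIONS:
            streams[(r["User Name"], r["Action"])].append(r["ts"])
    alerts = []
    for (user, action), times in streams.items():
        i = 0
        while i + BULK_THRESHOLD <= len(times):
            if times[i + BULK_THRESHOLD - 1] - times[i] <= WINDOW:
                alerts.append((user, action, times[i].isoformat()))
                i += BULK_THRESHOLD   # skip past this burst, one alert per burst
            else:
                i += 1
    return alerts
```

Run the same two functions over each pull from the API (or over the file dropped to disk) and forward anything returned to the SIEM; bulk AG edits would be a third stream keyed on the edit action name your export uses.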
Have not gotten that far yet. I seem to recall having some sample API code that got the user list out of Qualys along with other criteria like last login, etc. I can't recall off the top of my head looking at doing something for logs.
If there is an API for that then I see you pumping that out to something like Splunk and then firing events if certain criteria are met. You could also do this with any other scripting like PowerShell or Go or something.
If you are interested I will poke around and see if I find an API for the logs and what I can do with it.
David