Is it possible to create a user watchlist so I can keep track of any suspicious or anomalous behavior on a user's account?
Hello @vpolius,
Good question. We could benefit from this kind of capability too.
I think there is no built-in functionality for this atm. But we could make a custom SIEM rule which looks for a filtered list of users (related.users is one of ...) in the SIEM alert indices.
If any alert contains related.users with one of these users, it should trigger an alert. (It won't work with threshold rules though, I think.)
Willem
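
A sketch of the approach described in the reply above, as an added example that is not part of the original thread or Elastic's own code: it builds the KQL clause for a custom query rule from a watchlist and applies the same match to constructed alert documents. The helper names, sample alerts and watchlist are assumptions; the field name is used as written in the reply.

```python
FIELD = "related.users"  # field name as written in the reply above


def kql_for_watchlist(users, field=FIELD):
    """Build a KQL clause of the form field: ("u1" or "u2"), quoting each value."""
    cleaned = sorted({u.strip() for u in users if u and u.strip()})
    if not cleaned:
        # An empty list must never turn into a rule that matches every alert.
        raise ValueError("watchlist is empty; refusing to build a rule query")
    quoted = ['"' + u.replace("\\", "\\\\").replace('"', '\\"') + '"' for u in cleaned]
    return f"{field}: ({' or '.join(quoted)})"


def field_values(doc, dotted):
    """Read a field stored nested ({'related': {'users': ..}}) or as a flattened key."""
    if dotted in doc:
        value = doc[dotted]
    else:
        value = doc
        for part in dotted.split("."):
            if not isinstance(value, dict) or part not in value:
                return []
            value = value[part]
    return value if isinstance(value, list) else [value]


def watchlist_hits(alerts, users, field=FIELD):
    """Return (alert id, matched users) for every alert naming a watched user."""
    # Case-folded for local triage; a keyword field in Elasticsearch matches
    # case-sensitively, so the rule query needs the exact casing that is indexed.
    watched = {u.strip().lower() for u in users if u and u.strip()}
    hits = []
    for alert in alerts:
        matched = sorted({str(v) for v in field_values(alert, field) if str(v).lower() in watched})
        if matched:
            hits.append((alert.get("_id"), matched))
    return hits


# Constructed sample alert documents and watchlist (not real data).
SAMPLE_ALERTS = [
    {"_id": "a1", "related": {"users": ["jdoe", "svc-backup"]}},
    {"_id": "a2", "related.users": "ASmith"},
    {"_id": "a3", "related": {"users": ["guest"]}},
    {"_id": "a4", "host": {"name": "ws-01"}},
]
WATCHLIST = ["jdoe", "asmith"]

if __name__ == "__main__":
    print(kql_for_watchlist(WATCHLIST))
    print(watchlist_hits(SAMPLE_ALERTS, WATCHLIST))
```
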