Channel: THWACK: Popular Discussions - Security Event Manager (SEM) - Formerly Log & Event Manager

FIM Alerts for PCI compliance


I am having difficulty finding information on what alerts need to be given from LEM to satisfy our auditors.  I am aware of what needs to be monitored and have my LEM setup for monitoring.  

It is the alerting I am having issues with. What alerts need to be given, specifically? I know any monitored file change, or read or write, or permission change, but that would be several thousand alerts a day.

As an example, I have a file server.  I have the FIM connector setup with the PCI template (C:\, Windows, System32 for ini, exe, dll, bat and such) C:\Program files and 2 directories which hold PCI data.  

Directory 1.) Holds credit card data. Auditors say we must monitor for all file reads, creates, writes and deletes and permission changes. Hundreds of FIM events per day just for this directory.

Directory 2.) Holds voice recording files. Auditors also say we must monitor for all file reads, creates, writes and deletes and permission changes. There is an automated process that downloads, extracts, then copies fresh voice files into the monitored directory. We are a call center; thousands of calls per day generate thousands of voice files. These files generate logs that the files are created first as .tmp files, then new permissions are assigned to them (inherited from directory permissions).

To make a long story short, the auditors only repeat like parrots all file reads, creates, writes and deletes must generate an alert and I have no idea what I can exclude and still keep them happy.  

I appreciate any direction on this, we are really stuck.


EZguine
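An added example, not part of the original post and not SolarWinds LEM/SEM code, of the triage approach that usually satisfies this kind of requirement: keep every FIM event in the log (the audit trail the auditors ask for), but raise real-time alerts only for events that fall outside the one known, expected pattern (the automated voice import creating .tmp files and then inheriting permissions). Events in the credit-card directory are never suppressed. The directory paths, service account name, process name and the sample events are all constructed for this illustration.

```python
"""
Added example (not from the original THWACK post or from LEM/SEM): separate the
expected file-integrity events of a known automated process from everything
else. Nothing is discarded: expected events are counted into a digest that can
be kept alongside the raw log, while only unexpected events become alerts.
Paths, account, process and events below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FimEvent:
    """One file-integrity event as a FIM connector typically records it."""
    path: str
    action: str        # read | create | write | delete | permission_change
    user: str
    process: str


# Hypothetical locations of the two PCI directories from the post.
VOICE_DIR = r"E:\Voice\Recordings"   # directory 2: voice recordings
CARD_DIR = r"E:\PCI\CardData"        # directory 1: credit card data

# Expected pattern of the automated import, as the post describes it:
# the import account creates a .tmp file, then permissions are assigned
# (inherited). Account and process name are hypothetical.
IMPORT_ACCOUNT = "SVC_VOICEIMPORT"
IMPORT_PROCESS = "voiceimport.exe"
IMPORT_ACTIONS = {"create", "permission_change"}


def is_expected_voice_import(ev: FimEvent) -> bool:
    """True only when every attribute matches the known import pattern.

    Any deviation (different account or process, a read/write/delete, a
    non-.tmp file, or anything in the card-data directory) is NOT expected
    and therefore alerts.
    """
    path = ev.path.lower()
    return (path.startswith(VOICE_DIR.lower())
            and path.endswith(".tmp")
            and ev.user == IMPORT_ACCOUNT
            and ev.process.lower() == IMPORT_PROCESS
            and ev.action in IMPORT_ACTIONS)


def triage(events):
    """Split events into real-time alerts and a per-(user, action) digest.

    Returns a dict with the alert list, the number of suppressed events and
    the digest Counter; the caller still writes all raw events to the log.
    """
    alerts = []
    digest = Counter()
    for ev in events:
        if is_expected_voice_import(ev):
            digest[(ev.user, ev.action)] += 1
        else:
            alerts.append(ev)
    return {"alerts": alerts, "suppressed": sum(digest.values()), "digest": digest}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    FimEvent(VOICE_DIR + r"\call001.tmp", "create", IMPORT_ACCOUNT, IMPORT_PROCESS),
    FimEvent(VOICE_DIR + r"\call001.tmp", "permission_change", IMPORT_ACCOUNT, IMPORT_PROCESS),
    # Same account but the wrong process: not the automated import, so alert.
    FimEvent(VOICE_DIR + r"\call001.tmp", "create", IMPORT_ACCOUNT, "explorer.exe"),
    # A person deleting a recording: alert.
    FimEvent(VOICE_DIR + r"\call002.wav", "delete", "jsmith", "explorer.exe"),
    # Any access to card data: alert, never suppressed.
    FimEvent(CARD_DIR + r"\cards.csv", "read", "jsmith", "excel.exe"),
    # The import account reading files is outside its expected actions: alert.
    FimEvent(VOICE_DIR + r"\call003.tmp", "read", IMPORT_ACCOUNT, IMPORT_PROCESS),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"{result['suppressed']} expected events summarised, "
          f"{len(result['alerts'])} alerts:")
    for ev in result["alerts"]:
        print(f"  ALERT {ev.action:17} {ev.user:16} {ev.process:16} {ev.path}")
    for (user, action), n in result["digest"].items():
        print(f"  DIGEST {user} {action}: {n}")
```

The point of the whitelist being this narrow is that it only removes events that are fully explained by the documented process; a change of account, process, action or file type in the same directory still alerts, and the digest counts give the auditor evidence that the suppressed events were logged and reviewed rather than dropped.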

