Include Ticket Number and Notes Info in SIEM Data

What is a one sentence summary of your feature request?

Include the Ticket Number and Notes as optional fields that can be passed to the SIEM server.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Our SOC team receives alerts anytime an account is added to certain privileged groups. Even when that action is performed by the service account with which NPS operates, they will sometimes reach out to that individual and ask for a justification if the elevation seems to be an anomalous event. If the Ticket Number and Notes fields were passed in the SIEM data, the SOC would already have this information bundled with the other activity; they could easily verify it with our ticketing system and could rest assured that this account activity was valid. While this scenario may be unique to our agency, the option to include this data with the SIEM information may be valuable to others as well.

How do you currently solve the challenges you have by not having this feature?

Each of our admins responds to our SOC’s inquiry with a ticket number or justification for having activated/elevated their account.