What is a one sentence summary of your feature request?
NPS-D Include persistence field from “Added new administrator” log
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
When we modify an existing admin’s persistence on a server, group or user, a log is generated and in SecOps we see the persistence was changed and for what user.
e.g.
    "message": "Modified administrator",
    "system": "xxxx",
    "createdBy": "user_making_the_change",
    "persistent": true,
    "user": {
        "cn": "admin_being_changed",
        "domain_fqdn": "domain.loc",
        "domain_netbios": "domain"
    …
However, if we add a new admin to a server and select persistent rather than Just-In-Time, then the log doesn’t specify the persistence set.
    "message": "Added new administrator",
    "system": "xxxx",
    "createdBy": "user_making_the_change",
    "user": {
        "cn": "admin_being_changed",
        "domain_fqdn": "domain.loc",
        "domain_netbios": "domain"
We use these logs to identify misuse of the product, and it would be really useful to have the “persistent” field added to the “Added new administrator” log.
How do you currently solve the challenges you have by not having this feature?
No way of currently knowing from these logs.
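
The gap described in this request, as an added example that is not part of the original post or the product's own code: a triage pass over these events that alerts on persistent grants and reports an "Added new administrator" event with no "persistent" field as unknown rather than treating it as Just-In-Time. It assumes newline-delimited JSON with the field names shown in the excerpts; the sample events, their values, and the function names classify and triage are constructed for illustration.

```python
import json

# Constructed sample events, one JSON object per line. Field names follow the
# excerpts in the post; hosts and users are placeholders.
SAMPLE_LOG = """\
{"message": "Modified administrator", "system": "srv01", "createdBy": "alice", "persistent": true, "user": {"cn": "bob", "domain_fqdn": "domain.loc", "domain_netbios": "domain"}}
{"message": "Modified administrator", "system": "srv01", "createdBy": "alice", "persistent": false, "user": {"cn": "carol", "domain_fqdn": "domain.loc", "domain_netbios": "domain"}}
{"message": "Added new administrator", "system": "srv02", "createdBy": "alice", "user": {"cn": "dave", "domain_fqdn": "domain.loc", "domain_netbios": "domain"}}
not-json line
"""

WATCHED = {"Modified administrator", "Added new administrator"}


def classify(event):
    """Return 'persistent', 'jit', 'unknown', or None for unrelated events."""
    if event.get("message") not in WATCHED:
        return None
    value = event.get("persistent")
    if value is True:
        return "persistent"
    if value is False:
        return "jit"
    # Field absent (the "Added new administrator" case in the post) or not a
    # boolean: do not guess, surface the event for manual review.
    return "unknown"


def triage(log_text):
    """Parse newline-delimited JSON and return findings for SecOps review."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            findings.append({"line": lineno, "verdict": "unparsed"})
            continue
        verdict = classify(event)
        if verdict in ("persistent", "unknown"):
            user = event.get("user") or {}
            findings.append({"line": lineno, "verdict": verdict,
                             "message": event["message"],
                             "system": event.get("system"),
                             "createdBy": event.get("createdBy"),
                             "cn": user.get("cn")})
    return findings
```

If the requested field is added to the "Added new administrator" event, the same classify function picks it up with no change.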