My team is looking for a SIEM and SEM looks promising. I see that it can pull logs & events from Windows nodes via agent. What kind of user activity would that agent be able to pull to send to SEM?
This is in an AD environment, domain-joined PCs. Would it only be able to capture logon/logoff events? Or can it report on what the user does on the local machine? Say changing the default web browser, installing some unwanted software, or even opening CMD or PowerShell? Some of these PCs are shared, so I can't depend on the InsertionIP or DetectionIP as seen in the demos, so I want to be able to trace user activity back to the user who did it, basically non-repudiation.
It's hard to describe the anomalous behavior, but basically we want to catch it if it happens. Am I asking for too much here? Please let me know. Thanks.
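Added example, not part of the original post and not tied to any particular SIEM product: the shared-PC attribution the question asks about is carried by the Windows Security log itself, independent of source IP. Event 4688 (process creation, emitted only when the "Audit Process Creation" advanced audit policy is enabled; the CommandLine field is filled in only when the "Include command line in process creation events" policy is also on) names the account and the Logon ID that launched the process, and event 4624 ties that Logon ID to the logon session (logon type, workstation). Joining the two on (Computer, Logon ID) gives per-user attribution even when several people use the same machine. The events below are constructed sample data in the Windows Event XML format an agent forwards; the hostnames, users, logon IDs and timestamps are made up, and the function names are this example's own.

```python
"""Attribute Windows process-creation events (4688) to the logon session that
started them (4624). Sample events below are constructed, not real captures."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events in Windows Event XML form. Host, users, SIDs and
# logon IDs are invented. Two users share LAB-PC01; a SYSTEM-launched process
# is included to show a 4688 whose logon session (0x3e7) has no 4624 in scope.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T08:00:00Z"/>
<Computer>LAB-PC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetLogonId">0x3e7a1</Data><Data Name="LogonType">2</Data>
<Data Name="WorkstationName">LAB-PC01</Data><Data Name="IpAddress">-</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID><TimeCreated SystemTime="2024-05-01T09:15:00Z"/>
<Computer>LAB-PC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetLogonId">0x5b220</Data><Data Name="LogonType">7</Data>
<Data Name="WorkstationName">LAB-PC01</Data><Data Name="IpAddress">-</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T09:16:30Z"/>
<Computer>LAB-PC01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">bob</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x5B220</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T08:05:10Z"/>
<Computer>LAB-PC01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x3e7a1</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\msiexec.exe</Data>
<Data Name="CommandLine">msiexec.exe /i C:\\Users\\alice\\Downloads\\tool.msi /qn</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data></EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><TimeCreated SystemTime="2024-05-01T08:00:05Z"/>
<Computer>LAB-PC01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">LAB-PC01$</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="CommandLine"></Data>
<Data Name="ParentProcessName">C:\\Windows\\System32\\services.exe</Data></EventData></Event>""",
]

# Processes worth flagging on an end-user PC; extend to taste.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_event(xml_text):
    """Flatten one Windows Event XML record into a dict of System + EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[data.get("Name")] = data.text or ""
    return ev


def attribute_processes(events):
    """Join each 4688 to its 4624 via (Computer, Logon ID). Logon IDs are hex
    strings whose case varies between the two event types, so normalise them."""
    sessions = {}
    for ev in events:
        if ev["EventID"] == 4624:
            sessions[(ev["Computer"], ev["TargetLogonId"].lower())] = ev
    results = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        logon = sessions.get((ev["Computer"], ev["SubjectLogonId"].lower()))
        exe = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        results.append({
            "time": ev["Time"],
            "host": ev["Computer"],
            # The 4688 Subject fields already carry the account; the 4624 join
            # adds how that session was established (logon type, workstation).
            "user": ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
            "logon_id": ev["SubjectLogonId"].lower(),
            "logon_type": logon["LogonType"] if logon else None,
            "process": ev["NewProcessName"],
            "command_line": ev.get("CommandLine", ""),  # empty unless the policy is on
            "parent": ev.get("ParentProcessName", ""),
            "interactive_shell": exe in INTERACTIVE_SHELLS,
        })
    return results


def attribute_sample_events():
    """Run the correlation over the constructed sample events."""
    return attribute_processes([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for r in attribute_sample_events():
        flag = " [interactive shell]" if r["interactive_shell"] else ""
        print(f'{r["time"]} {r["host"]} {r["user"]} (logon {r["logon_id"]}, '
              f'type {r["logon_type"]}) -> {r["process"]}{flag}')
```

The join works only when the agent forwards both event IDs from the same host, and a 4688 can legitimately arrive with no matching 4624 (service sessions such as 0x3e7 logged on at boot, or a session that began before collection started), so keep the unresolved case rather than dropping it. Logon type 7 in the sample is a screen unlock, which is the common case on a shared PC where the console session is already up.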