I am looking at LEM to fulfill the PCI DSS requirement 10. The auditing team has said that in the event of a breach we should be able to recreate all aspects of access. So we would want to know who, when, where, and what. I have only been using LEM for a few weeks and find the nDepth portion very complex to navigate and get the data I need. Are people using LEM for this recreation process?
Also can LEM serve to tell me when user accounts are beyond 90 days old without access? What kind of automation can I do with LEM that will allow daily review of logs? Also what kinds of alerting can be done with LEM?