Hi,

Auditing iManager with Sentinel is quite simple to set up, and at first sight it is simply working as designed, but when I was really testing the quality of the normalized events I got a different result!

When logging in to iManager I am receiving a normalized/parsed event where the event message tells me that there was a login for a certain user. That's what I did expect.

When I log out from iManager I am receiving a corresponding message as well!

But if I am providing wrong credentials (i.e. a valid username but a wrong password) I am getting the same message I received because of the successful login before. Even the severity is the same. I know that (at least for the most recent collector) there is another event property telling that there was a failed login, but I doubt that this is the expected result in a SIEM solution.

In case of a failed login, which can be configured in iManager as an individual Audit event, I would expect the severity to be higher and for sure a message telling me that there was an error.

I did not have the time to get through all the possible iManager audit events to see if those are parsed as expected so far, but I will try to do it ASAP!

By the way, I did get the same results, no matter which protocol I used (naudit, XDAS, CEF)!

I opened an SR regarding this fact, but so far I did not get any real feedback :-(

Kind regards,

Thorsten