SIEM Foundations: Implement Enrichment to Pull in Full User Name From AD


The Data Enrichment feature of the ESM allows you to enrich events with context that is not in the original event sent by the upstream data source, such as an email address, phone number, or host location information.  This data becomes part of the parsed event, and is stored with the event just like the original fields.  There are a wide range of uses for Data Enrichment.  In this example, we will use it to populate full user display names in Windows events.

In many enterprises, Windows login names can be difficult for people to parse.  There are a wide range of user name schemes that you might follow, and in many circumstances this results in user names that are random-looking strings of letters and numbers, or other strings that are difficult for a human operator to understand.  In this example of using enrichment, we will leverage AD lookups to add the full user name to Windows events.

To accomplish this, we will configure a two-column enrichment: it takes the Source User field from a Windows event, looks up that user's real name (display name) in Active Directory, and writes the display name back into the event.

To pull in the full user name and enrich events using Active Directory:

  1. Select System Properties/Data Enrichment, and click Add to create a new Data Enrichment.
  2. From the Data Enrichment Property of the ESM add a new data enrichment.
    1. Set the Lookup Type to String.
    2. Set the Enrichment Type to String.
    3. The Pull Frequency should be no more frequent than daily unless the local AD environment is updated much more frequently.
  3. Define the Active Directory (or LDAP) Source.  The username and password supplied must have read access to user objects in AD.
  4. Create the Query.
    1. The Lookup Attribute is sAMAccountName.
    2. The Enrichment Attribute is displayName.
    3. The simplest query would be (objectClass=person).  This query will return a list of all objects in AD which are classified as a person.  More complex queries can be used if a limited or different set of results is desired.
    4. A test of the above query returns the matching entries. The test function only returns a maximum of 5 values, regardless of the number of actual entries.  Click Next> once the query succeeds.
  5. Add a Destination.
    1. Click Add.
    2. Select an event source or sources for events that are to be enriched.  As a suggestion, select your MS Windows data sources.
    3. Select the Lookup Field. In this case it will be the Source User field. The lookup field is the value that exists in the event, which we will use as the index for our lookup.
    4. Select the Enrichment Field.  The Enrichment Field is the field where the enrichment value will be written to.  A good option here might be User_Nickname or Contact_Name.

  6. Click Finish to save.  Once the enrichment is complete, write the enrichment setting.
  7. After the enrichment settings are written to the devices, you must select Run Now or the enrichment values will not be retrieved from the data source until the ‘Daily Trigger Time’ value set in step 1 is reached.
  8. An event enriched as above will have the full name written into the Contact_Name field. (In step 4 the test returned the value eposa = ePO Service Account, and this is the value written to the event.)



To pull email address from userID you can use this LDAP query:


Not correct, because we have in AD the attribute "mail", which can be different.

Keep in mind, when following this documentation, that "Contact_Name" and "Destination User" both use the Event Field "Custom Field - 6". If you configure data enrichment to populate Contact_Name it will overwrite the value for Destination User. I discovered this while creating an Alarm to notify us when a user is added to or removed from a privileged group.

I hope this saves someone else some time.
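The following is an added example, not code from the article or from McAfee ESM. It models the two-column enrichment from the procedure above (sAMAccountName to displayName, filtered to objectClass=person, keyed on Source User) and the shared-storage problem raised in the comment above, where Contact_Name and Destination User are two names for the same "Custom Field - 6". The directory entries, events and the slot table are constructed; the storage slot for User_Nickname is a placeholder because the page does not state it. Nothing here talks to a real directory.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for the result set of the (objectClass=person) pull.
# Attribute names are real AD attribute names; all values are made up.
AD_ENTRIES: List[dict] = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "eposa", "displayName": "ePO Service Account",
     "userPrincipalName": "eposa@corp.example", "mail": "epo-alerts@example.com"},
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "jd7f2k", "displayName": "Jane Doe",
     "userPrincipalName": "jd7f2k@corp.example", "mail": "jane.doe@example.com"},
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "admin01", "displayName": "Alice Admin",
     "userPrincipalName": "admin01@corp.example", "mail": "alice.admin@example.com"},
    # Person with no displayName set: must not yield an empty enrichment value.
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@corp.example"},
    # Group object: excluded by the objectClass=person filter.
    {"objectClass": ["top", "group"], "sAMAccountName": "Domain Admins",
     "displayName": "Domain Admins"},
]


def build_lookup(entries: List[dict], lookup_attr: str = "sAMAccountName",
                 enrich_attr: str = "displayName",
                 required_class: str = "person") -> Dict[str, str]:
    """Build the column-1 -> column-2 table the pull would produce."""
    table: Dict[str, str] = {}
    for entry in entries:
        if required_class not in entry.get("objectClass", []):
            continue
        key, value = entry.get(lookup_attr), entry.get(enrich_attr)
        if not key or not value:
            continue  # skip entries that cannot populate both columns
        # sAMAccountName is case-insensitive in AD, but a Windows event carries
        # whatever case was typed at logon, so normalise the index.
        table[str(key).lower()] = str(value)
    return table


# Constructed slot table. The Contact_Name / Destination User pairing is taken
# from the comment above; the User_Nickname slot is a placeholder.
FIELD_SLOT: Dict[str, str] = {
    "Contact_Name": "Custom Field - 6",
    "Destination User": "Custom Field - 6",
    "User_Nickname": "PLACEHOLDER-SLOT-User_Nickname",
}


def fields_sharing_slot(enrichment_field: str) -> List[str]:
    """Other ESM field names stored in the same slot as enrichment_field."""
    slot = FIELD_SLOT[enrichment_field]
    return sorted(n for n, s in FIELD_SLOT.items() if s == slot and n != enrichment_field)


def enrich_events(events: List[dict], lookup: Dict[str, str],
                  lookup_field: str = "Source User",
                  enrichment_field: str = "Contact_Name") -> Tuple[List[dict], List[str]]:
    """Apply the enrichment. Writing a slot writes every name that maps to it,
    so a pre-existing value under an alias is clobbered; those are reported."""
    aliases = [enrichment_field] + fields_sharing_slot(enrichment_field)
    enriched, warnings = [], []
    for ev in events:
        ev = dict(ev)
        key = ev.get(lookup_field)
        value = lookup.get(str(key).lower()) if key else None
        if value is not None:
            for name in aliases:
                old = ev.get(name)
                if name != enrichment_field and old and old != value:
                    warnings.append(f"event {ev.get('id')}: {enrichment_field} overwrote {name}={old!r}")
                ev[name] = value
        enriched.append(ev)  # unmatched users leave the event untouched
    return enriched, warnings


# Constructed parsed events. Event 2 is the privileged-group-change case from
# the comment: the member being added sits in Destination User.
EVENTS: List[dict] = [
    {"id": 1, "Source User": "eposa", "Event Name": "Logon"},
    {"id": 2, "Source User": "ADMIN01", "Destination User": "jd7f2k",
     "Event Name": "A member was added to a security-enabled global group"},
    {"id": 3, "Source User": "nosuchuser"},
    {"id": 4, "Source User": "svc-backup"},
]

if __name__ == "__main__":
    lookup = build_lookup(AD_ENTRIES)
    for field in ("Contact_Name", "User_Nickname"):
        out, warns = enrich_events(EVENTS, lookup, enrichment_field=field)
        print(f"enrichment into {field}: shares slot with {fields_sharing_slot(field)}")
        for ev in out:
            print("  ", ev)
        for w in warns:
            print("   WARNING:", w)
```

Running it shows why the comment matters: with Contact_Name as the target, event 2 loses the added member's account ("jd7f2k") and its Destination User reads "Alice Admin" instead, which would make a privileged-group alarm report the wrong user. Choosing a field that shares no slot (User_Nickname in this model) keeps Destination User intact. Before committing an enrichment destination, check which other field names the ESM maps to the same custom field, as `fields_sharing_slot` does here.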


Thanks for pointing that out, docholliday.

How do you get the Destination User to show the full user name?

Many thanks,


Thanks so much for the information. I raised a case with McAfee and they were not able to find what was going wrong in our environment; after reading this document and your comments, I quickly checked the data enrichment and lo.... there it was, overwriting the Destination User field as you said.

I am so happy to have resolved this issue.

In our case, the "userPrincipalName" is the USERID@DOMAIN

As you stated, we have a "mail" attribute which has the correct email address for the users.

Version history
Revision #: 1 of 1
Last update: 08-10-2014 09:05 PM