Correlation Rule with Group by 2 Fields

Hi,

I have a question about correlations.

I want to correlate 2 events/rules within one rule, but I cannot group by the source user field, because the DC datasource provides the source user as, for example, "abc", while the EXCHANGE datasource provides it as "abc@bla.com". So I mapped the source user to a regex custom field named "step_name" and used it in my 2nd rule, whose datasource is EXCHANGE.

I've configured the sequence with 15 mins.

You can see a sample of the correlation:

Thanks for your support.

Note: I couldn't change the DC parsing (about mapping the "source user" to "Step_Name"), so I have to group by source user like "abc", not "abc@bla.com".

1 Solution

Accepted Solutions
xded
Level 12
Message 2 of 6

Re: Correlation Rule with Group by 2 Fields

Hi @mehmetemin ,

You can enrich your events by connecting your Domain Controller with the ESM; after this you can correlate on e-mail or something else.

Follow these steps.

1. Go to System Properties for ESM in the top right

2. In the new menu, go on the left side to Data Enrichment

3. Add

Tab: Main

  • Enrichment Name: Real_Name_from_User_ID
  • Enable: Yes
  • Lookup Type: String
  • Enrichment Type: String
  • Pull Frequency: Daily At Specified Time

Tab: Source

  • Type: LDAP
  • IP-Address: IP address of the AD server
  • Username: Domain\user_id
  • Password: The Password

Tab: Query

  • Lookup Attribute: sAMAccountName (or you can use the e-mail address, but I don't know this AD attribute. This is an example for the real name from the AD)
  • Enrichment Attribute: displayName
  • Query:
    • (objectClass=person) (

Tab: Destination

  • Add
  • Choose the Receiver
  • Lookup Field: Source User
  • Enrichment Field: Contact_Name
  • OK

After this you can group by Contact_Name (e-mail address) in your correlation.
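To make the approach from the question and the accepted answer concrete, here is an added example (not from the thread and not McAfee ESM code). A constructed in-memory table stands in for the Active Directory reached through the LDAP source tab; the LDAP filter is built from the page's `(objectClass=person)` query plus the `sAMAccountName` lookup attribute, with the lookup value escaped per RFC 4515 so an event's user name cannot alter the filter. `mail` is assumed as the standard AD attribute holding the e-mail address. Both DC events ("abc") and Exchange events ("abc@bla.com") are then reduced to one group-by key, and a 15-minute sequence rule is evaluated over constructed sample events.

```python
"""Enrich user identities from a directory lookup, then correlate DC and
Exchange events on the common key within a 15-minute window.
All data below is constructed for the example."""
from datetime import datetime, timedelta

# Constructed stand-in for AD: sAMAccountName -> attributes returned by the lookup.
DIRECTORY = {
    "abc": {"displayName": "Alice B. Carter", "mail": "abc@bla.com"},
    "dfg": {"displayName": "Dan F. Gray", "mail": "dfg@bla.com"},
}


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(sam_account_name):
    """Filter for the Query tab: person objects whose sAMAccountName matches."""
    return "(&(objectClass=person)(sAMAccountName=%s))" % ldap_escape(sam_account_name)


def enrich(user, attribute="mail"):
    """Return the enrichment attribute for a lookup key, or None if no match."""
    entry = DIRECTORY.get(user.lower())
    return entry[attribute] if entry else None


def normalize_user(event):
    """Produce the common group-by key (mail address) for both data sources."""
    user = event["source_user"]
    if event["datasource"] == "DC":
        return enrich(user)      # 'abc' -> 'abc@bla.com'
    return user.lower()          # Exchange already carries the mail address


def correlate(events, window=timedelta(minutes=15)):
    """Sequence rule: a DC event followed by an EXCHANGE event for the same
    key within `window`. Returns (key, dc_time, exchange_time) tuples."""
    hits = []
    pending = {}                 # key -> time of most recent DC event
    for ev in sorted(events, key=lambda e: e["time"]):
        key = normalize_user(ev)
        if key is None:          # user unknown to the directory: cannot group
            continue
        if ev["datasource"] == "DC":
            pending[key] = ev["time"]
        elif ev["datasource"] == "EXCHANGE" and key in pending:
            if ev["time"] - pending[key] <= window:
                hits.append((key, pending[key], ev["time"]))
                del pending[key]
    return hits


# Constructed sample events: one pair inside the window, one outside, one unmatched.
T0 = datetime(2020, 1, 1, 9, 0)
EVENTS = [
    {"datasource": "DC", "source_user": "abc", "time": T0},
    {"datasource": "EXCHANGE", "source_user": "abc@bla.com", "time": T0 + timedelta(minutes=5)},
    {"datasource": "DC", "source_user": "dfg", "time": T0},
    {"datasource": "EXCHANGE", "source_user": "dfg@bla.com", "time": T0 + timedelta(minutes=20)},
    {"datasource": "EXCHANGE", "source_user": "zzz@bla.com", "time": T0 + timedelta(minutes=1)},
]

if __name__ == "__main__":
    print(build_filter("abc"))
    for key, t_dc, t_ex in correlate(EVENTS):
        print("correlated", key, t_dc.time(), "->", t_ex.time())
```

Running the script prints the filter and a single correlated pair for abc@bla.com; the dfg pair falls outside the 15-minute window and the zzz Exchange event has no preceding DC event.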

5 Replies
Re: Correlation Rule with Group by 2 Fields

Hi @xded,

Thanks for your interest.

I've tried to do that, but my knowledge is not enough about

"

Tab Query

  • Lookup Attribute: sAMAccountName (or you can use the E-mail Address but i dont know this AD Attribute. This is a example for the realname from the AD)
  • Enrichment Attribute: displayName
  • Query:
    • (objectClass=person) ("

Could you explain this field, please? Thanks.

BR

xded
Level 12
Message 4 of 6

Re: Correlation Rule with Group by 2 Fields

Hi,

The "Lookup Attribute: sAMAccountName" is an Active Directory value; you can see these values if you connect your AD explorer tool to your AD.

The "Enrichment Attribute: displayName" is the SIEM field you want to fill up with the real name or e-mail or whatever. You can choose more than this field. More fields are in custom type in your SIEM.

The "Query: (objectClass=person)" is the exact query value for the AD attribute sAMAccountName, so if you want your e-mail from the AD you need another query for that. But I can't help you with that because each AD is different.

Re: Correlation Rule with Group by 2 Fields

Hi,

Thanks for your support.

BR.

xded
Level 12
Message 6 of 6

Re: Correlation Rule with Group by 2 Fields

You're welcome 😃
