
Data Enrichment with Hostnames

Hello,

I have found instructions on how to enrich data with a user's full name from Active Directory, but I'm struggling to find a way to enrich the data with hostnames. This is for the purpose of including hostnames for source IP addresses. I would like a new enrichment field to show the hostname of the source IP address the same way as in the screenshot below.

Does anyone have any ideas on how to do this?

Using SIEM 10.1

Thank you,

Chris

Reliable Contributor Peacekeeper

Re: Data Enrichment with Hostnames

You are not going to be able to enrich hostnames from AD using an IP address since it does not store that information in AD. However, if you have ePO in your environment you can use that to look up a hostname, username, system description, etc. and enrich data in the SIEM with those.

For your request of getting a hostname from an IP address, the query would look something like this:

"SELECT IPAddress, ComputerName FROM ePOComputerProperties"

Once you have that you can then use the source IP of an event to "guess" the hostname of the system. I often enrich MAC addresses, usernames (very useful for FW events that are not from a NGFW), and hostnames in a lot of my data sources. Obviously you need to be careful you do not enrich data that has more valid data already in it. For instance, you don't want to enrich a username on an AD event since that is a point of record for a login event. However, you may want to enrich the hostname of the AD event using the source IP so that it's easier for your SOC to attribute where a login failure is coming from.

Hope this helps.
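The enrichment the reply above describes, as an added example that is not part of the original thread or McAfee's own code: it runs the quoted ePO query against a constructed in-memory SQLite table standing in for the real ePO database (the computer rows and the events are constructed sample data), fills in a hostname for the source IP only where the event has none, and never touches a field the event source is the point of record for.

```python
import sqlite3

# The query quoted in the reply above, run against an ePO-like table.
EPO_QUERY = "SELECT IPAddress, ComputerName FROM ePOComputerProperties"
# Fields a source is the point of record for; these must never be enriched.
DO_NOT_ENRICH = {"ad": {"username"}}

# Constructed sample rows standing in for the real ePOComputerProperties table.
SAMPLE_COMPUTERS = [("10.0.0.5", "WS-FINANCE-01"), ("10.0.0.9", "SRV-DC-01")]
# Constructed sample events: two firewall events and one AD logon failure.
SAMPLE_EVENTS = [
    {"source": "firewall", "src_ip": "10.0.0.5"},
    {"source": "ad", "src_ip": "10.0.0.9", "username": "alice"},
    {"source": "firewall", "src_ip": "192.0.2.44"},  # no ePO record for this IP
]


def make_epo_db():
    """Build an in-memory SQLite stand-in for the ePO database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ePOComputerProperties (IPAddress TEXT, ComputerName TEXT)")
    conn.executemany("INSERT INTO ePOComputerProperties VALUES (?, ?)", SAMPLE_COMPUTERS)
    return conn


def build_lookup(conn):
    """Run the ePO query once and return an IP -> hostname map."""
    return {ip: name for ip, name in conn.execute(EPO_QUERY)}


def enrich_event(event, lookup, field="hostname"):
    """Return a copy of event with `field` filled from the lookup by source IP.

    Skip fields the source is authoritative for, never overwrite a value the
    event already carries, and tag added values as an IP-based guess.
    """
    enriched = dict(event)
    if field in DO_NOT_ENRICH.get(enriched.get("source"), ()) or enriched.get(field):
        return enriched
    name = lookup.get(enriched.get("src_ip"))
    if name is not None:
        enriched[field] = name
        enriched[field + "_source"] = "epo_ip_guess"
    return enriched


def enrich_all(events=SAMPLE_EVENTS):
    """Enrich every event with a hostname guessed from its source IP."""
    lookup = build_lookup(make_epo_db())
    return [enrich_event(e, lookup) for e in events]
```

The `hostname_source` tag is there so an analyst can tell an IP-based guess apart from a hostname the data source reported itself.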
