I have found instructions on how to enrich data with a user's full name from Active Directory, but I'm struggling to find a way to enrich the data with hostnames. This is for the purpose of including hostnames for source IP addresses. I would like a new enrichment field to show the hostname of the source IP address the same way as in the screenshot below.
Does anyone have any ideas on how to do this?
Using SIEM 10.1
You are not going to be able to enrich hostnames from AD using an IP address, since AD does not store that information. However, if you have ePO in your environment, you can use that to look up a hostname, username, system description, etc., and enrich data in the SIEM with those.
For your request of getting a hostname from an IP address, the query would look something like this:
"SELECT IPAddress, ComputerName FROM ePOComputerProperties"
Once you have that, you can then use the source IP of an event to "guess" the hostname of the system. I often enrich MAC addresses, usernames (very useful for FW events that are not from a NGFW) and hostnames in a lot of my data sources. Obviously you need to be careful you do not enrich data that has more valid data already in it. For instance, you don't want to enrich a username on an AD event, since that is the point of record for a login event. However, you may want to enrich the hostname of the AD event using the source IP so that it's easier for your SOC to attribute where a login failure is coming from.
Hope this helps.
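The lookup-and-enrich logic the answer above describes, as an added example that is not part of the original thread and not McAfee SIEM or ePO code. It stands in for the `SELECT IPAddress, ComputerName FROM ePOComputerProperties` query with a constructed row set (the `UserName` and `LastUpdate` columns and all IPs, hostnames and events are assumptions made up for the example), collapses duplicate IPs to the most recently updated row (DHCP reuses addresses), and applies the answer's caveat: a field that is the point of record for a data source (the username on an AD logon event) is never overwritten.

```python
"""Enrich events with hostname/username guessed from an ePO-style IP inventory.

Added example, not code from the original thread or from McAfee SIEM/ePO.
All data below is constructed for illustration.
"""
from datetime import datetime

# Constructed stand-in for the rows returned by
#   SELECT IPAddress, ComputerName FROM ePOComputerProperties
# UserName and LastUpdate are assumed extra columns for this example.
EPO_ROWS = [
    {"IPAddress": "10.1.2.15", "ComputerName": "WS-ALICE",
     "UserName": "alice", "LastUpdate": "2019-03-01T08:00:00"},
    # Same IP handed out again by DHCP a few days later: the newer row must win.
    {"IPAddress": "10.1.2.15", "ComputerName": "WS-BOB",
     "UserName": "bob", "LastUpdate": "2019-03-04T12:30:00"},
    {"IPAddress": "10.1.2.40", "ComputerName": "SRV-FILE01",
     "UserName": "admin", "LastUpdate": "2019-03-03T09:15:00"},
]

# Fields that are the point of record for a given event source and must not be
# touched by enrichment (the answer's example: username on an AD logon event).
PROTECTED_FIELDS = {"ad_logon": {"username"}}


def build_ip_lookup(rows, column):
    """Collapse inventory rows to one value per IP, keeping the most recently updated row."""
    latest = {}
    for row in rows:
        ip = row["IPAddress"]
        seen = datetime.fromisoformat(row["LastUpdate"])
        if ip not in latest or seen > latest[ip][1]:
            latest[ip] = (row[column], seen)
    return {ip: value for ip, (value, _) in latest.items()}


def enrich_event(event, lookups, ip_field="src_ip"):
    """Return a copy of event with lookup values filled in by its source IP.

    lookups maps an output field name to an {ip: value} dict. A field is only
    filled when it is not protected for this event source and is still empty;
    every filled field is recorded in enrichment_note so the SOC can see it is
    a guess from inventory rather than data the event itself carried.
    """
    enriched = dict(event)
    protected = PROTECTED_FIELDS.get(event.get("source"), set())
    ip = event.get(ip_field)
    for out_field, lookup in lookups.items():
        if out_field in protected or enriched.get(out_field):
            continue
        value = lookup.get(ip)
        if value:
            enriched[out_field] = value
            enriched.setdefault("enrichment_note", []).append(
                f"{out_field} guessed from ePO inventory by {ip_field}")
    return enriched


if __name__ == "__main__":
    lookups = {
        "src_hostname": build_ip_lookup(EPO_ROWS, "ComputerName"),
        "username": build_ip_lookup(EPO_ROWS, "UserName"),
    }
    # Constructed sample events: a plain firewall deny and an AD logon failure.
    events = [
        {"source": "firewall", "src_ip": "10.1.2.15", "action": "deny"},
        {"source": "ad_logon", "src_ip": "10.1.2.40",
         "username": "alice", "result": "failure"},
        {"source": "firewall", "src_ip": "192.168.99.9", "action": "deny"},
    ]
    for ev in events:
        print(enrich_event(ev, lookups))
```

The firewall event gets both a hostname and a username filled in; the AD logon event gets only the hostname, because its username is the point of record and is left as the event reported it; an IP with no inventory row is passed through unchanged, with no enrichment note.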