
Linking Source and Destination Users

Hey guys,

Just wondering if anyone has run into trying to link source and destination users within correlation rules. We have the following issue:

1. User's password is reset in AD. This generates an event with the interesting user in the destination user field.

2. That user then attempts a VPN login. This generates an event with the interesting user in the source user field.

Has anyone found a way to correlate these events based on the source/destination user? We are trying to resolve without needing to parse the source user into the destination field for the VPN event.

0 Kudos
1 Solution

Accepted Solutions
acommons
Level 10

Re: Linking Source and Destination Users

Make a small change to both rules and assign the usernames to an additional common field as well as the existing field, maybe something like Contact_Nickname. Do the match on this field in the rule.

This preserves the existing data but is still ugly.

0 Kudos
8 Replies

Re: Linking Source and Destination Users

Yeah, might give that a go, acommons. It would be nice if there were a usable field similar to "IP Address" which could match on either.

0 Kudos
acommons
Level 10

Re: Linking Source and Destination Users

I think that PER has been submitted by a few people including myself a few years ago.

Username is not the only item that can switch between source/destination or subject/object status so a more generic solution is needed.

0 Kudos
acommons
Level 10

Re: Linking Source and Destination Users

Check out the "Override Group by" option in the correlation rule definition.

It looks like it might do what you want without messing with the parser. It's documented in the Product Guide.

0 Kudos

Re: Linking Source and Destination Users

Hey acommons,

I couldn't find any reference to Group By override in either the 9.5 or 9.3 product guide.

I have tested this functionality and it doesn't appear to work (This was only tested on a Historical correlation engine, might work differently). I used the following to test and it did not correlate.

Correlation Rule Group By - Destination User

Event 1 - AD event with me as destination user

Event 2 - VPN event with me as source user (Group By override - Source User)

These two filters are within a sequential AND rule with 1 hit in 4 hours.

Is there anything you can see that I have missed?

0 Kudos
acommons
Level 10

Re: Linking Source and Destination Users

It's documented in the 9.6 Product Guide, link below.

McAfee KnowledgeBase -

Page 491.

Text shown below:

Override Group by
If you have set a correlation rule to group by a specific field, you can override one of the components
in the rule to match on a different field.

For example, if you set the Group by field in a correlation rule to Source IP, you can override a component
of the rule to use Destination IP. This means that all events have the same source IP except the events
that match the overridden component. Those events have the same destination IP as the source IP of
the other events. This feature is useful to look for one event going to a particular destination followed
by another event that originates from that destination.

Task
For details about product features, usage, and best practices, click ? or Help.
1 On the ESM console, click the Policy Editor icon.
2 Click Correlation in the Rule Types pane, select a rule, then click Edit | Modify.
3 Drag and drop the Match Component logic element in the Correlation logic area, then click the menu
icon, or click the menu icon of an existing Match Component element in the Correlation logic area.
4 Select edit, click Advanced Options, then select Override Group By and click Configure.
5 On the Configure Group By overrides page, select the override field, then click OK.
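To make the Product Guide text above concrete, and to show how it relates to the "common field" workaround in the accepted answer, here is an added Python model of a sequential correlation rule with a per-component Group By override. It is not McAfee ESM code and nothing from this thread; the event dictionaries, the field names (src_user, dst_user, contact_nickname), the signature strings and the sample events are all constructed for the example. The rule reproduces the OP's test: AD password reset (user in the destination field) followed by a VPN login (user in the source field) within 4 hours.

```python
"""Model of a sequential AND correlation rule with a Group By override.

Added example, not McAfee ESM code. Field names, signatures and the sample
events below are constructed so the AD-reset -> VPN-login case from the
thread can be reasoned about offline.
"""
from datetime import datetime, timedelta

# Constructed sample events. The same user is the destination user of the
# AD reset and the source user of the VPN login, as described in the question.
EVENTS = [
    {"ts": datetime(2024, 1, 1, 9, 0), "signature": "AD Password Reset",
     "src_user": "helpdesk01", "dst_user": "jsmith"},
    {"ts": datetime(2024, 1, 1, 9, 5), "signature": "VPN Login",
     "src_user": "jsmith", "dst_user": ""},
    {"ts": datetime(2024, 1, 1, 10, 0), "signature": "VPN Login",
     "src_user": "mjones", "dst_user": ""},           # no preceding reset
    {"ts": datetime(2024, 1, 1, 9, 0), "signature": "AD Password Reset",
     "src_user": "helpdesk01", "dst_user": "kwong"},
    {"ts": datetime(2024, 1, 1, 15, 0), "signature": "VPN Login",
     "src_user": "kwong", "dst_user": ""},            # 6h later: outside window
]

# Rule-wide Group By is Destination User; the VPN component overrides it to
# Source User, which is what the Product Guide excerpt describes.
RULE = {
    "group_by": "dst_user",
    "window": timedelta(hours=4),
    "components": [                                   # sequential AND, in order
        {"match": {"signature": "AD Password Reset"}},
        {"match": {"signature": "VPN Login"}, "override_group_by": "src_user"},
    ],
}

# Same rule with no override: the VPN event has an empty dst_user, so it can
# never join the group opened by the reset event.
RULE_NO_OVERRIDE = {
    "group_by": "dst_user",
    "window": timedelta(hours=4),
    "components": [
        {"match": {"signature": "AD Password Reset"}},
        {"match": {"signature": "VPN Login"}},
    ],
}

# Accepted-answer workaround: both parsers also copy the interesting user into
# one extra field, and the rule groups on that field instead.
RULE_COMMON_FIELD = {
    "group_by": "contact_nickname",
    "window": timedelta(hours=4),
    "components": RULE_NO_OVERRIDE["components"],
}


def with_common_field(event):
    """Emulate the parser change: prefer the destination user, fall back to
    the source user (assumed precedence; a real parser sets this per source)."""
    ev = dict(event)
    ev["contact_nickname"] = ev.get("dst_user") or ev.get("src_user")
    return ev


def group_key(event, rule, component):
    """Field this component contributes to the group key: the rule-wide
    Group By field unless the component overrides it."""
    field = component.get("override_group_by", rule["group_by"])
    return event.get(field)


def matches(event, component):
    return all(event.get(k) == v for k, v in component["match"].items())


def correlate(events, rule):
    """Return (key, [events]) for every group that completes the whole
    component sequence inside the rule's time window."""
    pending = {}   # key -> (index of next component expected, first ts, events seen)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for idx, comp in enumerate(rule["components"]):
            if not matches(ev, comp):
                continue
            key = group_key(ev, rule, comp)
            if not key:
                continue                              # empty field never groups
            if idx == 0:
                pending[key] = (1, ev["ts"], [ev])    # (re)open the sequence
            else:
                state = pending.get(key)
                if state is None or state[0] != idx:
                    continue                          # out of order for this key
                _, first_ts, seen = state
                if ev["ts"] - first_ts > rule["window"]:
                    del pending[key]                  # window expired, drop it
                    continue
                seen = seen + [ev]
                if idx == len(rule["components"]) - 1:
                    hits.append((key, seen))
                    del pending[key]
                else:
                    pending[key] = (idx + 1, first_ts, seen)
            break
    return hits


if __name__ == "__main__":
    print("override:", [k for k, _ in correlate(EVENTS, RULE)])
    print("no override:", correlate(EVENTS, RULE_NO_OVERRIDE))
    normalised = [with_common_field(e) for e in EVENTS]
    print("common field:", [k for k, _ in correlate(normalised, RULE_COMMON_FIELD)])
```

With the override in place only jsmith fires: mjones has no preceding reset and kwong's login falls outside the 4-hour window. Without the override the VPN event's empty destination user never joins the reset's group, which is the non-correlation the OP observed; the common-field version of the rule produces the same single hit as the override, which is why the two approaches are interchangeable apart from where the work is done (parser versus rule).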

Re: Linking Source and Destination Users

Awesome, didn't check that guide cos we are on 9.5.2. Have done some testing and Group By override does not appear to work in 9.5.2. I am going to raise an SR to confirm this with support.

0 Kudos