Rule Correlation for F5 logs by session ID

All the logs we get from F5 each carry a piece of info, but the one thing that is shared between the events is the external session ID. So we currently get an event when a user gets authenticated, then another event with the IP address, and then another event with the URL, but they all have the same external session ID. In order to create any type of alert based on multiple logins from the same source IP (or other alerts), these events need to be correlated into a single event. I'm not sure if this is the default out-of-the-box behavior for F5 and ESM, but I would think ESM should already be configured to correlate these events based on the session ID. How do I create a correlation rule that pulls the source user from one event, the source IP from another event, and auth or no auth from another event when they all share the same external session ID?

Thanks


3 Replies
xded
Level 12
Message 2 of 4

Re: Rule Correlation for F5 logs by session ID

Hi Justinrank,

If you add a new correlation rule, you have a field named "Group By". With this field you can correlate all events with the same session ID into one event. But you also need a correlation logic 😃, and this is a little bit tricky in this case.

Re: Rule Correlation for F5 logs by session ID

We have been able to get the correlation rule to pull in all the events with the same external session ID, but we need it to fill in the username from one of the events, then the source and destination IPs from another event, and so on, into the correlation event. Right now it is just adding the events and not populating the correlation event with the data from the other events. Is there an additional step we need to do to pull this data into the main event?

Thanks!
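Added example (not from this thread, and not McAfee ESM or F5 code): a small Python script that does outside the SIEM what xded's "Group By" rule and the reply above are asking for. It buckets events by external session ID, merges the user, source/destination IPs, auth result and URL from the separate events into one record per session, and then runs the "multiple logins from the same source IP" check against the merged records. The log lines are constructed to mimic the shape described in the thread (key=value pairs that share a session ID); the field names sid, user, src, dst, auth and url are assumptions for the example, not F5 APM's actual syslog format.

```python
"""Stitch events that share an external session ID into one record,
then alert on several distinct users authenticating from one source IP.

Added example. The sample log lines are constructed to resemble the
thread's description (one event carries the user, another the IPs,
another the auth result, another the URL); they are not real F5 or
McAfee ESM output, and the key names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events: every line carries sid=<session id> plus a
# different subset of fields, as the thread describes.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z f5 apm: sid=a1b2c3 user=alice
2024-05-01T10:00:01Z f5 apm: sid=a1b2c3 src=203.0.113.5 dst=10.0.0.10
2024-05-01T10:00:02Z f5 apm: sid=a1b2c3 auth=success
2024-05-01T10:00:03Z f5 apm: sid=a1b2c3 url=/portal/home
2024-05-01T10:00:05Z f5 apm: sid=d4e5f6 user=bob
2024-05-01T10:00:05Z f5 apm: sid=d4e5f6 src=203.0.113.5 dst=10.0.0.10
2024-05-01T10:00:06Z f5 apm: sid=d4e5f6 auth=success
2024-05-01T10:00:09Z f5 apm: sid=777888 user=carol
2024-05-01T10:00:09Z f5 apm: sid=777888 src=198.51.100.7 dst=10.0.0.10
2024-05-01T10:00:10Z f5 apm: sid=777888 auth=failure
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one line into (timestamp, {key: value}) for its key=value pairs."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV_RE.findall(rest))


def stitch_sessions(log_text):
    """Group events by session ID and merge their fields into one record.

    This is the 'Group By' step from the thread done by hand: the join key
    is the external session ID, and each session record accumulates the
    fields contributed by its individual events.
    """
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_event(line)
        sid = fields.pop("sid", None)
        if sid is None:
            continue  # no join key, so the event cannot be correlated
        rec = sessions.setdefault(
            sid, {"sid": sid, "first_seen": ts, "last_seen": ts, "events": 0}
        )
        rec["events"] += 1
        rec["last_seen"] = ts
        for key, value in fields.items():
            # First writer wins: a later event in the same session must not
            # be able to overwrite the user or source IP already recorded.
            rec.setdefault(key, value)
    return sessions


def multi_user_logins(sessions, threshold=2):
    """Return {src_ip: [users]} for IPs with >= threshold distinct users
    whose merged session record shows a successful authentication."""
    users_by_ip = defaultdict(set)
    for rec in sessions.values():
        if rec.get("auth") == "success" and "src" in rec and "user" in rec:
            users_by_ip[rec["src"]].add(rec["user"])
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= threshold
    }


if __name__ == "__main__":
    merged = stitch_sessions(SAMPLE_LOGS)
    for sid, rec in merged.items():
        print(sid, rec)
    print("alerts:", multi_user_logins(merged))
```

Two details carry over to a real correlation rule. Merging with "first writer wins" keeps a later event in the same session from replacing the user or source IP that the authentication event established, so the rule cannot be fed a second user field to confuse the alert. And the script keeps every session in memory forever; a production rule needs a time window (or an explicit session-end event) so that a recycled session ID from a later day is not merged into an old record.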

Accepted Solution
yd9038
Level 9
Message 4 of 4

Re: Rule Correlation for F5 logs by session ID

Justinrank,

I think I understand what you are trying to accomplish: you have two different events, one that provides the username and another that provides the assigned IP address, and the external session ID is the common denominator.

I'm not sure if the SIEM can correlate both events and provide all fields (session ID, IP address, username) in one event, but I believe F5 can do exactly that by using iRules. The iRule will do that correlation on the F5 and send the correlated event to the SIEM.
