I am trying to create a correlation rule from the F5 APM. In one log from F5 I do get Source IP and External Session ID and in another log I get the Source User and External Session ID. I am trying to create a rule where I can see Source IP and Source User. What is the best way to accomplish this in the Correlation Engine?
I think I understand what you are trying to accomplish; you have two different events, one that provides the username and another one that provides the assigned IP address; and the external session ID is the common denominator.
I'm not sure if SIEM can correlate both events and provide all fields (session ID, IP address, username) in one event, but I believe F5 can do exactly that, by iRules. The iRule will do that correlation on F5 and send the correlated event to SIEM.
There is a way you can do it in McAfee SIEM as well under policy editor where parsers are written. Choose the common denominator which is session ID in this case and use both the logs to fetch the two values IP address, username and map them in two different mapping under same parser. Now assign this parser to the data source and you must be fine.
Let me know how it went...