guillote
Level 9
Message 1 of 3

SIEM users parsers

Hello,

How should I configure SIEM in order to match different user name formats as the same user?

I would like to be able to correlate events from different data sources but same user, each data source logs the user name as:

- domain\usertest

- usertest@domain

- cn=usertest...

- usertest

Is SIEM able to realize that this is always the same user?

2 Replies
Former Member
Not applicable
Message 2 of 3

Re: SIEM users parsers

1. How to Write an ESM Custom Parser and Troubleshoot a Data Source (Product Documentation ID: PD24926)

2. Support statement for custom rules with SIEM (Technical Articles ID: KB84428)

3. How to use and modify SIEM parser rules (Technical Articles ID: KB82562)

Former Member
Not applicable
Message 3 of 3

Re: SIEM users parsers

The short answer to your question is "no": the SIEM won't be able to figure this out on its own, you will need to wrangle the data a bit.

You may accomplish this type of tracking by (1) parsing the data correctly or (2) enriching the data using the correct fields with an appropriate lookup table.

The fields that you're describing are likely from multiple disparate data sources that parse the user information into different fields. For example, your AD logs are likely parsing user name (domain\user) into the Source User field by default, while your e-mail addresses (from Exchange/FireEye/etc.) are likely parsing user name (user@domain) into the Destination User field. In these examples you could modify the AD log parser to match the domain and username separately with a regex of (?P<domain>[^\x5c]+)\x5c(?P<user>[^\s]+) and store the matched user name in a new Custom Field that is set up as a String (let's just call it UserName). The e-mail log parser could be modified to match username and domain separately with a regex of (?P<user>[^\x40]+)\x40(?P<domain>[^\s]+) and store the matched user into the Custom Field UserName. This way you may be able to pivot off of or correlate a malicious inbound e-mail with the same user going to a suspicious domain.

You could also perform data enrichment on the appropriate fields of those data sources using an LDAP query to pull back additional user information and then pivot or correlate off of the enriched data; however, we have had much greater success with parsing the information into the appropriate fields first.

As a note, be aware of case sensitivity when storing the fields; for example, if you did parse fields into UserName, please know that to the SIEM John.Smith@domain.com => John.Smith is not the same as domain\john.smith => john.smith.

I hope this helps get you headed in the right direction.

Best Regards,

Rorik
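As an added example (not part of the thread above and not McAfee ESM parser code), the normalization Rorik describes, carried out in Python outside the SIEM so the regexes and the case-sensitivity caveat can be checked against sample values before touching a parser rule. Python's (?P<name>...) named groups are the same syntax the reply uses. It goes a step beyond the reply: it handles all four formats from the original question (domain\user, user@domain, cn=user,..., and a bare user name), and it folds the differing domain spellings onto one DNS domain through a small lookup table, which stands in for the "appropriate lookup table" the reply mentions. The NETBIOS_TO_DNS map, the default domain and the event list are constructed for this example, not taken from any real environment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Named-group regexes in the same spirit as the ones in the reply above.
# \x5c is a backslash and \x40 is "@", written as escapes so they survive copy/paste.
DOMAIN_USER_RE = re.compile(r'^(?P<domain>[^\x5c\s]+)\x5c(?P<user>[^\s]+)$')
UPN_RE = re.compile(r'^(?P<user>[^\x40\s]+)\x40(?P<domain>[^\s]+)$')
# LDAP DN: the first cn= RDN is the user; the remaining RDNs become the "domain" part.
DN_RE = re.compile(r'^cn=(?P<user>[^,]+)(?:,(?P<domain>.+))?$', re.IGNORECASE)
BARE_RE = re.compile(r'^(?P<user>[^\s\x5c\x40=,]+)$')

# Constructed lookup table (assumption for this example): NetBIOS domain -> DNS domain.
NETBIOS_TO_DNS = {"corp": "corp.example"}


@dataclass(frozen=True)
class UserKey:
    """Hashable (user, domain) key that every raw format is reduced to."""
    user: str
    domain: Optional[str]


def _dns_domain(raw_domain: Optional[str], default_domain: Optional[str]) -> Optional[str]:
    """Reduce a NetBIOS name, a DNS name or the tail of an LDAP DN to one DNS domain."""
    if raw_domain is None:
        return default_domain
    d = raw_domain.casefold()
    dcs = re.findall(r'(?:^|,)\s*dc=([^,]+)', d)   # "ou=users,dc=corp,dc=example"
    if dcs:
        return ".".join(dcs)                        # -> "corp.example"
    return NETBIOS_TO_DNS.get(d, d)                 # "corp" -> "corp.example"


def normalize_user(raw: str, default_domain: Optional[str] = None) -> Optional[UserKey]:
    """Map the four formats from the question onto one UserKey.

    Returns None when the value matches none of them, so the caller can count
    unparsed values instead of silently correlating on junk.
    """
    value = raw.strip()
    for rx in (DOMAIN_USER_RE, UPN_RE, DN_RE, BARE_RE):
        m = rx.match(value)
        if m:
            break
    else:
        return None
    # Case-fold the user part: AD names are case-insensitive, but a SIEM string
    # field compares byte-for-byte, so John.Smith and john.smith would otherwise split.
    user = m.group("user").casefold()
    domain = _dns_domain(m.groupdict().get("domain"), default_domain)
    return UserKey(user, domain)


def same_user(a: str, b: str, default_domain: Optional[str] = None) -> bool:
    """True when two raw values normalize to the same non-empty key."""
    ka, kb = normalize_user(a, default_domain), normalize_user(b, default_domain)
    return ka is not None and ka == kb


# Constructed sample events (not from any real log): (data source, field, raw value).
SAMPLE_EVENTS = [
    ("windows-security", "source_user", r"CORP\John.Smith"),
    ("exchange",         "dest_user",   "john.smith@corp.example"),
    ("ldap",             "source_user", "cn=John.Smith,ou=Users,dc=corp,dc=example"),
    ("vpn",              "source_user", "JOHN.SMITH"),
    ("proxy",            "source_user", r"CORP\svc_backup"),
]


def correlate(events, default_domain: str = "corp.example"):
    """Group event sources by normalized user: {UserKey: [source, ...]}."""
    by_user = {}
    for source, _field, value in events:
        key = normalize_user(value, default_domain)
        if key is None:
            continue
        by_user.setdefault(key, []).append(source)
    return by_user


if __name__ == "__main__":
    for key, sources in correlate(SAMPLE_EVENTS).items():
        print(f"{key.user}@{key.domain}: {', '.join(sources)}")
```

The bare-name case only works because a default domain is supplied; in a multi-domain forest that assumption is wrong and the bare value should either be left unparsed or enriched from the data source's own domain field, which is the same "parse into the right field first" advice given in the reply.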
