1 Reply Latest reply on Sep 16, 2013 5:28 PM by acommons

    how to create alarms for a user that has multiple usernames across organisation.

    haroot

      Hi,

       

      We have a scenario where a user has multiple usernames across the organization, such as Windows ID, App ID, VPN ID etc. I need to create an alert/alarm on login scenarios such as login to a Windows DC and through SSL VPN at the same time. Since the user IDs are different, I cannot correlate based upon the user ID.

      I would like to know if anyone has used the String Normalization or Data Enrichment feature for any other scenario as well.

       

      It would be really great if you can share the details.

       

      Haroot

        • 1. Re: how to create alarms for a user that has multiple usernames across organisation.
          acommons

          We have a similar situation. So far we have identified 20 potential distinct aliases for each user, depending on the account type and the device/application generating the log. We have looked at resolving this with string normalisation, but it appears from our experimentation that string normalisation is always case sensitive, and the log entries can have mixed-case representations, making it impractical to use string normalisation to solve this issue.

          Case-insensitive filters are essential and should be the default in most searches unless you are 100% sure you know how the event source will handle the field you are filtering on.

           

          cheers,

          Andrew
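
The correlation discussed in this thread, as an added example that is not part of either post and is not code for any SIEM product: each account name is case-folded and mapped to one canonical identity before correlating, so a Windows DC login and an SSL VPN login by the same person match even when the aliases and their casing differ. The alias table, account names, event field names and the 5-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed alias table: every account name a person uses -> one identity.
ALIASES = {
    "CORP\\jsmith": "john.smith",
    "vpn-jsmith01": "john.smith",
    "app_js": "john.smith",
    "CORP\\mlee": "mary.lee",
    "vpn-mlee02": "mary.lee",
}
# Case-fold the keys once so lookups ignore how the log source cased the name.
ALIAS_INDEX = {alias.casefold(): ident for alias, ident in ALIASES.items()}


def canonical(username):
    """Return the canonical identity, or the case-folded name if unmapped."""
    key = username.strip().casefold()
    return ALIAS_INDEX.get(key, key)


def correlate(events, window=timedelta(minutes=5)):
    """Return (identity, earlier_event, later_event) for each pair of logins
    by one person from two different sources within `window`."""
    last_seen = {}  # identity -> {source: most recent event from that source}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ident = canonical(ev["user"])
        seen = last_seen.setdefault(ident, {})
        for src, prev in seen.items():
            if src != ev["source"] and ev["time"] - prev["time"] <= window:
                alerts.append((ident, prev, ev))
        seen[ev["source"]] = ev
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events with mixed-case usernames, as log sources emit them.
SAMPLE = [
    {"time": _t("2013-09-16 09:00:00"), "source": "windows_dc", "user": "corp\\JSmith"},
    {"time": _t("2013-09-16 09:02:30"), "source": "ssl_vpn", "user": "VPN-JSMITH01"},
    {"time": _t("2013-09-16 09:03:00"), "source": "ssl_vpn", "user": "vpn-mlee02"},
    {"time": _t("2013-09-16 11:00:00"), "source": "windows_dc", "user": "CORP\\MLee"},
]
```

Unmapped names fall back to their case-folded form, so a missing alias shows up as its own identity instead of silently matching another user.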