I am trying to enrich a data source to include a ‘username’, but I cannot see a way to do it natively in the SIEM. I am looking to see if anyone has a solution for this… I am monitoring an application which logs administrative actions. The environment has multiple hosts and multiple instances of the application for different clients (unique per host).
LOGON LOG DETAILS:
When an admin logs in, the application generates a unique (random) tracking ID and records that as the first line (as follows):
ACTIVITY LOG DETAILS:
When an admin user performs commands or actions, the application generates the following logs:
|61271||VIEWED USER 001||NevadaCorp01|
|61271||MODIFIED PASSWORD FOR 002||ZeusINC08|
|52120||ADDED 'string' to config.conf||NevadaCorp01|
I need a way for the SIEM to be able to enrich these subsequent interactions with the username. Is there any way to do this in the SIEM? Or should I just revert to exporting the data and using SQL?
Given the way enrichment works inside the SIEM, I think it will not be the solution.
The solution might be generating "Login" and "Activity" events containing the following information: TrackingID@host.
Then you can play with views to identify which users achieved on each of the hosts.
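To illustrate the TrackingID@host join suggested in the answer against the activity lines from the question, here is an added Python example (not code from either poster). The logon line layout (`|trackingID||LOGON <user>||host|`) is an assumption, since the original post does not show it, and the sample lines are constructed.

```python
import re

# Constructed sample logon lines. The question does not show the logon format,
# so this layout (|trackingID||LOGON <user>||host|) is an assumption.
LOGON_LINES = [
    "|61271||LOGON alice||NevadaCorp01|",
    "|61271||LOGON bob||ZeusINC08|",   # same tracking ID, different host/instance
    "|52120||LOGON carol||NevadaCorp01|",
]

# Activity lines as shown in the question, plus one constructed line
# whose tracking ID has no matching logon.
ACTIVITY_LINES = [
    "|61271||VIEWED USER 001||NevadaCorp01|",
    "|61271||MODIFIED PASSWORD FOR 002||ZeusINC08|",
    "|52120||ADDED 'string' to config.conf||NevadaCorp01|",
    "|99999||DELETED USER 003||NevadaCorp01|",
]

FIELD_RE = re.compile(r"^\|(?P<tid>\d+)\|\|(?P<msg>.*?)\|\|(?P<host>[^|]+)\|$")


def parse(line):
    """Split a pipe-delimited line into (tracking_id, message, host); None if malformed."""
    m = FIELD_RE.match(line.strip())
    return (m["tid"], m["msg"], m["host"]) if m else None


def build_session_map(logon_lines):
    """Map 'TrackingID@host' -> username. The host is part of the key because the
    tracking ID is only unique per application instance, not across hosts."""
    sessions = {}
    for line in logon_lines:
        parsed = parse(line)
        if parsed and parsed[1].startswith("LOGON "):
            tid, msg, host = parsed
            sessions[f"{tid}@{host}"] = msg.split(" ", 1)[1]
    return sessions


def enrich(activity_lines, sessions):
    """Attach the username to each activity event; 'unknown' when no logon was seen."""
    events = []
    for line in activity_lines:
        parsed = parse(line)
        if parsed:
            tid, msg, host = parsed
            key = f"{tid}@{host}"
            events.append({"key": key, "user": sessions.get(key, "unknown"), "action": msg})
    return events


if __name__ == "__main__":
    for event in enrich(ACTIVITY_LINES, build_session_map(LOGON_LINES)):
        print(event)
```

The "unknown" bucket is worth alerting on by itself: an administrative action with no preceding logon for that tracking ID on that host means either a log gap or activity outside an observed session.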