1 Reply Latest reply on Nov 28, 2014 9:26 AM by ksudki

    Request: help with Data Enrichment

    10100111001

      Goal:

Am trying to enrich a data source to include a ‘username’, but I cannot see a way to do it natively in the SIEM. Am looking to see if anyone has a solution for this… Am monitoring an application which logs administrative actions. The environment has multiple hosts and multiple instances of the application for different clients (unique per host).


      LOGON LOG DETAILS:

      When an admin logs in, the application generates a unique (random) tracking ID and records that as the first line (as follows):

      UserName    Tracking ID    HOST
      Jsmith      61271          NevadaCorp01
      Arogers     61271          ZeusINC08
      Bdurrent    52120          NevadaCorp01


      NOTES:

      1. The Tracking ID and HOST are the components which can be used to lookup a unique user.
      2. As in the example, two users may have the same ID on different hosts, which is why both columns must be referenced in a lookup.


      ACTIVITY LOG DETAILS:

      When an admin user performs commands or actions, the application generates the following logs:


      Tracking ID    ACTION                               HOST
      61271          VIEWED USER 001                      NevadaCorp01
      61271          MODIFIED PASSWORD FOR 002            ZeusINC08
      52120          ADDED 'string' to config.conf        NevadaCorp01


      I need a way for the SIEM to be able to enrich these subsequent interactions with the username. Is there any way to do this in the SIEM? Or should I just revert to exporting the data and using SQL?

        • 1. Re: Request: help with Data Enrichment
          ksudki

          Given the way enrichment works inside the SIEM, I think it will not be the solution.


          The solution might be generating "Login" and "Activity" events containing the following information: TrackingID@host.


          Then you can play with views to identify which users achieved on each of the hosts.


          Regards
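
The join that the question describes, and the TrackingID@host composite key that ksudki suggests, worked through in Python as an added example (not code from the thread, and not a SIEM product feature). It assumes the application writes one logon line per session (UserName, Tracking ID, HOST) and one activity line per command (Tracking ID, ACTION, HOST), exactly as in the two tables above; the sample lines are constructed from those tables, with one extra activity line whose tracking ID never appeared in a logon record so the unmatched case is visible. The function names and the comma-separated line format are assumptions for this example.

```python
"""Enrich admin activity records with the username from the matching logon record.

Added example, not from the thread or from any SIEM vendor. The lookup key is
(Tracking ID, HOST), because the same tracking ID can appear on two hosts for
two different users (61271 below). Sample log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data mirroring the two tables in the question.
LOGON_LOG = [
    "Jsmith,61271,NevadaCorp01",
    "Arogers,61271,ZeusINC08",
    "Bdurrent,52120,NevadaCorp01",
]
ACTIVITY_LOG = [
    "61271,VIEWED USER 001,NevadaCorp01",
    "61271,MODIFIED PASSWORD FOR 002,ZeusINC08",
    "52120,ADDED 'string' to config.conf,NevadaCorp01",
    "99999,DELETED USER 003,ZeusINC08",  # constructed: no logon record for this ID
]

SessionKey = Tuple[str, str]  # (tracking_id, host)


@dataclass
class EnrichedEvent:
    tracking_id: str
    host: str
    action: str
    username: Optional[str]  # None when no logon record matched

    @property
    def session(self) -> str:
        """Composite key in the TrackingID@host form suggested in the reply."""
        return f"{self.tracking_id}@{self.host}"


def build_session_table(logon_lines: List[str]) -> Dict[SessionKey, str]:
    """Map (tracking_id, host) -> username from the logon lines."""
    table: Dict[SessionKey, str] = {}
    for line in logon_lines:
        username, tracking_id, host = (f.strip() for f in line.split(",", 2))
        table[(tracking_id, host)] = username
    return table


def enrich(activity_lines: List[str], sessions: Dict[SessionKey, str]) -> List[EnrichedEvent]:
    """Attach the username to each activity line by looking up both key columns."""
    events: List[EnrichedEvent] = []
    for line in activity_lines:
        # Split from the right for HOST first so a comma inside ACTION cannot shift fields.
        head, host = line.rsplit(",", 1)
        tracking_id, action = head.split(",", 1)
        key = (tracking_id.strip(), host.strip())
        events.append(EnrichedEvent(key[0], key[1], action.strip(), sessions.get(key)))
    return events


def ambiguous_tracking_ids(sessions: Dict[SessionKey, str]) -> Set[str]:
    """Tracking IDs seen on more than one host: keying on the ID alone would misattribute these."""
    hosts_per_id: Dict[str, Set[str]] = {}
    for tracking_id, host in sessions:
        hosts_per_id.setdefault(tracking_id, set()).add(host)
    return {tid for tid, hosts in hosts_per_id.items() if len(hosts) > 1}


def unattributed(events: List[EnrichedEvent]) -> List[EnrichedEvent]:
    """Activity with no matching logon record; worth alerting on rather than silently dropping."""
    return [e for e in events if e.username is None]


if __name__ == "__main__":
    table = build_session_table(LOGON_LOG)
    for ev in enrich(ACTIVITY_LOG, table):
        print(f"{ev.session:<22} {ev.username or '<unknown>':<10} {ev.action}")
    print("IDs reused across hosts:", ambiguous_tracking_ids(table))
```

The same lookup expressed in the SIEM would need both columns in the enrichment key; a single-column key on the tracking ID would assign the ZeusINC08 password change to Jsmith instead of Arogers. Activity that matches no logon record (the constructed 99999 line) is returned with username None rather than discarded, since an admin action with no session start is itself worth a detection rule.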