2 Replies Latest reply on Sep 8, 2015 5:36 PM by acommons

    Source and Destination User Fields




      Is there is a plan to have a neutral User field in SIEM, apart from having Source User and Destination User? We have this for IP addresses though. There is a field called IP Address and this populates in both Source IP and Destination IP Watchlists (In filters). But same is not the case for Users, you can only use a source user watchlist when you select a source user field.


      Scenario - Create a correlation rule to trigger when a disabled account is used.

      So, for Windows event, the disabled account will be in destination user field. So I an alarm to update a watchlist which is defined with destination user field.

      Now, when I want to create the correlation rule, I should use the Source User in (Disabled_Accounts) watchlist. This does not populate because it is build for destination user field.