2 Replies Latest reply on Nov 2, 2015 1:05 PM by rorik.koster

    SIEM users parsers

    guillote

      Hello,

      How should I configure SIEM in order to match different user name formats as the same user?


      I would like to be able to correlate events from different data sources for the same user; each data source logs the user name as:

      - domain\usertest

      - usertest@domain

      - cn=usertest...

      - usertest


      Is SIEM able to realize that this is always the same user?

        • 1. Re: SIEM users parsers
          cbayless

          1. How to Write an ESM Custom Parser and Troubleshoot a Data Source (Product Documentation ID: PD24926)

          2. Support statement for custom rules with SIEM (Technical Articles ID: KB84428)

          3. How to use and modify SIEM parser rules (Technical Articles ID: KB82562)

          • 2. Re: SIEM users parsers
            rorik.koster

            The short answer to your question is "no": the SIEM won't be able to figure this out on its own; you will need to wrangle the data a bit.


            You may accomplish this type of tracking by (1) parsing the data correctly or (2) enriching the data using the correct fields with an appropriate lookup table.


            The fields that you're describing are likely from multiple disparate data sources that parse the user information into different fields.  For example, your AD logs are likely parsing the user name (domain\user) into the Source User field by default, while your e-mail addresses (from Exchange/FireEye/etc.) are likely parsing the user name (user@domain) into the Destination User field.  In these examples you could modify the AD log parser to match the domain and username separately with a regex of (?P<domain>[^\x5c]+)\x5c(?P<user>[^\s]+) and store the matched user name in a new Custom Field that is set up as a String (let's just call it UserName).  The e-mail log parser could be modified to match username and domain separately with a regex of (?P<user>[^\x40]+)\x40(?P<domain>[^\s]+) and store the matched user into the Custom Field UserName.  This way you may be able to pivot off of or correlate a malicious inbound e-mail with the same user going to a suspicious domain.


            You could also perform data enrichment on the appropriate fields of those data sources using an LDAP query to pull back additional user information and then pivot or correlate off of the enriched data; however, we have had much greater success with parsing the information into the appropriate fields first.


            As a note, be aware of case sensitivity when storing the fields; for example, if you did parse fields into UserName, please know that to the SIEM John.Smith@domain.com => John.Smith is not the same as domain\john.smith => john.smith.


            I hope this helps get you headed in the right direction.


            Best Regards,

            Rorik
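As an added example that is not part of the thread (neither the question nor either reply ships code), the normalization the second reply describes, written in Python so it can be run offline: the two regexes from the reply for domain\user and user@domain (\x5c is "\", \x40 is "@"), plus patterns for the cn=... and bare forms listed in the question, case-folding to address the John.Smith / john.smith caveat, and a NetBIOS-to-DNS lookup table standing in for the SIEM enrichment table the reply mentions. The NETBIOS_TO_DNS mapping, the source and field names, and the sample events are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed lookup table (an assumption for this example): maps the NetBIOS
# domain seen in domain\user logons to the DNS domain seen in UPNs and DNs.
# In the SIEM this would be the lookup table used for enrichment.
NETBIOS_TO_DNS = {"corp": "corp.example.com"}

# The four formats from the question. The first two mirror the regexes in the
# reply (\x5c is "\", \x40 is "@"); the DN and bare patterns are added here.
DOWN_LEVEL = re.compile(r"^(?P<domain>[^\x5c\s]+)\x5c(?P<user>\S+)$")
UPN = re.compile(r"^(?P<user>[^\x40\s]+)\x40(?P<domain>[^\x40\s]+)$")
DN = re.compile(r"^cn=(?P<user>[^,]+)(?P<rest>(?:,[^,]*)*)$", re.IGNORECASE)
DC_PART = re.compile(r"^\s*dc=(?P<label>.+?)\s*$", re.IGNORECASE)
BARE = re.compile(r"^[^\s\x40\x5c,=]+$")


def normalize_user(raw):
    """Parse one raw user-name string into a dict with lower-cased 'user',
    'domain' (DNS form, or None when the format carries none) and 'form'.
    Returns None when the string matches none of the four formats."""
    raw = raw.strip()
    m = DOWN_LEVEL.match(raw)
    if m:
        netbios = m.group("domain").lower()
        return {"user": m.group("user").lower(),
                "domain": NETBIOS_TO_DNS.get(netbios, netbios),
                "form": "down-level"}
    m = UPN.match(raw)
    if m:
        return {"user": m.group("user").lower(),
                "domain": m.group("domain").lower(),
                "form": "upn"}
    m = DN.match(raw)
    if m:
        # Rebuild the DNS domain from the dc= components, in order.
        labels = []
        for part in m.group("rest").split(","):
            dc = DC_PART.match(part)
            if dc:
                labels.append(dc.group("label").lower())
        return {"user": m.group("user").strip().lower(),
                "domain": ".".join(labels) if labels else None,
                "form": "dn"}
    if BARE.match(raw):
        return {"user": raw.lower(), "domain": None, "form": "bare"}
    return None


def same_principal(a, b):
    """Compare two raw spellings. 'strong' when user and DNS domain both agree,
    'weak' when the users agree but one side carries no domain (the bare or
    dc-less DN forms), None when they differ or either side is unparseable."""
    na, nb = normalize_user(a), normalize_user(b)
    if not na or not nb or na["user"] != nb["user"]:
        return None
    if na["domain"] and nb["domain"]:
        return "strong" if na["domain"] == nb["domain"] else None
    return "weak"


def correlate(events):
    """Group events (source, field, raw value) by normalized user name.
    Returns {user: sorted list of 'source.field=form'}; unparseable values
    land under the None key instead of being silently dropped."""
    groups = defaultdict(list)
    for ev in events:
        n = normalize_user(ev["value"])
        if n is None:
            groups[None].append(f'{ev["source"]}.{ev["field"]}=unparsed')
            continue
        groups[n["user"]].append(f'{ev["source"]}.{ev["field"]}={n["form"]}')
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample events: one person, four sources, four spellings, mixed
# case, plus a second user that must stay separate.
SAMPLE_EVENTS = [
    {"source": "ad", "field": "source_user", "value": r"CORP\UserTest"},
    {"source": "exchange", "field": "destination_user", "value": "UserTest@corp.example.com"},
    {"source": "ldap", "field": "source_user",
     "value": "CN=UserTest,OU=Users,DC=corp,DC=example,DC=com"},
    {"source": "vpn", "field": "source_user", "value": "usertest"},
    {"source": "proxy", "field": "source_user", "value": "John.Smith@corp.example.com"},
]

if __name__ == "__main__":
    for user, hits in correlate(SAMPLE_EVENTS).items():
        print(user, "->", hits)
```

The correlation key is the lower-cased user alone because two of the four formats carry no domain at all; same_principal makes that loss of information explicit by grading a match as weak when only one side names a domain, which is the check you want before treating a bare "usertest" from a VPN log as the same account as CORP\usertest in a multi-domain forest.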