3 Replies Latest reply on Sep 27, 2016 11:02 PM by yd9038

    Rule Correlation for F5 logs by session ID


      All the logs we get from F5 have a piece of info in each event, but the one thing that is shared is the external session ID. So we currently get an event when a user gets authenticated, then another event with the IP address, and then another event with the URL, but they all have the same external session ID. In order to create any type of alerts based on multiple logins from the same source IP or other alerts, these events need to be correlated into a single event. I'm not sure if this is the default out-of-the-box behavior for F5 and ESM, but I would think ESM should already be configured to correlate these events based on the session ID. How do I create a correlation rule to pull the source user from one event, source IP from another event, auth or no auth from another event when they all share the same external session ID?


        • 1. Re: Rule Correlation for F5 logs by session ID

          Hi Justinrank,

          If you add a new correlation rule, you have a field named "Group By". With this field you can correlate all events with the same session ID into one event. But you also need a correlation logic =) and this is a little bit tricky in this case.

          • 2. Re: Rule Correlation for F5 logs by session ID

            We have been able to get the correlation rule to pull in all the events with the same external session ID, but we need it to fill in the username from one of the events, then the source and destination IPs from another event, and so on into the correlation event. It is just adding the events and not populating the correlation event with the data from the other events. Are there additional steps we need to do to pull this data into the main event?



            • 3. Re: Rule Correlation for F5 logs by session ID


              I think I understand what you are trying to accomplish; you have two different events, one that provides the username and another one that provides the assigned IP address; and the external session ID is the common denominator.

              I'm not sure if SIEM can correlate both events and provide all fields (session ID, IP address, username) in one event, but I believe F5 can do exactly that, by iRules. The iRule will do that correlation on F5 and send the correlated event to SIEM.
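
The correlation discussed in this thread, sketched in Python as an added example; it is not part of any post and is neither ESM rule syntax nor an iRule. The event dictionaries and field names (`session_id`, `username`, `src_ip`, `auth_result`, `url`) are constructed for illustration and do not reproduce the real F5 log format. It merges the partial events that share a session ID into one record, sets aside sessions that are still missing a field, and then flags source IPs with successful logins for several users.

```python
from collections import defaultdict

# Constructed sample events (not real F5 output): each carries the shared
# session ID plus only one piece of the picture, as described in the thread.
SAMPLE_EVENTS = [
    {"session_id": "a1f3", "username": "alice"},
    {"session_id": "a1f3", "src_ip": "198.51.100.7"},
    {"session_id": "a1f3", "auth_result": "success"},
    {"session_id": "a1f3", "url": "/portal"},
    {"session_id": "b2e4", "src_ip": "198.51.100.7"},
    {"session_id": "b2e4", "username": "bob"},
    {"session_id": "b2e4", "auth_result": "success"},
    {"session_id": "c9d0", "username": "carol"},  # src_ip event never arrived
    {"session_id": "c9d0", "auth_result": "failure"},
]

# Fields a merged record must have before it can be used for alerting.
REQUIRED = ("username", "src_ip", "auth_result")


def correlate(events):
    """Group by session ID and merge the partial events into one record each."""
    sessions = defaultdict(dict)
    for ev in events:
        record = sessions[ev["session_id"]]
        for key, value in ev.items():
            record.setdefault(key, value)  # first value seen for a field wins
    complete, incomplete = {}, {}
    for sid, record in sessions.items():
        missing = [f for f in REQUIRED if f not in record]
        (incomplete if missing else complete)[sid] = record
    return complete, incomplete


def multi_user_sources(complete, threshold=2):
    """Source IPs with successful logins for >= threshold distinct users."""
    users_by_ip = defaultdict(set)
    for record in complete.values():
        if record["auth_result"] == "success":
            users_by_ip[record["src_ip"]].add(record["username"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= threshold}


if __name__ == "__main__":
    done, partial = correlate(SAMPLE_EVENTS)
    print("shared source IPs:", multi_user_sources(done))
    print("incomplete sessions:", sorted(partial))
```

Sessions left in the incomplete set are the case described in reply 2, where events are grouped but the combined record still lacks a field; they should be held until the missing event arrives or a timeout expires rather than alerted on.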