Make a small change to both rules and assign the usernames to an additional common field as well as the existing field, maybe something like Contact_Nickname. Do the match on this field in the rule.
This preserves the existing data but is still ugly.
Yeah might give that a go acommons, it would be nice if there were a usable field similar to "IP Address" which could match on either.
I think that PER has been submitted by a few people including myself a few years ago.
Username is not the only item that can switch between source/destination or subject/object status so a more generic solution is needed.
Check out the "Override Group by" option in the correlation rule definition.
It looks like it might do what you want without messing with the parser. It's documented in the Product Guide.
I couldn't find any reference to Group By override in either the 9.5 or 9.3 product guide.
I have tested this functionality and it doesn't appear to work (This was only tested on a Historical correlation engine, might work differently). I used the following to test and it did not correlate.
Correlation Rule Group By - Destination User
Event 1 - AD event with me as destination user
Event 2 - VPN event with me as source user (Group By override - Source User)
These two filters are within a sequential AND rule with 1 hit in 4 hours.
Is there anything you can see that I have missed?
It's documented in the 9.6 Product Guide, link below.
Text shown below:
Override Group by

If you have set a correlation rule to group by a specific field, you can override one of the components in the rule to match on a different field.

For example, if you set the Group by field in a correlation rule to Source IP, you can override a component of the rule to use Destination IP. This means that all events have the same source IP except the events that match the overridden component. Those events have the same destination IP as the source IP of the other events. This feature is useful to look for one event going to a particular destination followed by another event that originates from that destination.

For details about product features, usage, and best practices, click ? or Help.

1 On the ESM console, click the Policy Editor icon.
2 Click Correlation in the Rule Types pane, select a rule, then click Edit | Modify.
3 Drag and drop the Match Component logic element in the Correlation logic area, then click the menu icon, or click the menu icon of an existing Match Component element in the Correlation logic area.
4 Select edit, click Advanced Options, then select Override Group By and click Configure.
5 On the Configure Group By overrides page, select the override field, then click OK.
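To make the guide text above concrete, here is an added example (not from the guide or from ESM itself) that models the semantics of a Group By override in a small sequential-AND correlator: the rule groups on destination user, the second component is overridden to group on source user, and the constructed events reproduce the AD-then-VPN test described earlier in the thread. Field names, event layout and the 4-hour window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real ESM data). "alice" appears as the
# destination user of an AD event and later as the source user of a VPN event.
EVENTS = [
    {"ts": datetime(2024, 1, 1, 9, 0),  "type": "AD Logon",    "src_user": "svc-ad", "dst_user": "alice"},
    {"ts": datetime(2024, 1, 1, 10, 30), "type": "VPN Connect", "src_user": "alice",  "dst_user": ""},
    {"ts": datetime(2024, 1, 1, 9, 5),  "type": "AD Logon",    "src_user": "svc-ad", "dst_user": "bob"},
    {"ts": datetime(2024, 1, 2, 9, 0),  "type": "VPN Connect", "src_user": "bob",    "dst_user": ""},  # outside window
]

# Rule modelled on the thread: Group By = Destination User, 1 hit in 4 hours,
# second Match Component overridden to group on Source User.
RULE = {
    "group_by": "dst_user",
    "window": timedelta(hours=4),
    "components": [
        {"match": {"type": "AD Logon"},    "override_group_by": None},
        {"match": {"type": "VPN Connect"}, "override_group_by": "src_user"},
    ],
}

def component_matches(component, event):
    return all(event.get(k) == v for k, v in component["match"].items())

def group_key(rule, component, event):
    """Group-by value for this event under this component, honouring any override."""
    field = component["override_group_by"] or rule["group_by"]
    return event.get(field) or None   # empty field -> cannot join the group

def correlate(rule, events):
    """Sequential AND: each component matches in order, on the same key, within the window."""
    by_comp = []  # per component: key -> time-ordered matching events
    for comp in rule["components"]:
        bucket = {}
        for ev in sorted(events, key=lambda e: e["ts"]):
            key = group_key(rule, comp, ev) if component_matches(comp, ev) else None
            if key is not None:
                bucket.setdefault(key, []).append(ev)
        by_comp.append(bucket)
    hits = []
    for key, firsts in by_comp[0].items():
        for first in firsts:
            chain = [first]
            for bucket in by_comp[1:]:
                nxt = next((e for e in bucket.get(key, [])
                            if chain[-1]["ts"] < e["ts"] <= first["ts"] + rule["window"]), None)
                if nxt is None:
                    break
                chain.append(nxt)
            if len(chain) == len(rule["components"]):
                hits.append((key, chain))
    return hits
```

Removing the override from the second component makes the VPN event fall out of every group (its destination user is empty), so the same data yields no hit; that is the behaviour the override exists to fix.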
Awesome, didn't check that guide cos we are on 9.5.2. Have done some testing and Group By override does not appear to work in 9.5.2. I am going to raise an SR to confirm this with support.