5 Replies Latest reply on Aug 18, 2016 4:33 AM by xded

    Correlation Rule with Group by 2 Fields

    mehmetemin

      Hi,

      I have a question about correlations.


      I want to correlate 2 events/rules within one rule. But I cannot group by the source user field, because I have a DC datasource (the source user information comes as, for example, abc) and on the other hand an EXCHANGE datasource (the source user information comes as abc@bla.com). So I mapped the source user to a regex custom field named "step_name" and used it in my 2nd rule, whose datasource is EXCHANGE.

      I've configured the sequence with 15 mins.


      You can see a sample of the correlation:


      Thanks for your support.


      Note: I couldn't change the DC parsing (about mapping the "source user" to "Step_Name"), so I have to group by source user like "abc", not "abc@bla.com".

        • 1. Re: Correlation Rule with Group by 2 Fields
          xded

          Hi @mehmetemin ,


          You can enrich your events by connecting your Domain Controller to the ESM; after this you can correlate on e-mail or something else.

          Follow these steps.

          1. Go to System Properties for ESM in the top right

          2. In the new menu go on the left side to Data Enrichment

          3. Add

          Tab: Main

          • Enrichment Name: Real_Name_from_User_ID
          • Enable: Yes
          • Lookup Type: String
          • Enrichment Type: String
          • Pull Frequency: Daily At Specified Time


          Tab Source:

          • Type: LDAP
          • IP Address: IP address of the AD server
          • Username: Domain\user_id
          • Password: The Password


          Tab Query

          • Lookup Attribute: sAMAccountName (or you can use the e-mail address, but I don't know that AD attribute. This is an example for the real name from the AD)
          • Enrichment Attribute: displayName
          • Query:
            • (objectClass=person) (


          Tab Destination

          • Add
          • choose the Receiver
          • Lookup Field: Source User
          • Enrichment Field: Contact_Name
          • OK


          After this you can group by Contact_Name (e-mail address) in your correlation.

          • 2. Re: Correlation Rule with Group by 2 Fields
            mehmetemin

            Hi @xded,

            Thanks for your interest.

            I've tried to do that, but my knowledge is not enough about

            "

            Tab Query

            • Lookup Attribute: sAMAccountName (or you can use the e-mail address, but I don't know that AD attribute. This is an example for the real name from the AD)
            • Enrichment Attribute: displayName
            • Query:
              • (objectClass=person) ("

            Could you explain this field, please? Thanks.

            BR

            • 3. Re: Correlation Rule with Group by 2 Fields
              xded

              Hi mehmetemin,


              The "Lookup Attribute: sAMAccountName" is an Active Directory value; you can see these values if you connect your AD Explorer tool to your AD.

              The "Enrichment Attribute: displayName" is the SIEM field you want to fill up with the real name or e-mail or whatever. You can choose more than this field. More fields are in the custom type in your SIEM.

              The "Query: (objectClass=person)" is the exact query value for the AD attribute sAMAccountName, so if you want your e-mail from the AD you need another query for that. But I can't help you with that, because each AD is different.
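The two ideas in this thread (the original question's problem of a DC logging "abc" while Exchange logs "abc@bla.com", and xded's LDAP enrichment that fills a Contact_Name field so both event types can be grouped on the same key) can be shown end to end in a few lines. The block below is an added example written for this page; it is not McAfee ESM code and does not talk to an ESM or a real domain controller. The in-memory AD_DIRECTORY, the sample events, the timestamps and the field names (source_user, contact_name) are all constructed for illustration. The only real-world detail it relies on is standard LDAP syntax: an AND filter of the form (&(objectClass=person)(sAMAccountName=abc)) and RFC 4515 escaping of filter metacharacters, which matters because a lookup value taken from a log line must never be able to rewrite the filter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the LDAP enrichment source (not a real directory):
# sAMAccountName -> attributes the enrichment can pull.
AD_DIRECTORY = {
    "abc": {"mail": "abc@bla.com", "displayName": "Abc Example"},
    "eve": {"mail": "eve@bla.com", "displayName": "Eve Example"},
}

# Constructed sample events. DC events carry the bare account name,
# Exchange events carry the e-mail address, exactly the mismatch the thread describes.
DC_EVENTS = [
    {"src": "DC", "time": datetime(2016, 8, 18, 9, 0), "source_user": "abc"},
    {"src": "DC", "time": datetime(2016, 8, 18, 9, 2), "source_user": "dave"},  # not in AD_DIRECTORY
    {"src": "DC", "time": datetime(2016, 8, 18, 9, 30), "source_user": "eve"},
]
EXCHANGE_EVENTS = [
    {"src": "EXCHANGE", "time": datetime(2016, 8, 18, 9, 10), "source_user": "ABC@bla.com"},  # 10 min after DC
    {"src": "EXCHANGE", "time": datetime(2016, 8, 18, 9, 5), "source_user": "dave@bla.com"},
    {"src": "EXCHANGE", "time": datetime(2016, 8, 18, 9, 50), "source_user": "eve@bla.com"},  # 20 min after DC
]

# RFC 4515 escaping: these characters change the meaning of an LDAP filter,
# so a value lifted from an event must be escaped before it is interpolated.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(lookup_attribute: str, value: str) -> str:
    """Filter the enrichment would send for one lookup; objectClass=person is AND-ed in."""
    return f"(&(objectClass=person)({lookup_attribute}={ldap_escape(value)}))"


def enrich(events, directory, lookup_field="source_user",
           enrichment_attribute="mail", enrichment_field="contact_name"):
    """Fill enrichment_field from the directory entry whose sAMAccountName == event[lookup_field]."""
    out = []
    for ev in events:
        ev = dict(ev)
        entry = directory.get(ev.get(lookup_field, ""))
        if entry is not None:
            ev[enrichment_field] = entry[enrichment_attribute].lower()
        out.append(ev)
    return out


def correlation_key(ev):
    """Exchange already logs the address; DC events use the enriched field. Missing -> None."""
    if "@" in ev.get("source_user", ""):
        return ev["source_user"].lower()
    return ev.get("contact_name")


def sequence_hits(first_rule_events, second_rule_events, window=timedelta(minutes=15)):
    """Fire when a rule-2 event follows a rule-1 event for the same key within the window."""
    by_key = defaultdict(list)
    for ev in first_rule_events:
        key = correlation_key(ev)
        if key is not None:
            by_key[key].append(ev)
    hits = []
    for second in second_rule_events:
        key = correlation_key(second)
        for first in by_key.get(key, []):
            if timedelta(0) <= second["time"] - first["time"] <= window:
                hits.append((key, first["time"], second["time"]))
    return hits


def run_demo():
    dc = enrich(DC_EVENTS, AD_DIRECTORY)
    return sequence_hits(dc, EXCHANGE_EVENTS)


if __name__ == "__main__":
    print(build_filter("sAMAccountName", "abc"))
    for key, t1, t2 in run_demo():
        print(f"sequence hit for {key}: DC at {t1:%H:%M}, Exchange at {t2:%H:%M}")
```

Only the "abc" pair fires: "dave" has no directory entry, so the DC event never gets a contact_name and cannot be grouped with anything, and "eve" falls outside the 15-minute window. Events that fail enrichment are worth counting separately in a real deployment, since a silent lookup miss looks identical to "no matching activity".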

              • 4. Re: Correlation Rule with Group by 2 Fields
                mehmetemin

                Hi xded;

                Thanks for your support.

                BR.

                • 5. Re: Correlation Rule with Group by 2 Fields
                  xded

                  You're welcome =)