Correlation Problem for User Tracking - Need Help


I want to create a correlation rule for user tracking, and I need help doing this correlation. I created a rule, however it didn't work. I have summarized the case below with screenshots.

  • In this case there are 3 types of logs; the first and second are IIS logs (IISLog01 and IISLog02), the third is a security device log (FWLog).
  • What I want to do is:
    (IISLog01's "Source Translated Address" and IISLog02's "Attacker Address" are the same)
    (IISLog02's "Source User Name" and FWLog's "Source User Name" are the same)
    within 1 minute, and I want to see these logs in an active list under one correlated event.
  • I added screenshots of the rule that I wrote (I changed the IP addresses and names).
  • This query returns an empty result.
  • I aggregated only the fields that I used in the query, because there are lots of fields in the events. I also tried aggregating everything that I need, but the result didn't change.

Attachments: arcsightcase01.PNG, arcsightcase02.PNG, arcsightcase03.PNG
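The three-way join the post describes (IISLog01.sourceTranslatedAddress = IISLog02.attackerAddress, IISLog02.sourceUserName = FWLog.sourceUserName, all three events within one minute), written out as a plain Python reference implementation so the expected output can be checked against known inputs. This is an added example, not the poster's ArcSight rule and not ArcSight rule syntax; the event dictionaries, timestamps, and the field names `sourceTranslatedAddress`, `attackerAddress` and `sourceUserName` are constructed here to mirror the names in the question. It also includes a check that reports events missing a join field, since an empty or absent join field on any one of the three events is enough to make the match fail silently.

```python
from datetime import datetime, timedelta
from itertools import product

WINDOW = timedelta(minutes=1)

# Which field on each event type participates in the join (assumed names
# mirroring the question; not ArcSight's canonical field identifiers).
JOIN_FIELDS = {
    "IISLog01": ["sourceTranslatedAddress"],
    "IISLog02": ["attackerAddress", "sourceUserName"],
    "FWLog": ["sourceUserName"],
}

# Constructed sample events (not taken from the original post).
EVENTS = [
    # chain 1: full match within 45 seconds
    {"type": "IISLog01", "time": "2024-01-01 10:00:00", "sourceTranslatedAddress": "10.0.0.5"},
    {"type": "IISLog02", "time": "2024-01-01 10:00:20", "attackerAddress": "10.0.0.5", "sourceUserName": "alice"},
    {"type": "FWLog",    "time": "2024-01-01 10:00:45", "sourceUserName": "alice"},
    # chain 2: fields match, but the FW event arrives two minutes later (outside the window)
    {"type": "IISLog01", "time": "2024-01-01 11:00:00", "sourceTranslatedAddress": "10.0.0.9"},
    {"type": "IISLog02", "time": "2024-01-01 11:00:30", "attackerAddress": "10.0.0.9", "sourceUserName": "bob"},
    {"type": "FWLog",    "time": "2024-01-01 11:02:00", "sourceUserName": "bob"},
    # chain 3: address matches, but the user name on the FW event differs
    {"type": "IISLog01", "time": "2024-01-01 12:00:00", "sourceTranslatedAddress": "10.0.0.7"},
    {"type": "IISLog02", "time": "2024-01-01 12:00:10", "attackerAddress": "10.0.0.7", "sourceUserName": "carol"},
    {"type": "FWLog",    "time": "2024-01-01 12:00:20", "sourceUserName": "dave"},
]


def parse(events):
    """Return copies of the events with the time string parsed to datetime."""
    out = []
    for e in events:
        e = dict(e)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        out.append(e)
    return out


def missing_join_fields(events):
    """List (index, field) pairs for events whose join field is absent or empty.

    Any hit here explains an empty correlation result before looking at
    the join conditions or the time window.
    """
    problems = []
    for i, e in enumerate(events):
        for field in JOIN_FIELDS.get(e.get("type"), []):
            if not e.get(field):
                problems.append((i, field))
    return problems


def correlate(events, window=WINDOW):
    """Return one entry per (IISLog01, IISLog02, FWLog) triple that satisfies
    both equality conditions and whose three timestamps span at most `window`."""
    evs = parse(events)
    iis1 = [e for e in evs if e["type"] == "IISLog01"]
    iis2 = [e for e in evs if e["type"] == "IISLog02"]
    fw = [e for e in evs if e["type"] == "FWLog"]
    matches = []
    for a, b, c in product(iis1, iis2, fw):
        if a.get("sourceTranslatedAddress") != b.get("attackerAddress"):
            continue
        if b.get("sourceUserName") != c.get("sourceUserName"):
            continue
        times = [a["time"], b["time"], c["time"]]
        span = max(times) - min(times)
        if span > window:
            continue
        # The row that would populate the active list for the correlated event.
        matches.append({
            "address": a["sourceTranslatedAddress"],
            "user": b["sourceUserName"],
            "first": min(times),
            "last": max(times),
            "span_seconds": int(span.total_seconds()),
        })
    return matches


if __name__ == "__main__":
    print("events missing join fields:", missing_join_fields(EVENTS))
    for m in correlate(EVENTS):
        print(m)
```

Running it against the constructed events yields exactly one correlated entry (10.0.0.5 / alice, spanning 45 seconds); chain 2 is rejected by the window and chain 3 by the user-name condition. Feeding the real events that the rule is expected to match through `missing_join_fields` is a quick way to confirm that every event actually carries the field the rule compares.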