fabiomachadosan Absent Member.

Active Channel

Messrs. Good afternoon.

I have a problem generating information in the ArcSight tool: when I right-click on the Domain Controller connector and select the item "Create Channel With Filter", an "Active Channel" is generated, but no information appears in the field "Attacker User Name". How do I bring up this information?

Arcsight.jpg

Sincerely Yours

Jurgen
Visitor.

Re: Active Channel

hi fabio,

Look, add the field "target username"; it's in there.

Kind regards,

Jurgen

fabiomachadosan Absent Member.

Re: Active Channel

hi Jurgen

I want the Attacker User Name information to appear.

Fábio Sanches

yurlov.a Honored Contributor.

Re: Active Channel

Hi guys

Fabio, as I see it, you want the active channel to show AD information related to the account in the target username field (for example, the person's full name). In this case, you should use additional tools to export the AD info to a text file (for example, a script). Import this file via a file FlexConnector, create an active list with a rule to fix the AD info, and define a get_from_active_list variable.

ArcSight WinUnified reads logs from Windows Security Journal. You can't get this information [Attacker User Name] if it isn't there.

Alexander

fabiomachadosan Absent Member.

Re: Active Channel

hi Alexander

As in the attached image, the field (Attacker User Name) is blank, but some days ago there was information in this field; the evidence is attached to the receipt of the log above.

Note: My doubt is why the connector does not have this information when I run "Create Channel With Filter" and the "Active Channel" is generated, or where I can check the receipt of this log, or what parameter I can check to bring the information again.

Below is the information from the previous receipt of this information (Attacker User Name), and then it stopped bringing the information.

18/01/2015

Note: In the image below, the (Attacker User Name) information appears (includes red risk for account confidentiality).

Attacker username 2- .jpg

25/02/2015: after the date entered, the above information (Attacker User Name) will not appear any more.

Attacker username 1- .jpg

yurlov.a Honored Contributor.

Re: Active Channel

Hi Fabio

If you want to check whether the connector is bringing the information, make a report for the period 18/01/2015 - 25/01/2015. Then check the Windows Journal on the AD server. Maybe you will find the problem.

Alexander

fabiomachadosan Absent Member.

Re: Active Channel

Hi Alexander,

I'm thinking it may be another problem, because the connector does not bring the Attacker User Name information, and when I run a dashboard the Attacker User Name information appears.

The doubt is why the information does not appear on the connector and on the dashboard it appears.

jesbas Absent Member.

Re: Active Channel

Are you comparing the same event IDs?!?

I'm pretty sure event ID 4634 doesn't generate 'Attacker User Name'

fabiomachadosan Absent Member.

Re: Active Channel

Yup

I'm sure, as previously reported in the screenshots presented.

Regards
