Trusted Contributor.

Correlation Problem for User Tracking - Need Help


I want to create a correlation rule for user tracking, and I need help to do this correlation. I created a rule, however it didn’t work. I summarized the case below with screenshots.

  • In this case there are 3 types of logs; the first and second logs are IIS logs (IISLog01 and IISLog02), and the third log is a security device log (FWLog)
  • What I want to do is
    (IISLog01’s “source translated address” and IISLog02’s “Attacker Address” are the same)
    (IISLog02’s “Source User Name” and FWLog’s “Source User Name” are the same)
    within 1 minute, I want to see these logs in an active list under one correlated log.
  • I added screenshots of the rule that I wrote (I changed the IP addresses and names)
  • This query returns an empty result.
  • I aggregated only the fields that I used in the query because there are lots of fields in the events. I tried aggregating everything that I need, but the result didn’t change.

[Screenshots attached to the post: arcsightcase01.PNG, arcsightcase02.PNG, arcsightcase03.PNG]
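As an added illustration, not code from the post or from ArcSight, here is the three-way join the post describes written as a small Python script over constructed sample events. The field names are snake_cased versions of the ones quoted above, the window is 1 minute, and no ordering between the three events inside the window is enforced (an assumption). The near_misses helper is a diagnostic of my own: it separates "the join fields never agree" from "they agree but the events fall outside the window", which is exactly the distinction an empty result leaves open.

```python
"""Windowed three-way event correlation (added illustration; not ArcSight code).

Field names follow the ones quoted in the post (source translated address,
attacker address, source user name); all event records below are constructed.
"""
from datetime import datetime, timedelta


def ts(hhmmss):
    """Parse a constructed HH:MM:SS timestamp on a fixed sample date."""
    return datetime.strptime("2021-01-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not from the original post; the addresses come
# from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "IISLog01", "time": ts("10:00:00"),
     "source_translated_address": "203.0.113.10"},
    {"id": "e2", "type": "IISLog02", "time": ts("10:00:20"),
     "attacker_address": "203.0.113.10", "source_user_name": "alice"},
    {"id": "e3", "type": "FWLog", "time": ts("10:00:45"),
     "source_user_name": "alice"},
    # Same user, but 3 minutes later: outside the 1-minute window.
    {"id": "e4", "type": "FWLog", "time": ts("10:03:00"),
     "source_user_name": "alice"},
    # IISLog02 whose address has no matching IISLog01: must not correlate.
    {"id": "e5", "type": "IISLog02", "time": ts("10:00:30"),
     "attacker_address": "198.51.100.7", "source_user_name": "bob"},
]


def correlate(events, window=timedelta(minutes=1)):
    """Return one active-list style entry per (IISLog01, IISLog02, FWLog) triple
    whose join fields agree and whose timestamps all fall within `window`.
    Event order inside the window is not enforced (assumption)."""
    by_type = {}
    for ev in events:
        by_type.setdefault(ev["type"], []).append(ev)
    entries = []
    for e1 in by_type.get("IISLog01", []):
        addr = e1["source_translated_address"]
        for e2 in by_type.get("IISLog02", []):
            if e2["attacker_address"] != addr:
                continue  # first join condition fails
            user = e2["source_user_name"]
            for e3 in by_type.get("FWLog", []):
                if e3["source_user_name"] != user:
                    continue  # second join condition fails
                times = [e1["time"], e2["time"], e3["time"]]
                if max(times) - min(times) > window:
                    continue  # fields agree but the events are too far apart
                entries.append({
                    "address": addr,
                    "user": user,
                    "event_ids": (e1["id"], e2["id"], e3["id"]),
                    "first_seen": min(times),
                    "last_seen": max(times),
                })
    return entries


def near_misses(events, window=timedelta(minutes=1)):
    """Diagnostic: triples whose join fields agree but which fail only the time
    window. If correlate() is empty and this is not, the window (or clock skew
    between the log sources) is the problem rather than the field mapping."""
    wide = correlate(events, window=timedelta(days=3650))
    tight = {e["event_ids"] for e in correlate(events, window)}
    return [e for e in wide if e["event_ids"] not in tight]


if __name__ == "__main__":
    for entry in correlate(SAMPLE_EVENTS):
        print("correlated:", entry["event_ids"], entry["address"], entry["user"])
    for miss in near_misses(SAMPLE_EVENTS):
        print("fields match but outside window:", miss["event_ids"])
```

Running the script correlates (e1, e2, e3) and reports (e1, e2, e4) as a near miss. The same two checks translate to the rule: confirm the three join fields really carry the same values after aggregation, and confirm the event end times of the three sources sit within the window, since a device clock that is a minute or two off silently empties the result.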

2 Replies
Acclaimed Contributor.

Are the timestamps on the logs all correct?

Trusted Contributor.

Yes, they are correct.
