This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
fikretbaydilli1
Commander
Commander
‎2016-03-22 10:44
272 views

Correlation Problem for User Tracking - Need Help

Hi,

I want to create correlation rule for user tracking, and I need help with to do this correlation. I created a rule however it didn’t work. I summarized the case below with screenshots.

  • On this case there are 3 types of logs; first and second logs are IIS logs (IISLog01 and IISLog02), third log is a security device log (FWLog)
  • What I want to do is
    if
    (IISLog01’s “source translated address” and IISLog02’s “Attacker Address” is same)
    and
    (IISLog02’s “Source  User Name” and FWLog’s “Source User Name” is same)
    in 1 minute I want to see these logs in an active list under one correlated log.
  • I added screenshots about the that I wrote (I changed ip address and names)
  • This query returns with empty result.
  • I aggregated the only fields that I used in query because there are lots of field in events. I tried aggregate everything that I need but the result didn’t change.

arcsightcase01.PNG arcsightcase02.PNG arcsightcase03.PNG

Labels (2)
Labels
0 Likes
Reply
Report Inappropriate Content
2 Replies
Shaun
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2016-03-22 11:17

Are the timestamps on the logs all correct?

0 Likes
Reply
Report Inappropriate Content
fikretbaydilli1
Commander
Commander
‎2016-03-22 12:10

Yes, they are correct.

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.