
Populating base events with Active List data

I have rules in place that are tracking VPN users logging on and off the network. Their IP and associated username are being stored in an Active List. Right now, if an analyst needs to know what username is associated with the base events they are investigating, they have to open the Active List and look it up.

What I'd like to do is have my connectors read the Active List and if the Source IP of the base event matches an IP in the Active List, then populate a DeviceCustomString field with the VPN username. This would save a lot of time during investigations.

I know that you can use a static map file for connectors to reference, but that won't work for me as this Active List changes hundreds of times a day. I also know that I could use a rule in ESM to populate correlated events with the Active List content, but I'm really looking to add more data to base events.

Has anyone had any luck doing something similar? Thanks in advance!
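As an added illustration of the enrichment described in the question (this is not code from the original thread or from ArcSight), the Python below turns an Active List export into a connector-style map file keyed on source IP, and simulates the per-event lookup that would populate a DeviceCustomString field. Assumptions: the Active List is exported as CSV with the columns `ip,username,lastSeen` (constructed sample data), and the map file header follows the SmartConnector convention of `event.<field>` for the match column and `set.event.<field>` for the populated column; check both against your own connector documentation.

```python
"""Build a map file from a VPN Active List export and simulate the
per-event enrichment it would produce.

Added illustration for the thread above; not from the original post.
Assumptions (verify against your ArcSight documentation):
  * the map file's first line names the match column as event.<field>
    and the populated column as set.event.<field>;
  * the Active List export is CSV with columns ip,username,lastSeen.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample export of the Active List (IP -> VPN username).
SAMPLE_ACTIVE_LIST_CSV = """ip,username,lastSeen
10.8.0.12,alice,2024-01-15T08:03:00Z
10.8.0.40,bob,2024-01-15T07:55:00Z
10.8.0.99,carol,2024-01-14T09:10:00Z
not-an-ip,mallory,2024-01-15T08:00:00Z
"""

# Constructed reference time used when running the sample offline.
FIXED_NOW = datetime(2024, 1, 15, 8, 30, tzinfo=timezone.utc)

# Assumed map-file header: match on sourceAddress, set deviceCustomString1.
MAP_HEADER = "event.sourceAddress,set.event.deviceCustomString1"


def parse_active_list(csv_text, now=None, max_age=timedelta(hours=12)):
    """Return {ip: username} for entries that are well-formed and fresh.

    Stale entries are dropped so a user who logged off yesterday is not
    attributed to an address that has since been handed to someone else.
    """
    now = now or datetime.now(timezone.utc)
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue  # skip malformed addresses rather than poisoning the map
        last_seen = datetime.fromisoformat(row["lastSeen"].replace("Z", "+00:00"))
        if now - last_seen > max_age:
            continue
        table[ip] = row["username"].strip()
    return table


def render_map_file(table):
    """Render the lookup table as map-file text: the header line, then one
    'sourceAddress,username' row per entry (sorted so regenerated files
    diff cleanly)."""
    lines = [MAP_HEADER]
    lines += [f"{ip},{user}" for ip, user in sorted(table.items())]
    return "\n".join(lines) + "\n"


def enrich_event(event, table):
    """Simulate the connector's lookup: if sourceAddress is in the table,
    copy the username into deviceCustomString1; otherwise return the event
    unchanged so an unknown IP never gets a made-up user."""
    user = table.get(event.get("sourceAddress"))
    enriched = dict(event)
    if user is not None:
        enriched["deviceCustomString1"] = user
    return enriched


if __name__ == "__main__":
    lookup = parse_active_list(SAMPLE_ACTIVE_LIST_CSV, now=FIXED_NOW)
    print(render_map_file(lookup))
    print(enrich_event({"sourceAddress": "10.8.0.12", "name": "Firewall permit"}, lookup))
```

The freshness cutoff is the part an investigator cares about most: an Active List keyed by IP will eventually hold addresses that the VPN pool has reassigned, so whatever performs the enrichment should apply a bounded age to each entry rather than trusting every row it finds.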

1 Reply

I'm trying to do something similar as well:

https://protect724.arcsight.com/message/15278#15278

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.