Tracking User Activity Across a Very Busy Network
Hi all! While still somewhat new to ArcSight, I've been tinkering with the product as much as I can in an effort to determine how we can make the most use of it. One such use case I have come up with, mostly for demonstration purposes but one that will also have real-world applications, is ultimately tracking users who click links in phishing emails.
The log sources we have for this use case are as follows:
- Firewall Traffic
- Windows Event Logs
- Web Portal Logs
- DHCP Logs
- ACS Logs
Use-Case Scenario: A user falls victim to a phishing email. They click a link and enter their credentials. At some point in time, this user's account may be involved in a "suspicious" login against our online web portal.
Once the victim clicks the link (the IP of this link is in an ActiveList), the sourceAddress (victim) and destinationAddress (phishing site) are added to ActiveList #1. What I need now is to convert the sourceAddress into the victim's username. In our case, this information can be found in the following ways:
- Wired Traffic
  - Compare the sourceAddress with the Windows Event Logon Logs. Where sourceAddress=destinationAddress, grab the destinationUserName.
  - Add the destinationUserName (victim username) along with the phishing site address to ActiveList #2.
- Wireless Traffic
  - Compare the sourceAddress with the DHCP server logs. Where sourceAddress=sourceAddress, grab the MAC Address that was assigned the sourceAddress.
  - Using the MAC Address found in step 1 above, compare that against ACS Logs. When MAC Address=ad.Calling-Station-Mac-Address, grab the victim username.
  - Add the victim username along with the phishing site address to ActiveList #2.
If any of the usernames from the ActiveList #2 are found to login to our web portal from outside the US, add the account and attacker IP address to ActiveList #2.
My main question/concern with all of the above is this: In order to perform the above, in real time, I would have to track upwards of 50k IP addresses every day. Is anyone currently tracking this much activity? It also seems quite difficult to have to compare multiple log sources against each other to find the needed IP/username information (see the Wireless Traffic example above). What's the best method to go about this? Thank you for any help!
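The following is an added example, not code from the original post and not an ArcSight rule set: it walks the correlation chain described above (firewall hit on a phishing IP, IP-to-user via Windows logon events for wired clients, IP-to-MAC via DHCP and MAC-to-user via ACS for wireless clients, then out-of-country portal logins) over a handful of constructed log records. Field names follow the post's ArcSight-style names; the sample records, timestamps, usernames and IPs are all made up. One thing it adds that the post does not spell out is a time window on every lookup, because a DHCP address or a workstation is reused over the day and the lookup has to pick the assignment that was current when the click happened, not the most recent one overall. The out-of-country hits are kept in their own list here rather than appended to ActiveList #2.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Field names mirror the ArcSight
# names used in the post; times are naive UTC ISO strings.
PHISH_SITES = {"203.0.113.10"}  # the ActiveList of known phishing IPs

FIREWALL = [
    {"sourceAddress": "10.1.1.25", "destinationAddress": "203.0.113.10", "t": "2024-05-01T09:15:00"},
    {"sourceAddress": "10.2.7.40", "destinationAddress": "203.0.113.10", "t": "2024-05-01T10:05:00"},
    {"sourceAddress": "10.1.1.99", "destinationAddress": "198.51.100.5", "t": "2024-05-01T10:06:00"},  # benign
]
WIN_LOGONS = [  # Windows logon events, mapped as the post describes
    {"destinationAddress": "10.1.1.25", "destinationUserName": "jdoe", "t": "2024-05-01T08:02:00"},
    {"destinationAddress": "10.1.1.25", "destinationUserName": "asmith", "t": "2024-05-01T16:30:00"},  # after the click
]
DHCP = [  # lease assignments; the same IP is handed to a second MAC later that day
    {"sourceAddress": "10.2.7.40", "mac": "AA-BB-CC-11-22-33", "t": "2024-05-01T07:00:00"},
    {"sourceAddress": "10.2.7.40", "mac": "AA-BB-CC-44-55-66", "t": "2024-05-01T12:00:00"},
]
ACS = [  # RADIUS authentications keyed by Calling-Station-Mac-Address
    {"Calling-Station-Mac-Address": "AA-BB-CC-11-22-33", "user": "mlee", "t": "2024-05-01T07:01:00"},
    {"Calling-Station-Mac-Address": "AA-BB-CC-44-55-66", "user": "kchan", "t": "2024-05-01T12:01:00"},
]
PORTAL = [  # web portal logins with a GeoIP country already attached
    {"user": "jdoe", "ip": "198.51.100.77", "country": "DE", "t": "2024-05-02T03:00:00"},
    {"user": "mlee", "ip": "10.9.9.9", "country": "US", "t": "2024-05-02T09:00:00"},
    {"user": "other", "ip": "198.51.100.78", "country": "RU", "t": "2024-05-02T04:00:00"},
]

WINDOW = timedelta(hours=12)  # assumed lookback; tune to your lease/logon lifetimes


def ts(s):
    return datetime.fromisoformat(s)


def latest_before(records, when, pred, window=WINDOW):
    """Most recent record matching pred with time in (when - window, when].

    Records after `when` are ignored on purpose: a lease or logon that started
    after the click cannot tell us who held the address at click time.
    """
    best = None
    for r in records:
        t = ts(r["t"])
        if pred(r) and when - window < t <= when and (best is None or t > ts(best["t"])):
            best = r
    return best


def resolve_wired(ip, when):
    """Wired path: firewall sourceAddress == logon destinationAddress -> destinationUserName."""
    r = latest_before(WIN_LOGONS, when, lambda r: r["destinationAddress"] == ip)
    return r["destinationUserName"] if r else None


def resolve_wireless(ip, when):
    """Wireless path: IP -> MAC via DHCP, then MAC -> user via ACS."""
    lease = latest_before(DHCP, when, lambda r: r["sourceAddress"] == ip)
    if lease is None:
        return None
    mac = lease["mac"]
    auth = latest_before(ACS, when, lambda r: r["Calling-Station-Mac-Address"] == mac)
    return auth["user"] if auth else None


def build_active_lists():
    """ActiveList #1: (victim IP, phishing site). ActiveList #2: victim username -> phishing site."""
    list1 = []
    list2 = {}
    for fw in FIREWALL:
        if fw["destinationAddress"] not in PHISH_SITES:
            continue
        when = ts(fw["t"])
        list1.append((fw["sourceAddress"], fw["destinationAddress"]))
        user = resolve_wired(fw["sourceAddress"], when) or resolve_wireless(fw["sourceAddress"], when)
        if user:
            list2[user] = fw["destinationAddress"]
    return list1, list2


def suspicious_portal_logins(list2):
    """Accounts from ActiveList #2 that log into the portal from outside the US."""
    return [(p["user"], p["ip"]) for p in PORTAL if p["user"] in list2 and p["country"] != "US"]


if __name__ == "__main__":
    l1, l2 = build_active_lists()
    print("ActiveList #1:", l1)
    print("ActiveList #2:", l2)
    print("Out-of-country portal logins:", suspicious_portal_logins(l2))
```

The linear scans are fine for a demo but not for tens of thousands of addresses a day; in practice the DHCP, logon and ACS records are indexed by address (and by MAC) with entries kept in time order, so each lookup is a dictionary hit plus a short walk back from the click time rather than a pass over the whole day's logs.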