Anonymous_User Absent Member.
Absent Member.
288 views

[sentinel] correlation problem and dynamic list


Dear All,

I have two problems as following:
1. I have write a correlation rule as following:
filter((((e.CollectorPluginName = "Microsoft Exchange POP3") and
(e.EventName = "pass")) and (e.XDASOutcomeName = "XDAS_OUT_FAILURE")))
flow window(((w.SessionID = e.SessionID) and (e.SourceIP =
w.SourceIP)),filter((((e.CollectorPluginName = "Microsoft Exchange
POP3") and (e.EventName = "user")) and (e.TargetNewResourceName inlist
sensitiveuser))),120) flow
trigger(5,120,discriminator(e.SourceIP,e.TargetNewResourceName))

I have following problem:
I will call the first filter event as A event, the second filter event
as B event, the first filter corresponding log include username field
named TargetNewResourceName, the second filter event also called as
storaged event,
but B event log does not include username field, so I don`t know who
logon failed, so i need gain the username from A event, there is same
sessionID between A and
B, customer`s demands need know who logon failed when user logon to
pop3 mailbox failure three times, so correlation results is following:
username: $TargetNewResourceName$ logon to mailbox failure via pop3 at
least 3 times in two minutes, sourceip: $SourceIP$,
MacAddress:$CSOTSourceMac$,Please pay
attention to it!
But correlation result is following:
username: Null logon to mailbox failure via pop3 at least 3 times in two
minutes, sourcip: 10.108.54.50, MacAdress: 247703743F34,Please pay
attention to it!
There is no username value($TargetNewResourceName$), why?

2. I know arcsight active list(same as sentinel dynamic list) support
multiple fields in one table, but sentinel dynamic list only support
alone value,
if I want storage ip and macaddress for DHCP logs into one table, How to
implement? and that I also correlation rule can invoke function same as
get_ipaddress or
get_dhcpaddress in arcsight, Does sentinel provide same function?

thanks


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=48076

0 Likes
1 Reply
Anonymous_User Absent Member.
Absent Member.

Re: [sentinel] correlation problem and dynamic list

This sounds like a Sentinel product, vs. Sentinel plugin, issue. Please
post it in the Sentinel list on forums.netiq.com to get exposure to the
largest group of people who may be able to help. This list is
specifically for plugins.

Also, when posting in the other list, if you can post the raw data from
each of the events that may help others understand with which data you
have to work.

Good luck.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.