Attention
By clicking proceed, you will be redirected from this site because of the impossibility of working with this site without allowing a cookie.
Cancel Confirm
My account
Exact matches only
Search in title
Search in content
Search in posts
Search in pages
Search in:
Blog
News

Enriching events with additional data


531
October 19, 2017

In the previous article, we examined Additional Data fields and how to use them. But what if events do not have needed/required/necessary information even in Additional Data fields?

You may always face the situation when events in ArcSight don’t contain all needed information for Analysts. E.g., user ID instead of username, host ID instead of hostname, etc.

Certainly, you can get out of this situation by using Active List in analytics and add required data to alert/correlation event. But things are a bit worse regarding event search, investigation because events still contain only IDs.
Thus, we need a feature to enrich events before they are ingested to ArcSight database. Guess what, ArcSight has got a way to do this. Even several ways. And I’ll try to describe them all.

Let’s imagine we have event source, Physical Access System (PAS), and by default events from this source have only User ID and no Usernames.
And even for a simple use case that notifies us about successful authentication on domain controller for the employee who is physically not in the building we need usernames in PAS events.

 

Enriching events with pre-persistence rules

 

The first way is to use pre-persistence rules.
Pre-persistence rules include a small set of features to enable basic event analysis and the setting of various event fields, therefore enriching these base events, before the events themselves are persisted in the database.
So general usage scenario would be:

  1. Create Active List with User ID to Username matches. With User ID as a key field.
  2. Create pre-persistence rule. Define Conditions, in our case PAS events. Go to Local Variables and create GetActiveListValue variable. Specify Active List from step 1, select field that contains user ID (let’s assume Destination User ID). This variable gets Username corresponding to User ID from Active List.
  3. Go to Actions tab and on ‘On Every Event’ trigger add ‘Set Event Field’ action. We want Destination User Name field to be enriched with Username from Active List. So select newly created variable (from step 2) next to Destination User Name field. So action should look like the following:
  4. Save rule. Deploy this rule as Real Time Rules.

All new events will be enriched with usernames from Active List.
This scenario has one point you need to keep in mind. That is updated Active List with fresh information.
Events with the user ID that doesn’t have matching username in Active List will have Destination User Name field blank.

In this article, we had insight into one of the several ways to enrich ArcSight events with the data needed to create efficient use cases and save effort during an investigation.

In the next part of this article, I’ll give two other ways to accomplish this challenge.
Stay in touch. Stay safe.

 

Ruslan Mihalev

Ruslan Mihalev

Chief Customer Officer at SOC Prime
Ruslan Mihalev

Latest posts by Ruslan Mihalev (see all)

Related Posts

Active Lists in ArcSight, automatic clearing. Part 1
Splunk. How to make color table rows based on conditions.
Petya.A / NotPetya is an AI-powered cyber weapon, TTPs lead to Sandwor...
Historical Correlation
What is network hierarchy and how to use it in IBM QRadar
MENU