In the previous article, we examined Additional Data fields and how to use them. But what if events do not have the needed information even in Additional Data fields?
You may face a situation where events in ArcSight do not contain all the information analysts need: for example, a user ID instead of a username, a host ID instead of a hostname, and so on.
Certainly, you can work around this by using an Active List in analytics and adding the required data to the alert/correlation event. But event search and investigation are worse off, because the base events still contain only IDs.
Thus, we need a feature to enrich events before they are ingested into the ArcSight database. Guess what, ArcSight has a way to do this. Even several ways. And I’ll try to describe them all.
Let’s imagine we have an event source, a Physical Access System (PAS), and by default events from this source contain only a User ID and no Username.
And even for a simple use case that notifies us about a successful authentication on a domain controller for an employee who is physically not in the building, we need usernames in PAS events.
The first way is to use pre-persistence rules.
Pre-persistence rules include a small set of features to enable basic event analysis and the setting of various event fields, therefore enriching these base events before the events themselves are persisted in the database.
So the general usage scenario would be:
All new events will be enriched with usernames from the Active List.
This scenario has one point you need to keep in mind: the Active List must be kept updated with fresh information.
Events with a user ID that has no matching username in the Active List will have the Destination User Name field blank.
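To make the behaviour concrete, here is an added Python model of the scenario above (not ArcSight code; in ArcSight this is rule configuration, not a script). It assumes the Active List is keyed by the PAS user ID, uses the ArcSight field names destinationUserId, destinationUserName and categoryOutcome, and shows both the "not in the building" use case and a check for events left blank by a stale Active List.

```python
"""Model of pre-persistence enrichment of PAS events from an Active List.
Constructed example: names and sample events are assumptions, not real data."""

# Constructed Active List: PAS user ID -> username
ACTIVE_LIST = {"U1001": "alice", "U1002": "bob"}


def enrich_pre_persistence(event: dict, active_list: dict) -> dict:
    """Set Destination User Name before the event is stored.
    An ID with no match leaves the field blank, as the article describes."""
    enriched = dict(event)
    enriched["destinationUserName"] = active_list.get(event.get("destinationUserId", ""), "")
    return enriched


def in_building(pas_events: list, username: str) -> bool:
    """True if the user's most recent PAS event is a badge-in."""
    last = None
    for e in pas_events:
        if e["destinationUserName"] == username:
            last = e
    return last is not None and last["name"] == "Badge In"


def dc_auth_outside_building(pas_events: list, dc_events: list) -> list:
    """Use case from the article: successful DC auth for someone not physically present.
    Only works because both event sets now carry a username, not an ID."""
    return [e["destinationUserName"] for e in dc_events
            if e["categoryOutcome"] == "/Success"
            and not in_building(pas_events, e["destinationUserName"])]


def unenriched(events: list) -> list:
    """Health check: user IDs whose enrichment produced a blank username (stale list)."""
    return [e["destinationUserId"] for e in events if e["destinationUserName"] == ""]


# Constructed sample events
RAW_PAS = [
    {"name": "Badge In", "destinationUserId": "U1001"},
    {"name": "Badge Out", "destinationUserId": "U1001"},
    {"name": "Badge In", "destinationUserId": "U1002"},
    {"name": "Badge In", "destinationUserId": "U1003"},  # not yet in the Active List
]
DC_AUTH = [
    {"destinationUserName": "alice", "categoryOutcome": "/Success"},
    {"destinationUserName": "bob", "categoryOutcome": "/Success"},
]
PAS = [enrich_pre_persistence(e, ACTIVE_LIST) for e in RAW_PAS]

if __name__ == "__main__":
    print(dc_auth_outside_building(PAS, DC_AUTH))  # ['alice']
    print(unenriched(PAS))  # ['U1003']
```

The unenriched list is what you would monitor to catch the stale Active List problem before it silently breaks use cases.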
In this article, we looked at one of the several ways to enrich ArcSight events with the data needed to create efficient use cases and save effort during an investigation.
In the next part of this article, I’ll describe two other ways to accomplish this.
Stay in touch. Stay safe.