Enriching events with additional data

In the previous article, we examined Additional Data fields and how to use them. But what if events do not have needed/required/necessary information even in Additional Data fields?

You may always face the situation when events in ArcSight don’t contain all needed information for Analysts. E.g., user ID instead of username, host ID instead of hostname, etc.

Certainly, you can get out of this situation by using Active List in analytics and add required data to alert/correlation event. But things are a bit worse regarding event search, investigation because events still contain only IDs.
Thus, we need a feature to enrich events before they are ingested to ArcSight database. Guess what, ArcSight has got a way to do this. Even several ways. And I’ll try to describe them all.

Let’s imagine we have event source, Physical Access System (PAS), and by default events from this source have only User ID and no Usernames.
And even for a simple use case that notifies us about successful authentication on domain controller for the employee who is physically not in the building we need usernames in PAS events.

Enriching events with pre-persistence rules

The first way is to use pre-persistence rules.
Pre-persistence rules include a small set of features to enable basic event analysis and the setting of various event fields, therefore enriching these base events, before the events themselves are persisted in the database.
So general usage scenario would be:

1. Create Active List with User ID to Username matches. With User ID as a key field.
2. Create pre-persistence rule. Define Conditions, in our case PAS events. Go to Local Variables and create GetActiveListValue variable. Specify Active List from step 1, select field that contains user ID (let’s assume Destination User ID). This variable gets Username corresponding to User ID from Active List.
3. Go to Actions tab and on ‘On Every Event’ trigger add ‘Set Event Field’ action. We want Destination User Name field to be enriched with Username from Active List. So select newly created variable (from step 2) next to Destination User Name field. So action should look like the following:
4. Save rule. Deploy this rule as Real Time Rules.

All new events will be enriched with usernames from Active List.
This scenario has one point you need to keep in mind. That is updated Active List with fresh information.
Events with the user ID that doesn’t have matching username in Active List will have Destination User Name field blank.

In this article, we had insight into one of the several ways to enrich ArcSight events with the data needed to create efficient use cases and save effort during an investigation.

In the next part of this article, I’ll give two other ways to accomplish this challenge.
Stay in touch. Stay safe.