Dear All,

I have two problems, as follows:
1. I have written a correlation rule as follows (the rule is one expression; it is split here only for readability):
filter((((e.CollectorPluginName = "Microsoft Exchange POP3") and (e.EventName = "pass")) and (e.XDASOutcomeName = "XDAS_OUT_FAILURE")))
flow window(((w.SessionID = e.SessionID) and (e.SourceIP = w.SourceIP)), filter((((e.CollectorPluginName = "Microsoft Exchange POP3") and (e.EventName = "user")) and (e.TargetNewResourceName inlist sensitiveuser))), 120)
flow trigger(5, 120, discriminator(e.SourceIP, e.TargetNewResourceName))

I have the following problem:
I will call the first filter event the A event and the second filter event the B event. The log corresponding to the first filter includes a username field named TargetNewResourceName; the second filter event is also called the stored event, but the B event log does not include a username field, so I don't know who failed to log on. So I need to get the username from the A event; A and B share the same SessionID. The customer's demand is to know who failed to log on when a user fails to log on to a POP3 mailbox three times, so the correlation result should be as follows:
username: $TargetNewResourceName$ logon to mailbox failure via pop3 at least 3 times in two minutes, sourceip: $SourceIP$, MacAddress:$CSOTSourceMac$,Please pay attention to it!
But the correlation result is as follows:
username: Null logon to mailbox failure via pop3 at least 3 times in two minutes, sourcip:, MacAdress: 247703743F34,Please pay attention to it!
There is no username value ($TargetNewResourceName$). Why?

2. I know the ArcSight active list (the same as a Sentinel dynamic list) supports multiple fields in one table, but the Sentinel dynamic list only supports a single value. If I want to store the IP and MAC address from DHCP logs in one table, how do I implement that? Also, in ArcSight a correlation rule can invoke a function such as get_ipaddress or get_dhcpaddress. Does Sentinel provide the same function?


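The join the rule above is trying to express, written out as an added Python example (not part of the original post and not Sentinel's own code): the POP3 "user" event matched by the window filter carries TargetNewResourceName, the "pass" failure event matched by the first filter does not, and the two are joined on SessionID and SourceIP within a 120-second window. The event list, the sensitive-user set and the three-failure threshold from the customer's requirement are constructed assumptions; failures whose session has no stored "user" event are reported separately, since those are exactly the cases where no username is available to print.

```python
from collections import defaultdict

# Constructed sample events (not from the original post). Field names follow
# the rule: EventName, SessionID, SourceIP, TargetNewResourceName,
# XDASOutcomeName; "t" is the event time in seconds.
SAMPLE_EVENTS = [
    {"t": 0, "EventName": "user", "SessionID": "s1", "SourceIP": "10.0.0.5",
     "TargetNewResourceName": "alice"},
    {"t": 2, "EventName": "pass", "SessionID": "s1", "SourceIP": "10.0.0.5",
     "XDASOutcomeName": "XDAS_OUT_FAILURE"},
    {"t": 30, "EventName": "user", "SessionID": "s2", "SourceIP": "10.0.0.5",
     "TargetNewResourceName": "alice"},
    {"t": 31, "EventName": "pass", "SessionID": "s2", "SourceIP": "10.0.0.5",
     "XDASOutcomeName": "XDAS_OUT_FAILURE"},
    {"t": 60, "EventName": "user", "SessionID": "s3", "SourceIP": "10.0.0.5",
     "TargetNewResourceName": "alice"},
    {"t": 61, "EventName": "pass", "SessionID": "s3", "SourceIP": "10.0.0.5",
     "XDASOutcomeName": "XDAS_OUT_FAILURE"},
    # a failure with no stored "user" event for its session: username unknown
    {"t": 70, "EventName": "pass", "SessionID": "s9", "SourceIP": "10.0.0.7",
     "XDASOutcomeName": "XDAS_OUT_FAILURE"},
]
SENSITIVE_USERS = {"alice", "bob"}  # stands in for the "sensitiveuser" list


def correlate(events, sensitive=SENSITIVE_USERS, window=120, threshold=3):
    """Join each POP3 PASS failure to the USER event of the same session and
    source IP (the USER event carries the username), then count failures per
    (SourceIP, username) inside a sliding window of `window` seconds."""
    user_by_session = {}          # SessionID -> (SourceIP, username, time)
    failures = defaultdict(list)  # (SourceIP, username) -> failure times
    unmatched = []                # failures whose session has no USER event
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["EventName"] == "user" and ev.get("TargetNewResourceName") in sensitive:
            user_by_session[ev["SessionID"]] = (
                ev["SourceIP"], ev["TargetNewResourceName"], ev["t"])
        elif ev["EventName"] == "pass" and ev.get("XDASOutcomeName") == "XDAS_OUT_FAILURE":
            stored = user_by_session.get(ev["SessionID"])
            # no stored USER event (or expired / different IP): nothing to join
            if stored is None or stored[0] != ev["SourceIP"] or ev["t"] - stored[2] > window:
                unmatched.append(ev["SessionID"])
                continue
            key = (stored[0], stored[1])
            times = [x for x in failures[key] if ev["t"] - x <= window] + [ev["t"]]
            failures[key] = times
            if len(times) >= threshold:
                alerts.append({"username": key[1], "sourceip": key[0], "count": len(times)})
                failures[key] = []  # reset so the same failures are not reported twice
    return alerts, unmatched
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for alice from 10.0.0.5 and lists session s9 as a failure that could not be attributed to any user.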