Thursday, June 10, 2010

Converting Windows failure codes to something readable

I posted this in the content section on the ArcSight user forums (and if you are an ArcSight client you are reading them, right...?) but I haven't been able to take anything with antihistamine for the last week and won't be able to until after my allergy test on Monday, so I'm feeling mis-er-a-ble.

Hopefully your SIEM is capturing the reason/status/substatus codes for failed Windows logon events. In ArcSight that data generally lands in deviceCustomString4. We recently had to produce a series of reports for people outside the more technical group, who would otherwise have been staring at the raw hex codes.

To make the reports readable I did a copy/paste job from the GREAT resource over at Ultimate Windows Security, the event encyclopedia, into an active list with two string fields, making sure to index the one holding the code. The index matters because the report query can then use a variable to pull a value out of the active list, which is effectively a join. Since this is a string comparison on values containing letters, and the hex codes show up in mixed case, I stored the active list data in lower case and used a second variable to lower-case the value from deviceCustomString4 before comparing. Then, in the query's field selection, look under the variable section and you should see BOTH fields from the active list. Select the normal fields you want, add the unindexed (description) field from the active list, and tidy up the column name with the alias field in the report.
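The same lookup done outside ArcSight, as an added example that is not part of the original post and not ArcSight's own code: a small Python script that normalises the code case (the point of the lower-case variables above), joins each event against a code table, and keeps rows whose code is not in the table instead of silently dropping them, which is the behaviour you want from the report join. The code table is a hand-picked excerpt of well-known NTSTATUS values standing in for the full encyclopedia paste, the event records are constructed for this example, and using deviceCustomString5 for the 4625 SubStatus field is an assumption; check your own connector's mapping.

```python
"""Map Windows logon-failure status/substatus codes to readable text.

Added example, not part of the original post and not ArcSight code.
REASON_CODES is a small excerpt of well-known NTSTATUS codes; the full
list would be pasted from the event encyclopedia. SAMPLE_EVENTS is
constructed data. Assumption: deviceCustomString4 carries Status and
deviceCustomString5 carries SubStatus.
"""
import re

# Excerpt of well-known NTSTATUS logon failure codes, keyed lower case
# so the lookup key matches the normalised event value.
REASON_CODES = {
    "0xc000006d": "Logon failure: bad user name or password",
    "0xc000006a": "Wrong password (user name is correct)",
    "0xc0000064": "User name does not exist",
    "0xc0000234": "Account locked out",
    "0xc0000072": "Account disabled",
    "0xc0000071": "Password expired",
    "0xc000006f": "Logon outside authorised hours",
    "0xc0000070": "Logon from unauthorised workstation",
    "0xc000015b": "User not granted the requested logon type",
    "0xc0000193": "Account expired",
    "0xc0000133": "Clock skew between workstation and DC too great",
}

# Accept the spellings seen in practice: 0xC000006D, c000006d, 0XC000006D.
_CODE_RE = re.compile(r"^(?:0x)?([0-9a-f]{1,8})$")


def normalize_code(raw):
    """Lower-case the code and give it a fixed '0x' + 8 hex digit shape.

    Returns None when the value is not a hex status code at all, so the
    caller can leave the original string alone rather than guess.
    """
    if raw is None:
        return None
    m = _CODE_RE.match(raw.strip().lower())
    if not m:
        return None
    return "0x" + m.group(1).zfill(8)


def describe(status, substatus=None):
    """Pick the most specific readable reason for a failed logon.

    Status 0xC000006D is the generic 'bad user name or password'; for
    event 4625 the SubStatus field says which of the two it was, so it
    is preferred when present and known. Unknown codes are kept (not
    dropped) so the report still shows the row and the raw value.
    """
    st = normalize_code(status)
    sub = normalize_code(substatus)
    if sub in REASON_CODES:
        return REASON_CODES[sub]
    if st in REASON_CODES:
        return REASON_CODES[st]
    return "Unknown status %s" % (status if status is not None else "")


def annotate(events):
    """Add a readable 'reason' to each event dict: the equivalent of the
    report's active-list join, done as a left join so nothing is lost."""
    out = []
    for ev in events:
        row = dict(ev)
        row["reason"] = describe(ev.get("deviceCustomString4"),
                                 ev.get("deviceCustomString5"))
        out.append(row)
    return out


# Constructed sample events (not real log data). Note the mixed case and
# the missing '0x' prefix, which is why the normalisation step exists.
SAMPLE_EVENTS = [
    {"user": "alice", "deviceCustomString4": "0xC000006D",
     "deviceCustomString5": "0xC000006A"},
    {"user": "bob",   "deviceCustomString4": "0xc000006d",
     "deviceCustomString5": "0xC0000064"},
    {"user": "carol", "deviceCustomString4": "C0000234",
     "deviceCustomString5": "0x0"},
    {"user": "dave",  "deviceCustomString4": "0xDEADBEEF",
     "deviceCustomString5": None},
]

if __name__ == "__main__":
    for row in annotate(SAMPLE_EVENTS):
        print("%-6s %-10s %s" % (row["user"],
                                 row["deviceCustomString4"], row["reason"]))
```

The two things worth carrying back to the report are the case normalisation on both sides of the comparison and the left-join behaviour: if the active-list lookup returns nothing for a code you have not pasted in yet, the row should still appear with the raw code rather than vanish from the report.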

Worked like a champ though given my current state it might read like a train wreck.
