That part now works. MemberName is now populated in alert generating events based on manually updating custom index. Now I need to get the incoming events to add the MemberSID and MemberName to the custom index. That was the original problem prior to discovering that the mapping was incorrect.
Apologies... I am not following...
When you say "custom index" is that the enrich lookup index or something else?
Are you trying to figure out how to keep the lookup inventory up to date?
Correct. As new event code 4720s come in, I want to pull the SID and Name and add them to the custom index. That enables the enriching process to add the MemberName to the alert generating event.
And yes, that is the enrich lookup index
Easier said than done...
You could look at using a latest transform and pass the incoming data through it...
Use the event code as the primary data field and it will build up a database of all the events etc... Then you could perhaps use that as the basis of your enrich data
Go to Kibana -> Management -> Transforms and try to set up a latest transform and see if that helps...
I'll take a look at that. Thanks.
I'm not sure transforms will work, from the way I understand them from reading the reference. The data enrichment is very time sensitive. The 2 events I need are the account creation event (4720) and the user-added-to-privileged-group event (4732). I need to add the MemberName to the 4732 event to filter it out when the Kibana rule evaluates it. The time difference between the 2 events is below. Less than .05 seconds.
4720 event time 15:50:42.968
4732 event time 15:50:42.981
So I think this is something that has to happen on the ingest side. Is that correct?
Yeah that is not a transform use case...
Perhaps... but I don't think that is feasible; ingest does not work that way
This seems like it is on the alert detection side. Have you looked at EQL?
I think I would open a new topic against the Security SIEM category and show your sequence of events and what you want and do not want...
I would be explicit about your use Case and What you want to accomplish and do not assume that it involves enriching one document with another...
No one from Security will look at this topic...
Sorry for the side track... but I think you are looking at an EQL detection, I could be wrong, I am not an expert with EQL (used for sequential events detection)
Also any chance you can upgrade from 8.0.0 to say 8.14.3? That might help
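As an added illustration of the EQL suggestion above (not code from the thread), this is the shape of a sequence rule that pairs a 4720 account creation with the 4732 group addition for the same SID within a short window; the `winlog.event_data.*` field names are assumptions based on the Elastic Windows Security integration and must be checked against your own mapping:

```eql
// Assumed field names (verify in your index mapping):
//   4720: winlog.event_data.TargetSid / TargetUserName = the newly created account
//   4732: winlog.event_data.MemberSid / MemberName    = the member added to the group
// maxspan is deliberately wider than the ~13 ms gap seen in the thread,
// to tolerate timestamp and ingest jitter between the two events.
sequence with maxspan=5s
  [any where event.code == "4720"] by winlog.event_data.TargetSid
  [any where event.code == "4732"] by winlog.event_data.MemberSid
```

Each match returns both documents, so the resulting alert already carries the 4720 account name alongside the 4732 MemberName without any ingest-time enrich lookup; add a condition on the 4732 group name inside the second bracket to restrict it to the privileged group of interest.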
Thank you for all the help. I'll post on that forum and see what I get.