How to summarize or join index with different kind of data structure


As part of a project or rather as a proof of concept, we are trying to take data from two inventory systems, Ocs and Altiris to link them with Active Directory logs.

In OCS and Altiris I have the inventory of my devices, whether they are PCs or smartphones, from which the user connects to our client's services.

It is easy to take the data with winlogbeat from the domain controllers and inject it into Elasticsearch, but the complicated thing is when I have to link those login entries with the data that I could take from the inventory systems of OCS and/or Altiris.

What is sought is to know if the device from which the user connects is registered in the inventory of OCS or Altiris (but do nothing about it if it is not). This query would be in Kibana, with a dashboard or something similar.

It also seeks to know if that device was discharged from any of the inventory systems and the reason.

What we came up with for this was to "denormalize" the OCS and Altiris databases and inject them into a "macro" index in Elasticsearch using "left joins", but we don't think it's the most appropriate way.

We have seen, however, that extensions like OpenDistro allow you to assemble queries of the sql type to link indices, but it is restricted to only two.

Another option we found was to make this "join" index with Siren, but we don't know it in depth.

We know that with Splunk this can be done, since it allows joins between indexes, but precisely the objective is to use the ELK stack instead of Splunk.

Maybe our solution is not the best and we do not know the ELK stack in depth, but any suggestions or comments would be welcome! :wink:
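The lookup the post is asking for (does this workstation exist in OCS or Altiris, and if so was it removed and why) is a left join of each logon event against a denormalized inventory table, which is what Elasticsearch's enrich processor does at ingest time. The following is an added example, not code from the original post or from OCS, Altiris or Elastic: it builds that lookup table from constructed inventory records, performs the left join on constructed winlogbeat-style logon events, and also emits the bodies for an assumed enrich policy and ingest pipeline that would do the same join server-side. The index name `inventory-devices`, the policy name `device-inventory` and the sample records are all assumptions; `winlog.event_data.WorkstationName` is the winlogbeat field that carries the workstation name of a 4624 logon.

```python
"""Added example: left-join Windows logon events against a merged OCS/Altiris inventory.

All inventory records and logon events below are constructed sample data.
"""
from typing import Dict, List, Optional

# Constructed inventory exports; "status"/"decommission_reason" mirror the
# "was the device removed from inventory, and why" question from the post.
OCS_INVENTORY = [
    {"hostname": "WS-0001", "status": "active", "decommission_reason": None},
    {"hostname": "WS-0002", "status": "retired", "decommission_reason": "replaced by WS-0010"},
]
ALTIRIS_INVENTORY = [
    {"hostname": "WS-0001", "status": "active", "decommission_reason": None},
    {"hostname": "WS-0003", "status": "retired", "decommission_reason": "reported lost"},
]

# Constructed logon events in the shape winlogbeat produces for event ID 4624.
LOGON_EVENTS = [
    {"event_id": 4624, "user": "alice", "workstation": "WS-0001"},
    {"event_id": 4624, "user": "bob", "workstation": "ws-0002"},   # case differs on purpose
    {"event_id": 4624, "user": "carol", "workstation": "WS-0003"},
    {"event_id": 4624, "user": "dave", "workstation": "WS-9999"},  # not in any inventory
]


def build_lookup(sources: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Denormalize every inventory into one table keyed by normalized hostname.

    This is the document set one would index into the enrich source index:
    one row per device, recording which systems know it and whether any of
    them has marked it as removed.
    """
    lookup: Dict[str, dict] = {}
    for source_name, records in sources.items():
        for rec in records:
            key = rec["hostname"].strip().upper()  # hostnames are case-insensitive
            entry = lookup.setdefault(
                key, {"sources": [], "status": "active", "decommission_reason": None}
            )
            entry["sources"].append(source_name)
            if rec["status"] != "active":  # a removal in any system wins
                entry["status"] = rec["status"]
                entry["decommission_reason"] = rec["decommission_reason"]
    return lookup


def enrich_event(event: dict, lookup: Dict[str, dict]) -> dict:
    """Left join: the event is kept even when no inventory row matches."""
    hit: Optional[dict] = lookup.get(event["workstation"].strip().upper())
    enriched = dict(event)
    enriched["inventory"] = {
        "registered": hit is not None,
        "sources": hit["sources"] if hit else [],
        "status": hit["status"] if hit else None,
        "decommission_reason": hit["decommission_reason"] if hit else None,
    }
    return enriched


def enrich_all(events: List[dict], lookup: Dict[str, dict]) -> List[dict]:
    return [enrich_event(e, lookup) for e in events]


def unregistered_logons(enriched: List[dict]) -> List[dict]:
    """Logons from devices no inventory system knows about."""
    return [e for e in enriched if not e["inventory"]["registered"]]


def retired_device_logons(enriched: List[dict]) -> List[dict]:
    """Logons from devices an inventory system has marked as removed."""
    return [e for e in enriched if e["inventory"]["status"] == "retired"]


def enrich_policy_body(source_index: str = "inventory-devices") -> dict:
    """Body for PUT /_enrich/policy/device-invent ory (assumed index name)."""
    return {
        "match": {
            "indices": source_index,
            "match_field": "hostname",
            "enrich_fields": ["sources", "status", "decommission_reason"],
        }
    }


def ingest_pipeline_body(policy_name: str = "device-inventory") -> dict:
    """Body for PUT /_ingest/pipeline/...; joins on the winlogbeat workstation field."""
    return {
        "processors": [
            {
                "enrich": {
                    "policy_name": policy_name,
                    "field": "winlog.event_data.WorkstationName",
                    "target_field": "inventory",
                    "ignore_missing": True,  # logons without a workstation name pass through
                }
            }
        ]
    }


if __name__ == "__main__":
    table = build_lookup({"ocs": OCS_INVENTORY, "altiris": ALTIRIS_INVENTORY})
    for e in enrich_all(LOGON_EVENTS, table):
        print(e["user"], e["workstation"], e["inventory"])
```

Two design points matter in practice: the join key must be normalized the same way on both sides (hostnames arrive in mixed case from different sources), and the enrich source index has to be re-indexed and the policy re-executed whenever the inventory changes, since the enrich processor reads a snapshot rather than the live index. Keeping the `decommission_reason` in the enriched event lets the Kibana dashboard filter on `inventory.registered` and `inventory.status` directly, without any cross-index query at search time.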
