Trying to create rules on elastic siem to map AD user information on another index

Hello All,

I am importing event code 6273 from our NPS server and we have a rule set to alert us for the below condition, hosted on index:

5 failed logins within a span of 5 minutes throw an alert.

Here we have an employee code that we use as the user name, so the SIEM signals field has the code number.

We used a Python script to export Active Directory attributes to a CSV and created an index with those details, the index below, called aduser-xxxx.

We want to populate the first name and last name present in the aduser-xxxx index into the SIEM signals index.

Can we do that?

Please advise.
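One way to get there, as an added example that is not part of the original post or of Elastic's own code: define a match-type enrich policy over the aduser-xxxx index and an ingest pipeline with an `enrich` processor, and apply that pipeline to the NPS events as they are indexed. The detection rule then copies the already-enriched fields into its signals, which is easier than rewriting documents in the signals index after the fact. The field names below are assumptions: the employee code is taken to land in `user.name` on the 6273 event, and the AD export is taken to carry the standard `sAMAccountName`, `givenName` and `sn` attributes; the policy, pipeline and target field names are made up for the example. The `simulate_pipeline` function is an offline stand-in for what the real enrich, rename and remove processors do, so the mapping can be checked on constructed sample documents without a cluster.

```python
"""Enrich NPS event 6273 with AD first/last name (added example, not from the post)."""
import json
from typing import Any

AD_INDEX_PATTERN = "aduser-*"        # matches the aduser-xxxx index from the post
POLICY_NAME = "ad-user-lookup"       # assumed policy name
PIPELINE_NAME = "nps-6273-ad-enrich" # assumed pipeline name
EMPLOYEE_FIELD = "user.name"         # assumed: where the employee code lands on the event


def enrich_policy_body() -> dict[str, Any]:
    """Body for PUT _enrich/policy/<POLICY_NAME>; run POST _enrich/policy/<POLICY_NAME>/_execute after."""
    return {
        "match": {
            "indices": AD_INDEX_PATTERN,
            "match_field": "sAMAccountName",          # AD attribute holding the employee code
            "enrich_fields": ["givenName", "sn"],     # first name, last name
        }
    }


def ingest_pipeline_body() -> dict[str, Any]:
    """Body for PUT _ingest/pipeline/<PIPELINE_NAME>; enriches only event code 6273."""
    return {
        "description": "Add AD first/last name to NPS 6273 events",
        "processors": [
            {"enrich": {
                "if": "ctx.event != null && ctx.event.code == '6273'",
                "policy_name": POLICY_NAME,
                "field": EMPLOYEE_FIELD,
                "target_field": "ad_user",   # temporary holder for the matched AD document
                "max_matches": 1,
                "ignore_missing": True,
            }},
            # Assumed target fields; rename so the names sit next to user.name on the event
            {"rename": {"field": "ad_user.givenName", "target_field": "user.first_name", "ignore_missing": True}},
            {"rename": {"field": "ad_user.sn", "target_field": "user.last_name", "ignore_missing": True}},
            {"remove": {"field": "ad_user", "ignore_missing": True}},
        ],
    }


# Dotted-path helpers over nested dicts, mirroring how ingest processors address fields
def _get(doc: dict, path: str):
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _set(doc: dict, path: str, value: Any) -> None:
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def _pop(doc: dict, path: str):
    parts = path.split(".")
    parent = _get(doc, ".".join(parts[:-1])) if len(parts) > 1 else doc
    return parent.pop(parts[-1], None) if isinstance(parent, dict) else None


def simulate_pipeline(event: dict, ad_docs: list[dict]) -> dict:
    """Offline stand-in for the pipeline above. The Painless `if` is mirrored by a hard-coded check."""
    doc = json.loads(json.dumps(event))  # deep copy; the input event is left untouched
    policy = enrich_policy_body()["match"]
    lookup = {d[policy["match_field"]]: d for d in ad_docs if policy["match_field"] in d}
    for proc in ingest_pipeline_body()["processors"]:
        (name, cfg), = proc.items()
        if name == "enrich":
            if _get(doc, "event.code") != "6273":
                continue
            key = _get(doc, cfg["field"])
            match = lookup.get(key) if key is not None else None
            if match is not None:
                # The real processor writes match_field plus enrich_fields under target_field
                keep = [policy["match_field"]] + policy["enrich_fields"]
                _set(doc, cfg["target_field"], {f: match[f] for f in keep if f in match})
        elif name == "rename":
            val = _pop(doc, cfg["field"])
            if val is not None:
                _set(doc, cfg["target_field"], val)
        elif name == "remove":
            _pop(doc, cfg["field"])
    return doc


# Constructed sample data: two AD export rows and one ECS-shaped NPS 6273 event
AD_USERS = [
    {"sAMAccountName": "100234", "givenName": "Asha", "sn": "Rao", "department": "Finance"},
    {"sAMAccountName": "100877", "givenName": "Tom", "sn": "Nkemelu"},
]
NPS_6273 = {
    "@timestamp": "2021-03-04T10:15:00Z",
    "event": {"code": "6273", "provider": "Microsoft-Windows-Security-Auditing"},
    "user": {"name": "100234"},
}

if __name__ == "__main__":
    print(json.dumps(enrich_policy_body(), indent=2))
    print(json.dumps(ingest_pipeline_body(), indent=2))
    print(json.dumps(simulate_pipeline(NPS_6273, AD_USERS), indent=2))
```

Two things to keep in mind when wiring this up for real: the enrich policy must be executed again whenever the AD export is re-indexed, since the enrich index is a snapshot taken at execute time, and the pipeline has to be attached to the Beats output or the index settings (`index.default_pipeline`) for the NPS events, not to the signals index.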

