Window event Log correlate with AD user info enquiry

Peter_Ch · July 2, 2021, 7:03am

Dear All,

I'm new to Elasticsearch. I am finding a solution that can help to perform log correlation. Here's my situation.

I have a application using window event as log. In the window event log, it includes user name and action etc. I would like to know if Elastic can get the Active Directory user info (e.g. display name, department etc.). After that, correlate with the application window event log to show the user belong to which department. Sounds like join function.

Thanks

Best Regards,
Peter

grumo35 · July 2, 2021, 7:29am

Hi,

The best i can think of is using the logonGUID or the UserID to match data across different data sources you could look into Aliases API | Elasticsearch Guide [7.13] | Elastic

Now would you like to show the data through a dashbord or have active correlation query ?

Peter_Ch · July 5, 2021, 4:57am

Hi grumo,

Let say I have a win event log include user name Tom. I have a csv file that include name and department e.g. Tom | Accounting. after I add the log and file to elasticsearch, how can I match boths log source and show the win event log Tom is under Accounting?

Thanks

Best Regards,
Peter

warkolm · July 5, 2021, 6:08am

You would ideally add that data to the event during ingestion.
Alternatively you can run a transform to put data into a user centric index like in How to use transforms to track your most recent customer orders | Elastic Blog

Peter_Ch · July 5, 2021, 7:59am

Dear Mark,

Thanks for your info but i don't need group by. For an example, I want the table can be shown as below. the field user and eventid are come from win event log, the field department is com from a csv file. Thanks

User eventid department
Tom 5053 Accounting

Best Regards,
Peter

system · August 2, 2021, 8:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.