We have a deployment consisting of 1 USM all-in-one in Datacenter A and a sensor in Datacenter B. As a result, we have 2 entities set up and each server/sensor receives the logs from their local systems respectively.
Our problem is that the systems on the datacenters often talk to each other (naturally) and when observing SIEM events... the source and destinations are only pulling the asset HOSTNAME from each entity and leaving the other unresolved (IP:port only).
In this screenshot you can see that in the SOURCE it shows IP:PORT instead of hostnames (in yellow) even though each and every one of those is entered in our ASSET database. If I reverse the query to the other entity... I will see the opposite... hostnames where you see IPs and vice versa.
After a lengthy AlienVault support ticket, they said this is by design. I honestly believe it would be more useful if the SIEM could populate source and destination fields using the ASSET data that we entered and discovered. I understand that there are two different entities that serve a purpose, but preventing the SIEM from presenting the detailed information shouldn't be one of them, on the contrary.
I hope the AV dev team agrees with me and can work on adding this feature.