
Asset visibility in SIEM EVENTS tab when on multi-entity infrastructure

KyleKat
We have a deployment consisting of 1 USM all-in-one in Datacenter A and a sensor in Datacenter B. As a result, we have 2 entities set up and each server/sensor receives the logs from their local systems respectively.

[Screenshot: assetvis2]
Our problem is that the systems on the datacenters often talk to each other (naturally), and when observing SIEM events the source and destination fields only pull the asset HOSTNAME from each entity and leave the other unresolved (IP:port only).

[Screenshot: Assetvis1]

On this screenshot you can see that in the SOURCE it shows IP:PORT instead of hostnames (in yellow), even though each and every one of those is entered in our ASSET database. If I reverse the query to the other entity, I will see the opposite: hostnames where you see IPs and vice versa.

After a lengthy AlienVault support ticket, they said this is by design. I honestly believe it would be more useful if the SIEM could populate source and destination fields using the ASSET data that we entered and discovered. I understand that there are two different entities that serve a purpose, but preventing the SIEM from presenting the detailed information shouldn't be one of them, on the contrary.

I hope the AV dev team agrees with me and can work on adding this feature.
