
Custom Plugin to associate users with assets - idm_data

laitha0 (Entry Level)
Hello,

I wrote a PowerShell script to query each server for Administrators. The script syslogs the information back to the AlienVault, where this plugin picks it up. The plugin is parsing the data correctly, but it is not doing what I was trying to do initially. I am trying to populate the "Users" property under each asset; from what I understood, this information is stored in idm_data, but the plugin is not populating it... instead everything just goes into the acid_event table.

Here is the plugin. I have tried many keywords and username+domain formats, but none of them is working.

Thanks in advance


# Plugin cus-server-audit id:9003 version: 0.0.1
# Last modification: 2014-08-04 11:00
#

[DEFAULT]
plugin_id=9003

[config]
type=detector
enable=yes

source=log
location=/var/log/ossim/cus-server-audit.log
create_file=false

process=
start=no
stop=no
startup=
shutdown=

[Server Audit]
regexp="(?P<Date>^\D{1,3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2})\s+(?P<AuditorIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\sPowerShell_ISE.exe:\sServer\sAudit\s\[(?P<LogLevel>\w+\s*)\]\sServerName:\s+(?P<HostName>\w+)\s+ServerIP:\s+(?P<HostIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+Domain:\s+(?P<Domain>\D+\.*)\s+UserName:\s+(?P<UserName>\w+\.*\w+)\s+UPN:\s+(?P<UPN>(.)*@(.)*)"
event_type=idm-event
plugin_sid=1
date={normalize_date($Date)}
ip={resolve($HostIP)}
username=$CONCAT($UserName,|,$Domain)
userdata1={$AuditorIP}
userdata2={$LogLevel}
userdata3={$HostName}
userdata4={$HostIP}
userdata5={$Domain}
userdata6={$UserName}
userdata7={$UPN}
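An added example (not part of the poster's plugin or the OSSIM agent) that checks the plugin's regexp offline with Python's re module, the same engine the agent uses, against a constructed syslog line and maps the captured groups onto the plugin's idm-event keys. The group names (Date, AuditorIP, LogLevel, HostName, HostIP, Domain, UserName, UPN) are assumed from the $Variables the plugin references, and the sample lines are constructed, not real data.

```python
import re

# Same pattern as the plugin's regexp line, with the named groups the plugin's
# $Variables imply (assumed reconstruction, since the post lost the <Name> parts).
SERVER_AUDIT_RE = re.compile(
    r"(?P<Date>^\D{1,3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2})\s+"
    r"(?P<AuditorIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s"
    r"PowerShell_ISE.exe:\sServer\sAudit\s\[(?P<LogLevel>\w+\s*)\]\s"
    r"ServerName:\s+(?P<HostName>\w+)\s+"
    r"ServerIP:\s+(?P<HostIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+"
    r"Domain:\s+(?P<Domain>\D+\.*)\s+"
    r"UserName:\s+(?P<UserName>\w+\.*\w+)\s+"
    r"UPN:\s+(?P<UPN>(.)*@(.)*)"
)

# Constructed sample lines in the format the PowerShell script is described as sending.
SAMPLE_OK = ("Aug  4 11:00:01 10.0.0.5 PowerShell_ISE.exe: Server Audit [Info] "
             "ServerName: SRV01 ServerIP: 10.0.0.20 Domain: example.local "
             "UserName: jdoe UPN: jdoe@example.local")
# A domain containing a digit: the plugin's \D+ for Domain cannot match this line.
SAMPLE_DIGIT_DOMAIN = SAMPLE_OK.replace("example.local", "corp1.local")


def parse_server_audit(line):
    """Return the named groups the agent would capture, or None on no match."""
    m = SERVER_AUDIT_RE.match(line)
    return m.groupdict() if m else None


def to_idm_fields(groups):
    """Mirror the plugin's key assignments (username, ip, userdata1..7).

    The real agent runs resolve() on $HostIP and normalize_date() on $Date;
    here the raw captures are passed through so the mapping stays visible.
    """
    return {
        "username": f"{groups['UserName']}|{groups['Domain']}",  # $CONCAT($UserName,|,$Domain)
        "ip": groups["HostIP"],
        "userdata1": groups["AuditorIP"],
        "userdata2": groups["LogLevel"],
        "userdata3": groups["HostName"],
        "userdata4": groups["HostIP"],
        "userdata5": groups["Domain"],
        "userdata6": groups["UserName"],
        "userdata7": groups["UPN"],
    }


if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_DIGIT_DOMAIN):
        groups = parse_server_audit(line)
        print(to_idm_fields(groups) if groups else f"NO MATCH: {line}")
```

Lines whose Domain value contains a digit are silently dropped by the plugin's `\D+`, which is worth knowing before concluding that idm_data is not being written for a given host.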

