Accurately Associate Assets and Users to Security Events

Aura accurately associates assets and users to your security events over time.

Security teams spend a huge amount of time during investigations trying to figure out the users and assets associated with their security events. With Aura, we can perform this investigation in just seconds, thanks to Aura’s built-in asset activity history.

The Forensic Activity Search view in Aura lets us investigate any IP, User or Host over a specific time frame and see all the associated log events, whether or not they contain a hostname or user.

Associating Assets with Firewall Events

In this example, we know from our firewall logs there was an incident on Friday between 2-3pm and that a particular IP address was associated with that incident but we have no idea about the users or assets associated with those events, as the firewall logs only contain an IP address.

We enter in a time range for Friday between 12pm and 5pm, select our cisco:asa firewall sourcetype, and the IP address we are investigating ( Aura will now go through all the Cisco firewall events during the selected time frame and accurately match up the asset and identity associated with each event at the exact time of the event.

In the top table we see a chart mapping the Cisco firewall event for this IP over the selected time range. In the bottom table we see the Cisco events grouped by our selected 5 min time span and note that Aura has associated the host and user for each time span. We can select the more exact incident time-frame of 2-3pm and see the user at this time is dwalter. 

Associating Assets with Firewall Events

We can click on one of these rows to get more detail. The pop-up modal shows the raw cisco firewall events, which only contain IP address, but under each event we see details about the associated user and assets. So here we can see the asset is a Windows 10 workstation machine used by user dwalter. 

raw cisco firewall events

Associating Users with Any Event

Now we know the user associated with our firewall events, we can modify our search criteria to search across all our events looking for any other activity for this particular user, during the same time frame. 

Associating Users with Any Event

The results now show some Bluecoat proxy activity as well as the Cisco firewall activity. If we click on a bluecoat row in our results table we can see the raw bluecoat events, which also only contain IP and indicate some external fire sharing to DropBox. 

raw bluecoat events

Aura has again associated or matched the user and asset and other asset details with each event.

As we can see, Aura makes accurately associating assets and users to your security events over any time frame simple, and helps to greatly reduce time and effort during your security investigations and incidents.

Aura Asset Intelligence runs on Splunk. If you would like to find out more or to get a demo or free trial, please contact us us today.