You need to know who is generating the events on your network before you can begin to do user behavior analysis or detect anomalous activity. By “who”, I mean both the user account and the computer or device.
But this is by no means easy, because so many of the logs we deal with are collected at the network level and carry nothing more than IP addresses. When you see an internal IP address, you need to know whether it belongs to a printer, a network device, an appliance, a server, a workstation or something else. If it’s a server: what kind of server, what OS, and what workload and applications it runs. If it’s a workstation: whose workstation? What department are they in? Job title? Manager? And of course IP addresses aren’t static, especially for workstations on DHCP, so the answer depends on when the event happened, not on who holds the address today.
In this webinar, we will look at how to correlate lease logs from your DHCP server, logs and records from your DNS servers, and LDAP identity information from Active Directory to answer these questions.
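The correlation sketched above, as an added example that is not part of the webinar or its materials: a DHCP audit log is replayed to find who held an address at the moment of the event, static addresses fall back to reverse DNS, and the resulting host name is joined to LDAP data for OS, owner, department, title and manager. The log lines, PTR records and directory objects are constructed; the column order and event IDs follow the Windows DHCP server audit log, while using the computer object’s managedBy attribute to record a workstation’s primary user is an assumed site convention, not something Active Directory fills in on its own.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed DHCP audit-log excerpt in the Windows DHCP server column order
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address). Event IDs
# 10 (new lease), 11 (renew), 12 (release), 16 (deleted), 17 (expired) are the
# documented Windows values; hosts, addresses, MACs and times are made up.
DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/15/24,08:02:11,Assign,10.1.5.23,WS-ALICE.corp.example,00AABBCC0101
11,01/15/24,12:02:11,Renew,10.1.5.23,WS-ALICE.corp.example,00AABBCC0101
12,01/15/24,17:30:00,Release,10.1.5.23,WS-ALICE.corp.example,00AABBCC0101
10,01/15/24,17:45:09,Assign,10.1.5.23,WS-BOB.corp.example,00AABBCC0202
"""

# Constructed PTR records from the reverse zone: static addresses (servers,
# printers) that never appear in the DHCP log.
DNS_PTR: Dict[str, str] = {
    "10.1.0.10": "dc01.corp.example",
    "10.1.0.50": "prn-3f-01.corp.example",
}

# Constructed LDAP results. managedBy as "primary user" is an assumed convention.
AD_COMPUTERS = {
    "WS-ALICE": {"operatingSystem": "Windows 11 Enterprise",
                 "managedBy": "CN=Alice Liddell,OU=Users,DC=corp,DC=example"},
    "WS-BOB": {"operatingSystem": "Windows 11 Enterprise",
               "managedBy": "CN=Bob Ross,OU=Users,DC=corp,DC=example"},
    "DC01": {"operatingSystem": "Windows Server 2022", "managedBy": None},
}
AD_USERS = {
    "CN=Alice Liddell,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "alice", "department": "Finance", "title": "Accountant",
        "manager": "CN=Carol Danvers,OU=Users,DC=corp,DC=example"},
    "CN=Bob Ross,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "bob", "department": "Marketing", "title": "Designer",
        "manager": "CN=Carol Danvers,OU=Users,DC=corp,DC=example"},
    "CN=Carol Danvers,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "carol", "department": "Executive", "title": "CFO",
        "manager": None},
}

LeaseEvent = Tuple[datetime, int, str, str, str]  # (time, event id, ip, host, mac)


def parse_dhcp_log(text: str) -> List[LeaseEvent]:
    """Parse audit-log rows in time order; skips the header and non-event lines."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        events.append((ts, int(row[0]), row[4], row[5].lower(), row[6].lower()))
    return sorted(events)


def lease_at(events: List[LeaseEvent], ip: str, when: datetime) -> Optional[Tuple[str, str]]:
    """Who held `ip` at `when`: replay assign/renew/release up to that instant.
    Today's lease table says nothing about who had the address last week."""
    holder = None
    for ts, event_id, lease_ip, host, mac in events:
        if ts > when:
            break
        if lease_ip != ip:
            continue
        if event_id in (10, 11):        # new lease, renew
            holder = (host, mac)
        elif event_id in (12, 16, 17):  # release, deleted, expired
            holder = None
    return holder


def attribute(ip: str, when, events: List[LeaseEvent]) -> dict:
    """Turn an IP seen at `when` (datetime or ISO string) into host and user context."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    result = {"ip": ip, "host": None, "source": None, "mac": None, "os": None,
              "user": None, "department": None, "title": None, "manager": None}
    lease = lease_at(events, ip, when)
    if lease:
        result["host"], result["mac"], result["source"] = lease[0], lease[1], "dhcp"
    elif ip in DNS_PTR:
        result["host"], result["source"] = DNS_PTR[ip], "dns"
    else:
        return result  # no evidence for this address at this time: flag, don't guess
    comp = AD_COMPUTERS.get(result["host"].split(".")[0].upper())
    if not comp:
        return result  # name resolves but is not domain-joined (printer, appliance)
    result["os"] = comp["operatingSystem"]
    user = AD_USERS.get(comp.get("managedBy") or "")
    if user:
        result["user"], result["department"], result["title"] = (
            user["sAMAccountName"], user["department"], user["title"])
        mgr = AD_USERS.get(user["manager"] or "")
        result["manager"] = mgr["sAMAccountName"] if mgr else None
    return result


if __name__ == "__main__":
    ev = parse_dhcp_log(DHCP_LOG)
    for t in ("2024-01-15T13:00:00", "2024-01-15T17:35:00", "2024-01-15T18:00:00"):
        print(t, attribute("10.1.5.23", t, ev))
```

The same address resolves to alice at 13:00, to nobody in the gap between her release and the next assignment, and to bob at 18:00; a lookup that ignores the event timestamp would pin all three on bob. Anything the DHCP log and reverse zone both fail to explain is returned unattributed on purpose, since an unknown internal address is itself worth an alert.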