Unable to use "username" in Multi-Threading
I'm trying to set a correlation based on "C_Username" variable at the multi-threading menu.
I can't find this specific variable nor the "username" variable in the multi-threading feature.
Has anyone faced this issue before?
To use a variable as a thread key, all messages chosen in all statements must have this variable defined. To be sure that the variable is present, you may use an additional condition in each statement and specify which variables are of interest to you.
I am using a single messageid for a single device type.
It used to show up, until upgrading to version 4.0 SP2.
I think someone from RSA told me before that they had some kind of a change in the Multithreading system...
Does it show you any variables other than the default for multi-threading?
Also, can you provide more information? What device type? Which MessageID? Are you using device group or device class?
For example, when trying to set up a correlation with:
on Windows devices, looking for event IDs:
I can see an error in the multi-threading which says that field "c_user_name" doesn't exist.
When trying to select a variable, I don't have the most obvious fields: "username" and "c_user_name".
I cannot create this correlation... which is supposed to look for massive "password reset" in the AD.
Since you are using Security_628_Security and Security_628_Security:01 events you cannot multithread on username or c_username as both the events don't have these variables. Only Security_628_Security event has these. Since the key for multithreading is that all the selected events must have the variables in common it is not showing the username variables. It's allowing you to pick event_log and data variables because both the events have these in common. Hope I was able to help you.
Hello, sorry to take over the thread.
If we have two statements and the variable username is not present on the second and we choose to multithread on the first, won't it work anyway?
This can only be done by specifying the multi-threading key by manually editing the XML.