Understanding Session Correlation
You can leverage ArcSight-provided resources (pre-defined Session Lists and Rules) or develop customized session lists to use for identity correlation, as described here.
How session correlation works:
Session correlation captures and records session-related data in a user-defined list, where it can be used by ESM's correlation engine to:
- Resolve event endpoints against DHCP sessions to identify which device was located at the reported IP address at the time of the event.
- Use existing maps that link MAC addresses or host names to users, if available.
- Attribute actions originating from a specific device to its owner.
- Extract and resolve user information from VPN logins, including the VPN user name and session characteristics.
- Track who accesses a given network node at a given time, so that events originating from that device can be traced to the users who were logged in at the time.
Session correlation is a three-step process that involves three or more ESM resources.
You define a session list, then create a rule to populate it. The results written to the session list can be used anywhere variables are used, such as to trigger other rules, or to populate active channels, dashboards, and reports.
The high-level steps are:
- Create a session list (as described in Creating or Editing a Session List).
- Create a rule to populate the session list (as described in Creating a Session List Rule).
- Use the session list output wherever needed (as described in Using the Session List Output).
See also Example: Using Session Lists to Correlate Session Data on User Logins for a walkthrough of creating and populating a session list with Windows session information.
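The three steps above, worked through as an added, stand-alone illustration (not ArcSight code): a time-bounded session list keyed by IP, the "rule" that populates it from DHCP lease and VPN login/logoff events (using an assumed MAC-to-owner map for DHCP leases), and the lookup that attributes any later event to the user who held the address at event time. The event layout and the MAC map are constructed for the example.

```python
from datetime import datetime

# Constructed MAC-to-owner map standing in for an existing device/user map (assumption).
MAC_OWNERS = {"aa:bb:cc:00:00:01": "alice", "aa:bb:cc:00:00:02": "carol"}

class SessionList:
    """Session list keyed by IP; each entry is {user, start, end}, end=None while open."""
    def __init__(self):
        self._by_ip = {}
    def open(self, ip, user, at):
        # Rule action "add": close any open session on this IP first, so two
        # identities can never overlap on one address.
        self.close(ip, at)
        self._by_ip.setdefault(ip, []).append({"user": user, "start": at, "end": None})
    def close(self, ip, at):
        # Rule action "terminate" (VPN logoff, DHCP release or lease expiry).
        for s in self._by_ip.get(ip, []):
            if s["end"] is None:
                s["end"] = at
    def resolve(self, ip, at):
        # The user holding ip at time 'at', or None if nobody is known to hold it.
        for s in self._by_ip.get(ip, []):
            if s["start"] <= at and (s["end"] is None or at < s["end"]):
                return s["user"]
        return None

def correlate(events):
    """Populate the list from session events; attribute every other event to a user."""
    sl, attributed = SessionList(), []
    for e in sorted(events, key=lambda e: e["time"]):   # time order matters
        if e["type"] == "dhcp_lease":                   # device -> owner via MAC map
            sl.open(e["ip"], MAC_OWNERS.get(e["mac"], "unknown-device"), e["time"])
        elif e["type"] == "vpn_login":                  # user name is in the event
            sl.open(e["ip"], e["user"], e["time"])
        elif e["type"] == "vpn_logoff":
            sl.close(e["ip"], e["time"])
        else:                                           # anything else: look it up
            attributed.append((e["name"], sl.resolve(e["ip"], e["time"])))
    return attributed

def sample_events():  # constructed sample data, not real DHCP/VPN logs
    t = lambda h, m: datetime(2024, 1, 1, h, m)
    return [{"type": "dhcp_lease", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "time": t(9, 0)},
            {"type": "vpn_login", "ip": "10.0.0.7", "user": "bob", "time": t(9, 5)},
            {"type": "event", "name": "failed_sudo", "ip": "10.0.0.5", "time": t(9, 30)},
            {"type": "vpn_logoff", "ip": "10.0.0.7", "time": t(10, 0)},
            {"type": "event", "name": "config_change", "ip": "10.0.0.7", "time": t(10, 30)},
            {"type": "dhcp_lease", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:02", "time": t(11, 0)},
            {"type": "event", "name": "bulk_download", "ip": "10.0.0.5", "time": t(11, 15)}]
```

Note that the event after bob's VPN logoff resolves to no user: a session list only answers for the window it recorded, so a gap in login/logoff coverage shows up as an unattributed event rather than a wrong name.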