Hi Hanif,
I checked with the LEM connectors team and here are the fields we currently normalize for the most common events:
- r-host - Host
- s-operation - operation
- sc-status - status
- rule - Rule
- c-ip - SourceMachine
- r-ip - DestinationMachine
- s-computername - DetectionIP
- s-port - SourcePort
- r-port - DestinationPort
- cs-protocol - Protocol
- cs-uri - URL
- UrlCategory - Category
- cs-userName - SourceAccount
As you can see, "bytes" is not included.
Two things:
- Without the bytes field present, we can only go by the number of accesses to different URLs per user.
- Even if the bytes field were present in the event, there are no reports in LEM that accumulate bytes to create this type of report. It MIGHT be possible to do so with a full version of Crystal Reports (if we were to add the bytes to the event somewhere), but we don't have anything that does this today. LEM reports are strictly based on event counts.
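As an added illustration of what the field mapping above means in practice (this is example code, not part of the post and not SolarWinds LEM or connector code), the script below applies that raw-field-to-normalized-name mapping to a W3C-style proxy log and then counts URL accesses per user, which is the only measure available when no bytes field is present. The log layout, the `#Fields:` header, the field order and every record value are constructed for the example; the names of the LEM mapping are taken verbatim from the list above.

```python
"""Added example (not SolarWinds LEM code): apply the field mapping from the
post to a constructed W3C-style proxy log, then count URL accesses per user."""
from collections import Counter, defaultdict

# Mapping quoted from the post: raw log field -> normalized LEM field name.
FIELD_MAP = {
    "r-host": "Host",
    "s-operation": "operation",
    "sc-status": "status",
    "rule": "Rule",
    "c-ip": "SourceMachine",
    "r-ip": "DestinationMachine",
    "s-computername": "DetectionIP",
    "s-port": "SourcePort",
    "r-port": "DestinationPort",
    "cs-protocol": "Protocol",
    "cs-uri": "URL",
    "UrlCategory": "Category",
    "cs-userName": "SourceAccount",
}

# Constructed sample: a W3C-style "#Fields:" header plus three records.
# Field order, hosts, IPs and accounts are made up; "bytes" is deliberately absent.
SAMPLE_LOG = """#Fields: c-ip cs-userName s-computername r-host r-ip s-port r-port cs-protocol s-operation cs-uri sc-status rule UrlCategory
10.0.0.5 DOMAIN\\alice PROXY01 example.com 93.184.216.34 3128 443 https GET https://example.com/ 200 AllowWeb Business
10.0.0.5 DOMAIN\\alice PROXY01 example.com 93.184.216.34 3128 443 https GET https://example.com/ 200 AllowWeb Business
10.0.0.7 DOMAIN\\bob PROXY01 example.net 93.184.216.35 3128 443 https GET https://example.net/ 403 BlockStreaming Streaming
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the normalized LEM field names.

    Raw fields with no mapping are kept under their raw name so nothing is lost.
    Records whose column count does not match the header are skipped rather
    than misaligned.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record
        yield {FIELD_MAP.get(f, f): v for f, v in zip(fields, values)}


def accesses_per_user(text):
    """Count (SourceAccount, URL) pairs: the only measure available without bytes."""
    counts = defaultdict(Counter)
    for rec in parse_w3c(text):
        counts[rec["SourceAccount"]][rec["URL"]] += 1
    return {user: dict(urls) for user, urls in counts.items()}


if __name__ == "__main__":
    for user, urls in accesses_per_user(SAMPLE_LOG).items():
        print(user, urls)
```

Because the mapping is a plain dictionary, adding a "bytes" column later would only require one more entry here; the per-user count, however, would still not sum transferred bytes, which matches the point in the post that LEM reports are based on event counts.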