Requirement: MySQL Workbench.

OSSIM object model:

Database Name: alienvault_siem | Table Name: extra_data

OSSIM stores the supplementary fields of every event (username, userdata1 through userdata9, data_payload, and so on) in extra_data, keyed by event_id, so you will need to filter this table to find the events you care about, as shown below:

We will use the query below to query by username:

[shell]SELECT * FROM alienvault_siem.extra_data WHERE username LIKE '%<username>%';[/shell]

Note that MySQL Workbench shows event_id as a BLOB. It is the 16-byte binary UUID (BINARY(16)) that OSSIM uses as the event key, not an encrypted value: wrap it in HEX(event_id) to view it as text, and use the same value to match the row to its event in acid_event.

Userdata3 is the event type.

Userdata4 is the event ID.

Data_Payload holds the raw text of the original event.

Keep in mind that the meaning of the userdata columns depends on the plugin that parsed the event, so check the plugin's field mapping before relying on userdata3 and userdata4 for a different log source.
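The query below is an added example, not one from the original page or from OSSIM itself. It extends the username filter above by rendering event_id readably with HEX(), joining each extra_data row to its event header, and then summarising the hits by event type and ID. It assumes (not stated on the page) that extra_data.event_id matches acid_event.id and that acid_event carries timestamp, plugin_id and plugin_sid.

```sql
-- Added example (not from the original page or from OSSIM).
-- Assumption: alienvault_siem.extra_data.event_id = alienvault_siem.acid_event.id,
-- both BINARY(16), and acid_event has timestamp, plugin_id and plugin_sid.

-- 1. Per-event detail for one username, newest first.
--    HEX() turns the 16-byte binary key into a readable 32-character string.
--    Replace 'jsmith' with the account under investigation.
SELECT
    HEX(e.event_id)  AS event_id_hex,
    a.timestamp,
    a.plugin_id,
    a.plugin_sid,
    e.username,
    e.userdata3      AS event_type,   -- as documented above for this source
    e.userdata4      AS event_id,     -- as documented above for this source
    e.data_payload   AS raw_event
FROM alienvault_siem.extra_data AS e
JOIN alienvault_siem.acid_event AS a
  ON a.id = e.event_id
WHERE e.username LIKE '%jsmith%'
ORDER BY a.timestamp DESC
LIMIT 200;

-- 2. Summary of the same username's activity by event type and event ID,
--    useful for spotting an unusual volume of one event (e.g. failed logons).
SELECT
    e.userdata3        AS event_type,
    e.userdata4        AS event_id,
    COUNT(*)           AS hits,
    MIN(a.timestamp)   AS first_seen,
    MAX(a.timestamp)   AS last_seen
FROM alienvault_siem.extra_data AS e
JOIN alienvault_siem.acid_event AS a
  ON a.id = e.event_id
WHERE e.username LIKE '%jsmith%'
GROUP BY e.userdata3, e.userdata4
ORDER BY hits DESC;
```

A leading wildcard in LIKE cannot use an index, so on a large extra_data table prefer an exact match (WHERE e.username = 'jsmith') or bound the query by a.timestamp. If the username contains % or _, escape it (LIKE '%j\_smith%') or the wildcard will match more than intended.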