Requirement: MySQL Workbench.
OSSIM object model:
Database Name: alienvault_siem | Table Name: extra_data
OSSIM stores the per-event detail fields (username, userdata columns, raw payload) in extra_data, so you filter the events of interest out of this table as shown below:
We will use the query below to query by username:
[shell]SELECT * FROM alienvault_siem.extra_data WHERE username LIKE '%<username>%';[/shell]
Note that event_id is a BINARY column (Workbench shows it as a BLOB); it is OSSIM's internal identifier for the event and is not human-readable as stored, so it is not useful on its own for filtering. It is not encrypted, just binary.
Userdata3 is the event type.
Userdata4 is the event id.
Data_Payload tells us the actual event.
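The same username search, written out as an added example (not a query from the original page) that returns only the columns described above, renders the binary event_id as hex with MySQL's built-in HEX() so Workbench displays it, and escapes LIKE wildcards in the search term. The column names (username, event_id, userdata3, userdata4, data_payload) are taken from the page; the value 'jsmith' is a constructed placeholder.

```sql
-- Search term (constructed placeholder). Setting it once in a session
-- variable keeps the value out of the query text, so a username that
-- contains quotes cannot break the statement when you paste it in.
SET @u := 'jsmith';

-- '%' and '_' are LIKE wildcards; escape them (and the escape char itself)
-- so a search for 'a_b' does not also match 'axb'. Backslash is MySQL's
-- default LIKE escape character.
SET @pat := CONCAT('%',
                   REPLACE(REPLACE(REPLACE(@u, '\\', '\\\\'),
                                   '%', '\\%'),
                           '_', '\\_'),
                   '%');

-- Events for the user: hex-rendered binary id, event type, event id, raw event.
SELECT HEX(event_id)  AS ossim_event_id,
       userdata3      AS event_type,
       userdata4      AS event_id,
       data_payload   AS raw_event
FROM   alienvault_siem.extra_data
WHERE  username LIKE @pat
LIMIT  200;

-- Quick triage view: how many of each event type / event id the user produced.
SELECT userdata3 AS event_type,
       userdata4 AS event_id,
       COUNT(*)  AS hits
FROM   alienvault_siem.extra_data
WHERE  username LIKE @pat
GROUP  BY userdata3, userdata4
ORDER  BY hits DESC;
```

A leading '%' wildcard prevents MySQL from using an index on username, so on a large extra_data table prefer an exact match (WHERE username = @u) once you know the stored form of the name; the LIKE form is for discovery when you are unsure how the data source spells the account.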