nastroenie51 Absent Member.

Override Parser WINC


Hi,

We have a problem getting more information (the changed user settings) out of 4738 events.

Raw Event:

{
  "System": {
    "EventId": "4738",
    "Version": "0",
    "Channel": "Security",
    "ProviderName": "Microsoft-Windows-Security-Auditing",
    "Computer": "XXXXXXXXXXXXX",
    "EventRecordID": "2008672290",
    "Keywords": "Audit Success",
    "Level": "Information",
    "Opcode": "Info",
    "Task": "User Account Management",
    "ProcessID": "560",
    "ThreadID": "4168",
    "TimeCreated": "1473235959180",
    "UserId": ""
  },
  "EventData": {
    "Dummy": "-",
    "TargetUserName": "XXX",
    "TargetDomainName": "XXXXX",
    "TargetSid": "XXXXX",
    "SubjectUserSid": "XXXX",
    "SubjectUserName": "Suvorov_adm",
    "SubjectDomainName": "XXXX",
    "SubjectLogonId": "0x7989eab9",
    "PrivilegeList": "-",
    "SamAccountName": "-",
    "DisplayName": "-",
    "UserPrincipalName": "-",
    "HomeDirectory": "-",
    "HomePath": "-",
    "ScriptPath": "-",
    "ProfilePath": "-",
    "UserWorkstations": "-",
    "PasswordLastSet": "07.09.2016 11:12:39",
    "AccountExpires": "-",
    "PrimaryGroupId": "-",
    "AllowedToDelegateTo": "-",
    "OldUacValue": "-",
    "NewUacValue": "-",
    "UserAccountControl": "-",
    "UserParameters": "-",
    "SidHistory": "-",
    "LogonHours": "-"
  }
}

We tried to use a conditionalmap override:

conditionalmap[0].mappings[84].event.flexString1=SamAccountName
conditionalmap[0].mappings[84].event.flexString2=DisplayName
conditionalmap[0].mappings[84].event.deviceCustomString1=UserPrincipalName
conditionalmap[0].mappings[84].event.deviceCustomString2=HomeDirectory
conditionalmap[0].mappings[84].event.deviceCustomString3=HomePath
conditionalmap[0].mappings[84].event.deviceCustomString4=ScriptPath
conditionalmap[0].mappings[84].event.deviceCustomString5=ProfilePath
conditionalmap[0].mappings[84].event.deviceCustomString6=PasswordLastSet

conditionalmap[0].mappings[90].event.flexString1=SamAccountName
conditionalmap[0].mappings[90].event.flexString2=DisplayName
conditionalmap[0].mappings[90].event.deviceCustomString1=UserPrincipalName
conditionalmap[0].mappings[90].event.deviceCustomString2=HomeDirectory
conditionalmap[0].mappings[90].event.deviceCustomString3=HomePath
conditionalmap[0].mappings[90].event.deviceCustomString4=ScriptPath
conditionalmap[0].mappings[90].event.deviceCustomString5=ProfilePath
conditionalmap[0].mappings[90].event.deviceCustomString6=PasswordLastSet

We also tried to use a JSON parser named microsoft_windows_security_auditing.eventdata.jsonparser.properties, but the connector does not see it:

event.deviceVendor=__getVendor("Microsoft")

trigger.node.location=/EventData

token.count=3

token[0].name=mSamAccountName
token[0].location=SamAccountName
token[0].type=String

token[1].name=mDisplayName
token[1].location=DisplayName
token[1].type=String

token[2].name=mUserPrincipalName
token[2].location=UserPrincipalName
token[2].type=String

event.flexString1=mSamAccountName
event.flexString2=mDisplayName
# UserPrincipalName is a String token; it belongs in a string field, not deviceCustomNumber1
event.deviceCustomString1=mUserPrincipalName

Does anyone have any ideas about this?

Accepted Solution
mschleich Acclaimed Contributor.

Re: Override Parser WINC


Hi Alexander,

It is easier than that.

Compared to WUC, WiNC parses all fields; they are just not all visible by default.

You just have to write this:

(If I am not mistaken, you have to replace [92] (Windows Server 2012R2) with [90] if you collect events from Windows Server 2008R2.)

#conditionalmap[0].mappings[92].event.flexString1=SamAccountName
#conditionalmap[0].mappings[92].event.flexString2=DisplayName
#conditionalmap[0].mappings[92].event.deviceCustomString1=UserPrincipalName
#conditionalmap[0].mappings[92].event.deviceCustomString2=HomeDirectory
#conditionalmap[0].mappings[92].event.deviceCustomString3=HomePath
#conditionalmap[0].mappings[92].event.deviceCustomString4=ScriptPath
#conditionalmap[0].mappings[92].event.deviceCustomString5=ProfilePath
#conditionalmap[0].mappings[92].event.deviceCustomString6=PasswordLastSet

into this file:

microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties

located here (create it if necessary):

$ARCSIGHT_HOME\current\user\agent\fcp\winc\security\

If you have any questions, do not hesitate to ask me.

Thanks

Regards

Michael

9 Replies
mschleich Acclaimed Contributor.

Re: Override Parser WINC


Hi Alexander,

I forgot: you have to replace deviceCustomString2 with another field, because it is already used by this event ID 4738.

There is the following information inside that field: "

PS: Do not forget that most of the time you will find "-" in these newly populated ArcSight fields, because these attributes are only visible when they have changed!

Thanks

Regards

Michael

mschleich Acclaimed Contributor.

Re: Override Parser WINC


Hi Alexander,

Last point: I would use the following line to get the last attribute:

conditionalmap[0].mappings[92].event.deviceCustomDate1=PasswordLastSet

It will be easier to use in a rule if this field is recognised as a timestamp. If it does not work like that, you have to use the Flex timestamp functions, but try first without them.

PS: I forgot to remove the "#" character in front of the lines to write in the parser override.

Thanks

Regards

Michael

mschleich Acclaimed Contributor.
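To see what the override in the accepted solution actually yields for the event posted in the question, here is an added, offline model of it in Python. It is example code written for this thread, not ArcSight's own parser: it reads the raw 4738 event from the question, applies the key=value mapping that the sdkkeyvaluefilereader override expresses (with the "#" removed, as Michael's follow-up notes), maps PasswordLastSet to deviceCustomDate1 as a real timestamp, and drops attributes the event reports as "-", which WiNC emits for attributes that did not change. The mapping index (90 for 2008R2, 92 for 2012R2) is taken from the thread; moving HomeDirectory from deviceCustomString2 (already used by 4738) to filePath, and reading PasswordLastSet as day-first local time, are assumptions of this example.

```python
"""
Offline model of the WiNC parser override discussed in this thread.
Example code written for the thread, not ArcSight's own parser.
"""
import json
from datetime import datetime

# Constructed copy of the raw event posted in the question
# (identifying values were already masked with XXXX there).
RAW_EVENT = r'''{"System":{"EventId":"4738","Version":"0","Channel":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Computer":"XXXXXXXXXXXXX","EventRecordID":"2008672290","Keywords":"Audit Success","Level":"Information","Opcode":"Info","Task":"User Account Management","ProcessID":"560","ThreadID":"4168","TimeCreated":"1473235959180","UserId":""},"EventData":{"Dummy":"-","TargetUserName":"XXX","TargetDomainName":"XXXXX","TargetSid":"XXXXX","SubjectUserSid":"XXXX","SubjectUserName":"Suvorov_adm","SubjectDomainName":"XXXX","SubjectLogonId":"0x7989eab9","PrivilegeList":"-","SamAccountName":"-","DisplayName":"-","UserPrincipalName":"-","HomeDirectory":"-","HomePath":"-","ScriptPath":"-","ProfilePath":"-","UserWorkstations":"-","PasswordLastSet":"07.09.2016 11:12:39","AccountExpires":"-","PrimaryGroupId":"-","AllowedToDelegateTo":"-","OldUacValue":"-","NewUacValue":"-","UserAccountControl":"-","UserParameters":"-","SidHistory":"-","LogonHours":"-"}}'''

# Override text in the shape of
# microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties:
# leading "#" removed, PasswordLastSet mapped to deviceCustomDate1 as
# suggested in the thread, and HomeDirectory moved off deviceCustomString2
# (already used by 4738). Using filePath for it is an assumption.
OVERRIDE = """\
conditionalmap[0].mappings[92].event.flexString1=SamAccountName
conditionalmap[0].mappings[92].event.flexString2=DisplayName
conditionalmap[0].mappings[92].event.deviceCustomString1=UserPrincipalName
conditionalmap[0].mappings[92].event.filePath=HomeDirectory
conditionalmap[0].mappings[92].event.deviceCustomString3=HomePath
conditionalmap[0].mappings[92].event.deviceCustomString4=ScriptPath
conditionalmap[0].mappings[92].event.deviceCustomString5=ProfilePath
conditionalmap[0].mappings[92].event.deviceCustomDate1=PasswordLastSet
"""

# Mapping index per Windows Server generation, as stated in the thread.
MAPPING_INDEX = {"2008R2": 90, "2012R2": 92}


def parse_override(text, index):
    """Return {arcsight_field: EventData key} for conditionalmap[0].mappings[index]."""
    prefix = f"conditionalmap[0].mappings[{index}].event."
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line does nothing, hence the "#" remark
        key, sep, value = line.partition("=")
        if sep and key.startswith(prefix):
            mapping[key[len(prefix):]] = value
    return mapping


def parse_password_last_set(value):
    """PasswordLastSet as the event shows it: dd.MM.yyyy HH:mm:ss.
    Assumed day-first and local time with no zone, as in the raw event."""
    return datetime.strptime(value, "%d.%m.%Y %H:%M:%S")


def apply_override(raw_json, mapping):
    """Populate ArcSight fields from EventData.
    "-" means the attribute was not changed by this 4738 and is dropped."""
    data = json.loads(raw_json)["EventData"]
    out = {}
    for field, source in mapping.items():
        value = data.get(source, "-")
        if value == "-":
            continue
        if field.startswith("deviceCustomDate"):
            value = parse_password_last_set(value)
        out[field] = value
    return out


def changed_attributes(raw_json, mapping):
    """Names of the account attributes this 4738 event says were changed."""
    return sorted(mapping[field] for field in apply_override(raw_json, mapping))


if __name__ == "__main__":
    mapping = parse_override(OVERRIDE, MAPPING_INDEX["2012R2"])
    print(apply_override(RAW_EVENT, mapping))
    # Wrong server generation: no line matches, so nothing is populated.
    print(parse_override(OVERRIDE, MAPPING_INDEX["2008R2"]))
```

Running it shows that for this particular event only deviceCustomDate1 ends up populated, which is exactly the "you will mostly see -" caveat: 4738 carries every attribute key, but only the changed ones carry a value. The second print shows why the [90] vs [92] index matters: with the wrong index the override matches nothing and the fields stay silently empty.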

Re: Override Parser WINC


Hi Alexander,

Is it working with the information provided in my comment above?

Thanks

Regards

Michael

nastroenie51 Absent Member.

Re: Override Parser WINC


Hi Michael,

Thank you for the recommendation. It works.

Regards,

Alexander

andrew.dalbor Outstanding Contributor.

Re: Override Parser WINC


Hey Michael,

Thanks for providing that information. I have been looking for this for quite a while. It also worked for me. One quick question though: the custom fields don't have a label. Is there a way to apply the label from the map file?

Thanks,

Andrew

mschleich Acclaimed Contributor.

Re: Override Parser WINC


Hi Andrew,

It depends on which map files you are talking about; do not forget there are 3 types.

For custom map files like map.0.properties, map.1.properties, etc.:

=> Only when they are parsed and properly assigned to an ArcSight field, because in the map file you may only use ArcSight fields or real data.

For map files (Additional Data Names):

=> You could do it, but the information also needs to be parsed by the connector, and these Windows fields were not parsed by default.

!!! Do not forget that for WiNC this feature does not work; it only works for WUC and other connector types. !!!

I hope I have answered your question.

Thanks

Kind Regards

Michael

andrew.dalbor Outstanding Contributor.

Re: Override Parser WINC


I was specifically referring to the map file above. I was hoping to be able to apply a label to the custom fields using the __stringConstant function.

Thanks!

mschleich Acclaimed Contributor.

Re: Override Parser WINC


Hi Andrew,

Yes, for sure, you can do that, but in the properties file you have already updated: microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties.

You just have to add a line with what you want to do.

Try it and tell me if it is working, but in my opinion it should work.

PS: Do not forget to remove the last line that checks the parser, #prop.sign..., before or after restarting the connector.

Thanks

Kind Regards

Michael
