Mikado90

Parser Override for event 4673 - WinC


Hello,

I'm facing some issues getting more information from event 4673, particularly the highlighted part.

Could someone please advise which mapping numbers would be for this?

Thank you.

{"System":{"EventId":"4673","Version":"0","Channel":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Computer":"ABC","EventRecordID":"53734268","Keywords":"Audit Success","Level":"Log Always","Opcode":"Info","Task":"Sensitive Privilege Use","ProcessID":"624","ThreadID":"632","TimeCreated":"1573060907081","UserId":""},"EventData":{"SubjectUserSid":"NT AUTHORITY\\\\SYSTEM","SubjectUserName":"ABC$","SubjectDomainName":"XYZ","SubjectLogonId":"0x3e7","ObjectServer":"NT Local Security Authority / Authentication Service","Service":"LsaRegisterLogonProcess()","PrivilegeList":"SeTcbPrivilege","ProcessId":"0x270","ProcessName":"C:\\Windows\\System32\\lsass.exe"}}

Accepted Solutions
mschleich
Re: Parser Override for event 4673 - WinC

Dear Mikado90,

The answer will depend on the OS version you are using, but you just have to create a small parser override .properties file to be placed in $ARCSIGHT_HOME/current/user/agent/fcp/winc/security/

File name: microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties

With the following info (42 is used for OS version 2012R2, 41 is used for OS version 2008R2):

conditionalmap[0].mappings[42].event.<mapping6>=Service
conditionalmap[0].mappings[42].event.<mapping7>=PrivilegeList
conditionalmap[0].mappings[42].event.<mapping9>=ProcessName

You replace <mapping6> with an ArcSight field of the same format type that is not already used.
For example, you could choose destinationServiceName, like this:

conditionalmap[0].mappings[42].event.destinationServiceName=Service

Then, you have to restart the SmartConnector Windows Service (WiNC).

If your environment is neither 2008R2 nor 2012R2, then I advise you to ask ArcSight Support for the decoded version of the connector parser, or directly ask them which mapping number it is for Event ID 4673.

I advise you to try this, because it does not change often, only if new useful event IDs are parsed for the first time.

If you follow the config above, it should work perfectly, as I use this solution for a lot of different Event IDs.
If you meet any issue or need more info, do not hesitate to contact me.

Thanks
Kind Regards

Michael Schleich

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.

14 Replies
Mikado90
Re: Parser Override for event 4673 - WinC

Hello

Does anyone know the answer?

Mikado90
Re: Parser Override for event 4673 - WinC

Thank you Michael. It doesn't work. I placed the file in the exact same path on my Windows machine (2012R2). Could it be that the mapping number is not 42?

The content of the file is:

conditionalmap[0].mappings[42].event.flexString1=Service
conditionalmap[0].mappings[42].event.flexString2=PrivilegeList
conditionalmap[0].mappings[42].event.destinationProcessId=ProcessName


And I see no complaints in agent.log:

[INFO ][default.com.arcsight.agent.loadable.mq._WindowsEventMessageProcessor][getParser] Successfully loaded parser for parser key [winc\security\microsoft_windows_security_auditing] from parser file [winc\security\microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties]

mschleich
Re: Parser Override for event 4673 - WinC

Hi Mikado90,

The first issue I can see is the field destinationProcessId; you cannot use it, I don't think this field is available for this.

Have you restarted the connector?
What do you see in ESM? Fields are empty?
Could you please send me a rawEvent and the parsed event, because it is possible that some of those fields are really empty; this happens.

If you use 2012R2, 42 is correct. (I am talking about the device host OS, the log source.)
You can try with 41, but if it does not work come back to 42; the problem is something else.

Could you please try something other than destinationProcessId, just to test, but verify if the format is string or integer, because it won't work and you will see an error in agent.log?

Do you see ERRORS in the agent.log of the WiNC connector? This will help you to troubleshoot.
Believe me, it is working fine; it's just that you made a mistake somewhere, and we will find it for sure.

Thanks
Regards

Michael

mschleich
Re: Parser Override for event 4673 - WinC

Hi Mikado90,

I don't see any issue in your first 2 lines, so try with those ones first, then we will see.

But you have to put this on the WiNC SmartConnector host, and the OS version info is not from this host but from the log sources or the source devices.

If it is an older or a newer version, it is possible that the number is not correct.
Only ArcSight Support is able to give you the right number; or you try with 41 or 43.

It is increased by one each time a new Microsoft event is generated before Event ID 4673.
I don't think the number has changed for 2016, but I am not totally sure. It is only for 2008 that the number is 41.

Try with the first 2 lines, then restart the connector. Do not forget to remove the signature at the end of the file; it is to confirm that the change is valid.

If not, you will receive Override/Mismatch Agent errors in ESM (agent:049).

Thanks
Regards

Michael

Mikado90
Re: Parser Override for event 4673 - WinC

Hi Michael,

1/ I can confirm that the parser file was placed on the WinC connector. I tried with 41 and 43 on 2 fields, FlexString1 and FlexString2, and then restarted the connector. It didn't work either. Tried the same with 42, same outcome. My source host is Windows 2012R2 and the connector is installed on a collector host with the same Windows version.

2/ I don't see any particular ERROR messages in the agent.log related to the parser. And the same with agent:049; I don't see it either. Just the following:

[WARN ][default.com.arcsight.agent.sdk.b.a.l][getTokenDescriptors] No token descriptors found
[WARN ][default.com.arcsight.agent.parsers.operation.regexTokenOperation][getResult] No match between string [Microsoft-Windows-Security-Auditing] and regex [(MSSQL|SQLISPackage).*]
[WARN ][default.com.arcsight.agent.sdk.b.a.l][getTokenDescriptors] No token descriptors found
[WARN ][default.com.arcsight.event.SecurityEvent][setModelConfidence] Number of bad threat level values received and corrected = 60
[WARN ][default.com.arcsight.agent.parsers.operation.regexTokenOperation][getResult] No match between string [Service Control Manager] and regex [(MSSQL|SQLISPackage).*]
[WARN ][default.com.arcsight.agent.sdk.b.a.l][getTokenDescriptors] No token descriptors found
[WARN ][default.com.arcsight.agent.cs.d][lookupAllByName] Cannot find information for [-]
[WARN ][default.com.arcsight.event.SecurityEvent][setModelConfidence] Number of bad threat level values received and corrected = 30
[WARN ][default.com.arcsight.agent.parsers.operation.regexTokenOperation][getResult] No match between string [Microsoft-Windows-Security-SPP] and regex [(MSSQL|SQLISPackage).*]
[WARN ][default.com.arcsight.agent.loadable.mq._WindowsEventMessageProcessor][getParser] Cannot load parser for parser key [winc\application\microsoft_windows_security_spp] from parser file [winc\application\microsoft_windows_security_spp.sdkkeyvaluefilereader.properties]
[WARN ][default.com.arcsight.common.a.b][processSingleAlert] Unable to find categorization file [microsoft\system_or_application_event.csv]
[WARN ][default.com.arcsight.agent.cs.d][lookupAllByName] Cannot find information for [-]
[WARN ][default.com.arcsight.event.SecurityEvent][setModelConfidence] Number of bad threat level values received and corrected = 30
[WARN ][default.com.arcsight.agent.parsers.operation.regexTokenOperation][getResult] No match between string [Microsoft-Windows-Kernel-General] and regex [(MSSQL|SQLISPackage).*]
[WARN ][default.com.arcsight.agent.loadable.mq._WindowsEventMessageProcessor][getParser] Cannot load parser for parser key [winc\system\microsoft_windows_kernel_general] from parser file [winc\system\microsoft_windows_kernel_general.sdkkeyvaluefilereader.properties]

3/ The raw events coming in are in a consistent format:

{"System":{"EventId":"4673","Version":"0","Channel":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Computer":"XXXX","EventRecordID":"54003218","Keywords":"Audit Success","Level":"Log Always","Opcode":"Info","Task":"Sensitive Privilege Use","ProcessID":"624","ThreadID":"632","TimeCreated":"1573487889742","UserId":""},"EventData":{"SubjectUserSid":"NT AUTHORITY\\\\SYSTEM","SubjectUserName":"XXX$","SubjectDomainName":"XXXX","SubjectLogonId":"0x3e7","ObjectServer":"NT Local Security Authority / Authentication Service","Service":"LsaRegisterLogonProcess()","PrivilegeList":"SeTcbPrivilege","ProcessId":"0x270","ProcessName":"C:\\Windows\\System32\\lsass.exe"}}

mschleich
Re: Parser Override for event 4673 - WinC

Hi Mikado90,

It is not possible that it does not work (I have succeeded, cf. below).

To be sure: you have tried keeping only the 2 fields saved into flexString1 and flexString2, without the third one, and it does not work?

Could you please tell me what you have seen: ArcSight fields empty?

Could you please try this one, just to verify something?

As you confirm that it is 2012R2, it means that the ID 42 is correct, so we will see if this is working:

conditionalmap[0].mappings[42].event.deviceCustomString3Label=__stringConstant("Service")

Could you please confirm that, for new 4673 events after you have made the changes, you can read Device Custom String3.Service in the Name column of ArcSight fields?

Could you please confirm that the file you have created is .properties and NOT *.properties.txt (you have unhidden known extensions)?
Could you please confirm that the .properties file is located here:

$ARCSIGHT_HOME/current/user/agent/fcp/winc/security/

Could you please show me a screenshot of the result after you have verified the above points, because something is strange?

I have tried to do it myself with ID 42 and it is working, but I have chosen other fields which are empty for this Event ID 4673.
This is exactly what I have put and it is working. Added into the .properties file:

## Parser override for eventID 4673
## Provided by Michael Schleich on 11 Nov 2019
##
conditionalmap[0].mappings[42].event.deviceCustomString3Label=__stringConstant("Service")
conditionalmap[0].mappings[42].event.deviceCustomString3=Service
conditionalmap[0].mappings[42].event.deviceCustomString4Label=__stringConstant("PrivilegeList")
conditionalmap[0].mappings[42].event.deviceCustomString4=PrivilegeList
conditionalmap[0].mappings[42].event.destinationProcessName=ProcessName

Here is the proof it is working properly (screenshot: 4673.PNG).

 

If it is not working on your side, you have made a mistake somewhere or the OS is not 2012R2.

Thanks
Kind Regards

Michael

Mikado90
Re: Parser Override for event 4673 - WinC

Hi Michael,

I found the issue. It's like you mentioned. The parser file had .txt at the end, which I thought I had already fixed. After removing that, it started working. Thank you so much for your relentless support 🙂
jklein
Re: Parser Override for event 4673 - WinC

Excellent info on writing these WINC parser overrides.

I know you've already got this fixed, but I wanted to recommend trying loading the latest WINC parser from ArcSight.

I was looking for the service name on 4673 a while back and had the same problem as you, but noticed that the field was parsed after installing a recent parser. I think it was the one from June (7.12.2.8163.0), which also contains PowerShell parsers (script block logging/etc.).

(screenshot: DCS1.PNG)
Mikado90
Re: Parser Override for event 4673 - WinC

Thanks jklein. In terms of that parser update installation, is there anything specific I need to be aware of? Or is it just a normal installation?

jklein
Re: Parser Override for event 4673 - WinC

It's just the standard connector update process, but in case you haven't done it before, here are the steps to manually update:

Download the framework package from Micro Focus Support & Services (latest is 7.13.0), then get the latest 7.13 parser from the marketplace: https://marketplace.microfocus.com/arcsight/content/smartconnectors-1

Stop the connector service, run the framework installation and point it to the same install location as your existing connector. After that, next, next, next... It'll then ask you if you want to make changes to your connector settings, which is not necessary.

Then, apply the updated parser:
Open a command prompt and CD to your connector bin directory. Execute the following:

arcsight parseraupupgradelocal "<PATH THE AUP LIVES IN>\ArcSight-7.13.2.8187.0-ConnectorParsers.aup" false

The install process will keep all of your parser overrides, so if you want to test to see if the new parser will parse 4673 events, remove the parser override you created and restart the connector.

Mikado90
Re: Parser Override for event 4673 - WinC

I followed the steps, but the events are still not parsed. I checked agent.log for the parser version; it's the same version you mentioned...

jklein
Re: Parser Override for event 4673 - WinC

Shoot, I'm sorry, you're right. Looking at the connector, I completely forgot that I wrote a mappings file that was added during a connector update early this year.

So, you can write parser overrides, but you can also create mappings files to parse fields. Either way will work; it just depends on what you need to parse.

Create this file/folder path: <ArcSight Home>\user\agent\aup\<connector ID>\fcp\custommappings\Microsoft\Microsoft_Windows\ngmappings.adatamappings.properties

Just add the unused ArcSight field = name of the field you want to parse (in this case, ProcessName and Service).

Here are the contents of my file:

# Event ID 4673
event.deviceCustomString1=ProcessName
event.deviceCustomString1Label=__stringConstant("Process Name")
event.deviceCustomString3=Service
event.deviceCustomString3Label=__stringConstant("Service")

You can do this with many events. You can get a listing of unmapped fields by right-clicking the connector in the console and selecting Send Command\Mapping\Get Additional Data Names. This will give you a listing of all unmapped fields that you can map using the process described. Or, just try taking the field name from the raw event.

You can also map these unmapped fields from within the console, but I prefer to do it manually.

Sorry for the extra legwork on the connector update!

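A small pre-restart check for the two file formats discussed in this thread, the parser override .properties from the accepted solution and jklein's ngmappings file, written as an added example (it is not code from the thread or from ArcSight). It flags the two mistakes that cost the most time here: a hidden .txt extension on the file, and a string token (ProcessName) mapped into an integer ArcSight field (destinationProcessId); the FIELD_TYPES table and the trimmed sample event are assumptions constructed for the example.

```python
"""Sanity-check an ArcSight WiNC parser override or ngmappings file before a restart.
Added example, not code from the thread or from ArcSight; FIELD_TYPES is an assumption.
Catches the thread's pitfalls: a hidden .txt extension, and a string token in an integer field."""
import json
import re

# Constructed sample: the raw 4673 event pasted in the thread, trimmed and anonymised.
RAW_EVENT = r'''{"System":{"EventId":"4673","Channel":"Security"},
 "EventData":{"SubjectUserSid":"NT AUTHORITY\\SYSTEM","SubjectLogonId":"0x3e7",
 "Service":"LsaRegisterLogonProcess()","PrivilegeList":"SeTcbPrivilege",
 "ProcessId":"0x270","ProcessName":"C:\\Windows\\System32\\lsass.exe"}}'''

# Assumed types of the ArcSight fields named in the thread (*Id fields are integers).
FIELD_TYPES = {
    "flexString1": "string", "flexString2": "string", "deviceCustomString1": "string",
    "deviceCustomString3": "string", "deviceCustomString4": "string",
    "destinationServiceName": "string", "destinationProcessName": "string",
    "destinationProcessId": "integer",
}
# Matches both conditionalmap[0].mappings[42].event.X=Y and the ngmappings form event.X=Y.
LINE_RE = re.compile(r"^(?:conditionalmap\[\d+\]\.mappings\[\d+\]\.)?event\.(?P<field>\w+)=(?P<value>.+)$")
INT_RE = re.compile(r"^(?:0x[0-9a-fA-F]+|\d+)$")


def check_override(filename, text, raw_event):
    """Return the problems found; an empty list means the file looks sane."""
    problems = []
    if not filename.lower().endswith(".properties"):
        problems.append(f"{filename}: must end in .properties (hidden .txt extension?)")
    event_data = json.loads(raw_event)["EventData"]
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: unrecognised syntax")
            continue
        field, value = m.group("field", "value")
        ftype = "string" if field.endswith("Label") else FIELD_TYPES.get(field)
        if ftype is None:
            problems.append(f"line {n}: {field} is not in FIELD_TYPES")
        elif value.startswith("__stringConstant("):
            continue  # constant label text, no EventData token involved
        elif value not in event_data:
            problems.append(f"line {n}: token {value} is not in EventData")
        elif ftype == "integer" and not INT_RE.match(event_data[value]):
            problems.append(f"line {n}: {field} is an integer field but {value} is a string")
    return problems


# Constructed sample: the first attempt from the thread, saved with a hidden .txt extension.
BROKEN = """conditionalmap[0].mappings[42].event.flexString1=Service
conditionalmap[0].mappings[42].event.flexString2=PrivilegeList
conditionalmap[0].mappings[42].event.destinationProcessId=ProcessName"""
BROKEN_NAME = "microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties.txt"
```

check_override(BROKEN_NAME, BROKEN, RAW_EVENT) reports the .txt extension and the destinationProcessId type mismatch, while the accepted solution's five lines and the four ngmappings lines above come back clean.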
mschleich
Re: Parser Override for event 4673 - WinC

Hi,

Do not forget that if you choose the ArcSight Console feature for mapping additional data, you have to do it per destination.

That means that if you send logs to ESM and Loggers, you have to do it 2 times.

For ESM, as explained by jklein, but also for the Logger destination, where you will find the ID in the folder or in agent.properties.

Personally, I prefer to use PO, but there are multiple solutions to achieve the same purpose.

Thanks
Regards

Michael
