
Parser override for WINC connector


Hi,

We have a problem augmenting event 4688 (A new process has been created) for the WINC connector.

Raw event: {"System":{"EventId":"4688","Version":"1","Channel":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Computer":"abc.computer.net","EventRecordID":"4304053","Keywords":"Audit Success","Level":"Log Always","Opcode":"Info","Task":"Process Creation","ProcessID":"4","ThreadID":"104","TimeCreated":"1490370004076","UserId":""},"EventData":{"SubjectUserSid":"domain\\\\user","SubjectUserName":"user","SubjectDomainName":"domain","SubjectLogonId":"0x2ebffb","NewProcessId":"0x3d04","NewProcessName":"C:\\cygwin64\\bin\\bash.exe","TokenElevationType":"TokenElevationTypeDefault (1)","ProcessId":"0x3f08","CommandLine":"\"C:\\cygwin64\\bin\\bash.exe\""}}

We tried to use conditionalmap by creating the file $ARCSIGHT_HOME/current/user/agent/fcp/winc/security/microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties with this:

conditionalmap[0].mappings[90].event.filePath=__regexToken(NewProcessName,"^(.*)/.*")

conditionalmap[0].mappings[90].event.targetProcessName=__regexToken(NewProcessName,".*/([^/]+)$")

Apparently mapping 90 is not the correct value for augmenting this event.  Have any ideas about this?

Accepted Solutions

Have you tried using map files instead?  And you're just looking to break out the binary vs the full path, correct?

I tested the following on WUC (don't have WINC yet) but I think this should work regardless of connector type:

$CONNECTOR_HOME/current/user/agent/map

map.0.properties:

set.expr(targetProcessName).event.filePath

"__regexToken(targetProcessName,""^(.*)\\.*"")"

map.1.properties:

set.expr(targetProcessName).event.fileName

"__regexToken(targetProcessName,"".*\\([^\\]+)$"")"
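As an added example (not the poster's code, and not ArcSight's own implementation), the following Python stand-in applies the two map-file expressions above to the 4688 event from the question: it reads NewProcessName from the raw JSON (assumed here to be the value the connector maps into targetProcessName), derives filePath and fileName with the backslash patterns, and shows why the forward-slash pattern from the question never populated anything on a Windows path. `regex_token` mimics `__regexToken` by returning the first capture group; returning an empty string on no match is an assumption.

```python
import json
import re

# Constructed sample modelled on the 4688 event quoted in the question
# (hostname and ids are placeholders, not values from a real host).
RAW_EVENT = r'''{"System":{"EventId":"4688","Channel":"Security","Computer":"host.example.net"},
"EventData":{"SubjectUserName":"user","NewProcessId":"0x3d04",
"NewProcessName":"C:\\cygwin64\\bin\\bash.exe",
"CommandLine":"\"C:\\cygwin64\\bin\\bash.exe\""}}'''

# Patterns as the regex engine sees them once the map-file quoting is
# removed (the doubled "" in the .properties value is only CSV escaping).
DIR_RE = r"^(.*)\\.*"          # greedy: everything before the last backslash
BASE_RE = r".*\\([^\\]+)$"     # everything after the last backslash
SLASH_DIR_RE = r"^(.*)/.*"     # the question's original pattern, for comparison


def regex_token(value, pattern):
    """Stand-in for ArcSight's __regexToken: returns the first capture
    group, or an empty string when the pattern does not match (assumed)."""
    m = re.match(pattern, value)
    return m.group(1) if m else ""


def enrich(raw_json):
    """Derive filePath / fileName from NewProcessName the way the two map
    files in the accepted answer do, starting from the raw event JSON."""
    event = json.loads(raw_json)
    name = event["EventData"]["NewProcessName"]
    return {
        "targetProcessName": name,
        "filePath": regex_token(name, DIR_RE),
        "fileName": regex_token(name, BASE_RE),
    }


if __name__ == "__main__":
    out = enrich(RAW_EVENT)
    print(out)
    # The forward-slash pattern from the question cannot match a Windows
    # path, so those conditionalmap entries would have produced nothing.
    print(repr(regex_token(out["targetProcessName"], SLASH_DIR_RE)))
```

A NewProcessName with no backslash at all (a bare binary name) yields empty strings for both fields, so a downstream rule should not assume fileName is always populated.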

Thanks.  That worked!
