This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
rmroczk
Cadet 3rd Class Cadet 3rd Class
Cadet 3rd Class
‎2017-04-04 18:46
1236 views

Parser override for WINC connector

Jump to solution

Hi,

We have a problem augmenting event 4688 (A new process has been created) for the WINC connector.

Raw Event : {"System":{"EventId":"4688","Version":"1","Channel":"Security","ProviderName":"Microsoft-Windows-Security-Auditing","Computer":"abc.computer.net","EventRecordID":"4304053","Keywords":"Audit Success","Level":"Log Always","Opcode":"Info","Task":"Process Creation","ProcessID":"4","ThreadID":"104","TimeCreated":"1490370004076","UserId":""},"EventData":{"SubjectUserSid":"domain\\\\user","SubjectUserName":"user","SubjectDomainName":"domain","SubjectLogonId":"0x2ebffb","NewProcessId":"0x3d04","NewProcessName":"C:\\cygwin64\\bin\\bash.exe","TokenElevationType":"TokenElevationTypeDefault (1)","ProcessId":"0x3f08","CommandLine":"\"C:\\cygwin64\\bin\\bash.exe\""}}

We tried to use conditionalmap by creating the file $ARCSIGHT_HOME/current/user/agent/fcp/winc/security/microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties with this:

conditionalmap[0].mappings[90].event.filePath=__regexToken(NewProcessName,"^(.*)/.*")

conditionalmap[0].mappings[90].event.targetProcessName=__regexToken(NewProcessName,".*/([^/]+)$")

Apparently mapping 90 is not the correct value for augmenting this event.  Have any ideas about this?

Labels (2)
Tags (2)
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
wsladek1
Vice Admiral
Vice Admiral
‎2017-04-04 19:59

Jump to solution

Have you tried using map files instead?  And you're just looking to break out the binary vs the full path, correct?

I tested the following on WUC (don't have WINC yet) but I think this should work regardless of connector type:

$CONNECTOR_HOME/current/user/agent/map

map.0.properties:

set.expr(targetProcessName).event.filePath

"__regexToken(targetProcessName,""^(.*)\\.*"")"

map.1.properties:

set.expr(targetProcessName).event.fileName

"__regexToken(targetProcessName,"".*\\([^\\]+)$"")"

View solution in original post

0 Likes
Reply
Report Inappropriate Content
2 Replies
wsladek1
Vice Admiral
Vice Admiral
‎2017-04-04 19:59

Jump to solution

Have you tried using map files instead?  And you're just looking to break out the binary vs the full path, correct?

I tested the following on WUC (don't have WINC yet) but I think this should work regardless of connector type:

$CONNECTOR_HOME/current/user/agent/map

map.0.properties:

set.expr(targetProcessName).event.filePath

"__regexToken(targetProcessName,""^(.*)\\.*"")"

map.1.properties:

set.expr(targetProcessName).event.fileName

"__regexToken(targetProcessName,"".*\\([^\\]+)$"")"

View solution in original post

0 Likes
Reply
Report Inappropriate Content
rmroczk
Cadet 3rd Class Cadet 3rd Class
Cadet 3rd Class
‎2017-04-05 15:03

Jump to solution

Thanks.  That worked!

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.