pacote Trusted Contributor.

Please create or update the file security.keymap.csv with the appropriate keys for the event.

Hello,

The example in the documentation appears to be outdated and I spent some time trying to work through how to get the keymap to take.

Here's the error message I started with:

[2017-06-15 18:56:55,635][WARN ][default.com.arcsight.agent.au.w][getKeyValuePairs] Found [4] keys to be missing for an event with Event ID = [4688], Event Log Type = [Security], Event Source = [Microsoft-Windows-Security-Auditing], for Microsoft Windows keymap family = [Windows 2012 R2]. Please create or update the file [windowsfg/windows_2012/security.keymap.csv] with the appropriate keys for the event.

Notice this is specifically for R2...

I ran a cef destination with Raw Events enabled to get the key value pairs.  The documentation says:

Example entries would be as follows:
"528","Successful Logon","User Name","Domain","Logon ID","Logon Type","Logon Process","Authentication Package","Workstation Name","Logon GUID","Caller User Name","Caller Domain","Caller Logon ID","Caller Process ID","Transited Services","Source Network Address","Source Port"
"528","Successful Logon","User Name","Domain","Logon ID","Logon Type","Logon Process","Authentication Package","Workstation Name","Logon GUID","Caller User Name","Caller Domain","Caller Logon ID","Caller Process ID","Transited Services","Source Network Address", "Source Port","Message:A logon attempt was successful"

I found quoting every key didn't work.  Also, since this is Windows 2012 R2, the keymap file needed to be named security.keymap.r2.csv - still went in /current/user/agent/fcp/windowsf/windows_2012/.  The one for 2012 base build would just be security.keymap.csv, in the same directory.

Here is the finished product that addressed the error completely - it was the last four that were missing, I think, but you have to add all the keys from the event:

4688,"A new process has been created.",Subject: Account Name,Subject: Account Domain,Subject: Logon ID, Process Information: New Process ID,Process Information: New Process Name,Process Information: Token Evaluation Type,Process Information: Created process ID,Message,Key[0],Key[9],Key[10],Key[11],Key[12]

Here's the raw cef event - I reformatted it a bit so that the keys involved in the error are readable, and in bold.  They are order dependent, so list them in the csv as they occur in the raw event.

CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4688|Security ID|Low| eventId=4334 externalId=4688 msg=0x1fe0 rawEvent=
EventlogType\=Security&&
EventIndex\=37691327&&
WindowsVersion\=Windows Server 2012 R2&&
WindowsKeyMapFamily\=Windows 2012 R2&&
WindowsParserFamily\=Windows 2012 R2|2012|8&&
DetectTime\=2017-6-15 18:1:18&&
EventSource\=Microsoft-Windows-Security-Auditing&&
EventID\=4688&&
EventType\=Audit_success&&
EventCategory\=13312&&
User\=null&&
ComputerName\=MY.HOST.NAME&&
Description\=Security ID&&
Message\=&&
Subject: Account Name\=S-1-5-18&&
Subject: Account Domain\=MYDOMAIN$&&
Subject: Logon ID\=MYUID&&
Process Information: New Process ID\=0x3e7&&
Process Information: New Process Name\=0x13c8&&
Process Information: Token Evaluation Type\=C:\\Windows\\System32\\conhost.exe&&
Process Information: Created Process ID\=TokenElevationTypeDefault (1)&&
Message\=0x1fe0&&
Key[0]\=&&x
Key[9]\=S-1-0-0&&
Key[10]\=-&&
Key[11]\=-&&
Key[12]\=0x0
categorySignificance=/Informational categoryBehavior=/Execute/Start categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1497564990772 cat=Security deviceSeverity=Audit_success rt=1497564078000 dhost=MY.HOST.NAME cs2=Detailed Tracking:Process Creation cs1Label=Accesses cs2Label=EventlogCategory cs3Label=New Process ID cs4Label=Process Command Line cs5Label=Creator Process ID cs6Label=Process Information:Token Elevation Type cn1Label=LogonType cn2Label=CrashOnAuditFail cn3Label=Count ahost=mysmartconnectorhost agt=127.0.0.1 agentZoneURI=/All Zones/ArcSight System/Public Address Space Zones/ARIN/127.0.0.0-127.255.255.255 (ARIN) amac=00-00-00-00-00-00 av=7.5.0.7983.0 atz=America/A State at=windowsfg dvchost=MY.HOST.NAME dtz=America/A State _cefVer=0.1 ad.Key[12]=0x0 ad.Process_,InforxUdkVA_~_~ted_,Process_,ID=TokenElevationTypeDefault (1) ad.Key[11]=- ad.Key[10]=- ad.WindowsParserFamily=Windows 2012 R2|2012|8 ad.Key[9]=S-1-0-0 ad.WindowsKeyMapFamily=Windows 2012 R2 ad.Process_,InfornbN1ow_~_~w_,Process_,Name=0x13c8 ad.Subject:_,Account_,Name=S-1-5-18 ad.Key[0]= ad.Process_,Information:_,New_,Process_,ID=0x3e7 ad.Process_,Infor1ma6oQ_~_~valuation_,Type=C:\\Windows\\System32\\conhost.exe ad.Subject:_,Logon_,ID=MYUID ad.WindowsVersion=Windows Server 2012 R2 ad.Subject:_,Account_,Domain=MYDOMAIN$ ad.EventIndex=37691327 aid=3P2B+rVwBABCAD2wwoqXf3Q\=\=

pacote
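As an added example (not ArcSight's code and not the poster's), here is a small Python script that parses the rawEvent pairs quoted in the post, lists the event-specific keys in the order the connector sees them, and reports which of them an existing keymap row lacks, which is the check behind the "Found [N] keys to be missing" warning. It assumes the event-specific keys begin after the first empty Message marker and that a keymap row is laid out as event id, quoted description, then unquoted keys, as in the working row above.

```python
"""Derive a keymap CSV row from an ArcSight rawEvent string (added example, not ArcSight code)."""

# Constructed from the raw event quoted in the post; host and domain names kept generic.
RAW_EVENT = (
    "EventlogType\\=Security&&EventIndex\\=37691327&&"
    "WindowsVersion\\=Windows Server 2012 R2&&WindowsKeyMapFamily\\=Windows 2012 R2&&"
    "WindowsParserFamily\\=Windows 2012 R2|2012|8&&DetectTime\\=2017-6-15 18:1:18&&"
    "EventSource\\=Microsoft-Windows-Security-Auditing&&EventID\\=4688&&"
    "EventType\\=Audit_success&&EventCategory\\=13312&&User\\=null&&"
    "ComputerName\\=MY.HOST.NAME&&Description\\=Security ID&&Message\\=&&"
    "Subject: Account Name\\=S-1-5-18&&Subject: Account Domain\\=MYDOMAIN$&&"
    "Subject: Logon ID\\=MYUID&&Process Information: New Process ID\\=0x3e7&&"
    "Process Information: New Process Name\\=0x13c8&&"
    "Process Information: Token Evaluation Type\\=C:\\\\Windows\\\\System32\\\\conhost.exe&&"
    "Process Information: Created Process ID\\=TokenElevationTypeDefault (1)&&"
    "Message\\=0x1fe0&&Key[0]\\=&&Key[9]\\=S-1-0-0&&Key[10]\\=-&&Key[11]\\=-&&Key[12]\\=0x0"
)


def parse_raw_event(raw):
    """Return ordered (key, value) pairs: pairs are '&&'-separated, '\\=' splits key from value."""
    pairs = []
    for chunk in raw.split("&&"):
        key, sep, value = chunk.partition("\\=")
        if sep:  # skip fragments without a key/value separator
            pairs.append((key, value))
    return pairs


def event_keys(pairs):
    """Event-specific keys in raw-event order (assumption: they follow the first, empty 'Message')."""
    keys = [k for k, _ in pairs]
    start = keys.index("Message") + 1 if "Message" in keys else 0
    return keys[start:]


def missing_keys(pairs, keymap_row):
    """Keys the event carries that are absent from an existing keymap row (id, description, keys...)."""
    known = set(keymap_row[2:])
    return [k for k in event_keys(pairs) if k not in known]


def keymap_row(pairs, description):
    """Format a keymap CSV row the way the working row in the post is laid out: keys stay unquoted."""
    event_id = dict(pairs)["EventID"]
    return f'{event_id},"{description}",' + ",".join(event_keys(pairs))


if __name__ == "__main__":
    pairs = parse_raw_event(RAW_EVENT)
    old_row = ["4688", "A new process has been created."] + event_keys(pairs)[:9]  # row missing the last four keys
    print("missing:", missing_keys(pairs, old_row))
    print(keymap_row(pairs, "A new process has been created."))
```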

pacote Trusted Contributor.

Re: Please create or update the file security.keymap.csv...

Ehh.. this wasn't supposed to go in Questions.

douglas.baker@h1 Outstanding Contributor.

Re: Please create or update the file security.keymap.csv...

Sorry if I am making just a bit of a 'nit pick' but the section;

"/current/user/agent/fcp/windowsf/windows_2012/"

should probably reflect 'windowsfg' and instead be;

"/current/user/agent/fcp/windowsfg/windows_2012/"

for the security.keymap.csv and security.keymap.r2.csv

Yes? No?

Thanks for the solution.

Doug
