Hi,
I have a Use Case looking at the Status and the SubStatus field in Windows Events (4625 and 4776). Now WINC does not have these codes mapped it seems. Actually the guide claims that SubStatus for 4625 is mapped to Device Custom String 1, but there I can e.g. see "User logon with misspelled or bad password" while the RAW EVENT says "SubStatus":"0xc000006a". So this might be a mapping somehow. But I need the code, no text.
Anyways, I tried to map Status and SubStatus using additional data mapping. However that does only work for Status, as SubStatus has not been seen.
Any idea how I can map the SubStatus? A parser overwrite would be another alternative but since MicroFocus decided to never hand out any original parsers, that feature has been made obsolete and useless.
Accepted Solutions
As you have pointed out in your original post, you can map the field:
Create the mapping file:
<connectorroot>\current\user\agent\fcp\winc\security\microsoft_windows_security_auditing.sdkkeyvaluefilereader.properties
and include the following text:
conditionalmap[0].mappings[12].event.deviceCustomString6=SubStatus
conditionalmap[0].mappings[12].event.deviceCustomString6Label=__stringConstant("Sub Status")
The above maps to deviceCustomString6
Hi @dengelhardt,
In my test environment, the Substatus is deviceCustomString4. If you enabled the aggregation on the connector, check the fields and add deviceCustomString4 if it's not there. Or disable aggregation for a while to see if the field is populated.
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Hi,
sadly DC4 includes the STATUS code for 4776 only.
DC1 does have the SUBSTATUS but as TEXT for 4625.
Hi,
the parser overwrite is working. I am using this as overwrite now:
conditionalmap[0].mappings[12].event.flexString1=Status
conditionalmap[0].mappings[12].event.flexString1Label=__stringConstant("Status")
conditionalmap[0].mappings[12].event.flexString2=SubStatus
conditionalmap[0].mappings[12].event.flexString2Label=__stringConstant("Sub Status")
conditionalmap[0].mappings[12].event.flexNumber1=KeyLength
conditionalmap[0].mappings[12].event.flexNumber1Label=__stringConstant("Key Length")
Let's hope they do not change the parser so that I accidentally overwrite something with that...
David
Do you happen to know how I can do the same overwrite for 4776?
0xc000006a is mapped to that text in the built-in parser.
If you need the code in your logs you can re-map that to that code, just put a map.0.properties or edit a current one in your connector's /current/user/agent/map folder with the entries below.
event.externalId,event.deviceCustomString1,set.event.deviceCustomString1
4625,"User logon with misspelled or bad password",0xc000006
Or if you need that code to correlate with a field from another event, just use a pre-persistence rule and set that event field to the original code?
Hi,
nice idea, but some texts are duplicates for different codes! Which is why it is irreversible. I'd need the ORIGINAL code sadly.
Regards,
David
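The lossy text-to-code problem raised in the last reply, as an added example that is not part of any post in this thread: it pulls the numeric SubStatus out of the raw event JSON and builds rows in the map.N.properties shape quoted above, leaving out any text that several codes share. The code table is a constructed sample (only the 0xc000006a entry is taken from the thread), and the CSV header format is assumed from the reply's own example.

```python
import json

# Constructed sample of a parser's SubStatus text table. Only the
# 0xc000006a row is quoted in the thread; the rest are made up for the
# demonstration, and the last two deliberately share one text.
CODE_TO_TEXT = {
    "0xc000006a": "User logon with misspelled or bad password",
    "0xc0000064": "User logon with misspelled or bad user account",
    "0xc0000234": "Account locked out",
    "0xc0000072": "Account currently disabled",
    "0xc0000ffe": "Logon type not granted",   # constructed placeholder code
    "0xc0000fff": "Logon type not granted",   # constructed placeholder code
}


def extract_substatus(raw_event: str) -> str:
    """Return the numeric SubStatus from the raw JSON the connector received,
    normalised to lower-case hex so it compares equal across sources."""
    return json.loads(raw_event)["SubStatus"].lower()


def reverse_map_rows(code_to_text: dict, event_id: str = "4625"):
    """Build map.N.properties rows (header assumed from the thread) that set
    deviceCustomString1 back to the code the parser turned into text.

    Returns (rows, ambiguous_texts). A text produced by more than one code
    cannot be reversed, so it is reported instead of written as a row."""
    by_text: dict = {}
    for code, text in code_to_text.items():
        by_text.setdefault(text, []).append(code)
    ambiguous = {t for t, codes in by_text.items() if len(codes) > 1}
    rows = ["event.externalId,event.deviceCustomString1,set.event.deviceCustomString1"]
    for text, codes in sorted(by_text.items()):
        if text not in ambiguous:
            rows.append(f'{event_id},"{text}",{codes[0]}')
    return rows, ambiguous


if __name__ == "__main__":
    sample = '{"EventID":"4625","Status":"0xc000006d","SubStatus":"0xC000006A"}'
    print("raw SubStatus:", extract_substatus(sample))
    rows, ambiguous = reverse_map_rows(CODE_TO_TEXT)
    print("\n".join(rows))
    print("not reversible:", sorted(ambiguous))
```

Run it against the real parser's text table to see which SubStatus values the text mapping can still recover and which ones need the parser override from earlier in the thread.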