Commodore

WINC enhance parsing

Hello,

I'd like to parse the field "TicketEncryptionType" of Event ID 4768 because the Windows Native Connector doesn't parse it.

But I'm new to ArcSight and I don't know how to enhance the default parsing of a SmartConnector.

Here is the raw event:

{
  "System": {
    "EventId": "4768",
    "Version": "0",
    "Channel": "Security",
    "ProviderName": "Microsoft-Windows-Security-Auditing",
    "Computer": "DC.example.net",
    "EventRecordID": "75974659",
    "Keywords": "Audit Success",
    "Level": "Log Always",
    "Opcode": "Info",
    "Task": "Kerberos Authentication Service",
    "ProcessID": "500",
    "ThreadID": "1404",
    "TimeCreated": "1447776812190",
    "UserId": ""
  },
  "EventData": {
    "TargetUserName": "Administrator",
    "TargetDomainName": "example.net",
    "TargetSid": "EXAMPLE\\\\Administrator",
    "ServiceName": "krbtgt",
    "ServiceSid": "EXAMPLE\\\\krbtgt",
    "TicketOptions": "0x40810010",
    "Status": "0x0",
    "TicketEncryptionType": "0x12",
    "PreAuthType": "2",
    "IpAddress": "::ffff:10.10.10.10",
    "IpPort": "51622",
    "CertIssuerName": "",
    "CertSerialNumber": "",
    "CertThumbprint": ""
  }
}

I have read about "Map Additional Data Name" but it does not work in my case because the field "TicketEncryptionType" is not seen.

Connector --> Get Additional Data Names:

Vendor/product [Microsoft\Microsoft_Windows]:
    EventRecordID [920 times]
    Opcode [920 times]
    ProcessID [920 times]
    ThreadID [920 times]
    Version [920 times]

I have read about the .sdkkeyvaluefilereader.properties file with conditionalmap, but I don't understand how to write it, and I don't understand where I must put this file.

Can someone explain all of this to me?

Thank you.

[EDIT] Logger parsed this event fine, but with a strange field name: as.Additional_,InagWMqg_~_~ncryption_,Type

If I forward the event from Logger to ESM, I can use "Map Additional Data Name" to get "TicketEncryptionType".
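As an added example (not part of the original post, and not ArcSight's own parser mechanism), the following Python decodes "TicketEncryptionType" from a 4768 event like the one posted above. The sample event is a constructed, trimmed copy of the posted JSON; the etype names are the values documented for this event, and the "weak" check flags the DES and RC4 types a defender usually extracts this field to find.

```python
import json

# Kerberos encryption types as documented for Event ID 4768 (TicketEncryptionType).
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
    0xFFFFFFFF: "none (TGT request failed)",
}
# Types a defender wants to see flagged: DES and RC4 families.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# Constructed sample event, trimmed from the raw event in the post above.
SAMPLE_EVENT = '''{"System":{"EventId":"4768","Computer":"DC.example.net"},
"EventData":{"TargetUserName":"Administrator","TargetDomainName":"example.net",
"ServiceName":"krbtgt","TicketOptions":"0x40810010","Status":"0x0",
"TicketEncryptionType":"0x12","PreAuthType":"2","IpAddress":"::ffff:10.10.10.10"}}'''


def parse_4768(raw: str) -> dict:
    """Extract the fields of interest from a 4768 event and decode the etype."""
    event = json.loads(raw)
    if event["System"]["EventId"] != "4768":
        raise ValueError("not a 4768 event")
    data = event["EventData"]
    # The field is a hex string such as "0x12"; int() accepts the 0x prefix with base 16.
    etype = int(data["TicketEncryptionType"], 16)
    return {
        "computer": event["System"]["Computer"],
        "target_user": data["TargetUserName"],
        "target_domain": data["TargetDomainName"],
        "client_ip": data["IpAddress"],
        "status": data["Status"],
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, f"unknown (0x{etype:x})"),
        "weak_etype": etype in WEAK_ETYPES,
    }


if __name__ == "__main__":
    print(parse_4768(SAMPLE_EVENT))
```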
