Rashid470102 Absent Member.

UUID Problem

I am facing a problem retrieving the UUID information for a specific event, with event ID 4733.

I am attaching both servers: the one from which I am getting the UUID (attacker and target information) and the other from which I am not getting it,

along with their agent setup snapshots and event ID information from Event Viewer.

I have some findings.

Server from which I am not getting information:

The server is not a member of the domain. Please see the snapshot (7.png).

Server from which I am getting the required information:

The server is a member of the domain. Please see the snapshot (server getting required information\1.png).

Please advise to solve that problem.

balahasan.v1 Acclaimed Contributor.

Re: UUID Problem

Hi Rashid,

Did you see the UUID in the Additional fields?

Rashid470102 Absent Member.

Re: UUID Problem

Hi Balahasan,

The installed connector type is local. I updated the parameters as mentioned in the document:

agents[0].enableadsguidtranslation=true

agents[0].activedirectoryserverhosts=AD hostname

but still I am not able to get the required information. Furthermore, what do you mean by additional fields? (Sorry, I am new to ArcSight, so sometimes I miss things.)

Alternatively, I installed the unified connector on one of the servers from which the information was missing. After installing it and setting "sidguidtranslationmultithreadad=enable" I can see the attacker and target username.

But the number of servers is very high, so any advice on solving the problem using local?

Waiting for your kind advice.

Lastly, Balahasan, how can I reach you quickly? Because sometimes the requested query severity is critical.

balahasan.v1 Acclaimed Contributor.

Re: UUID Problem

Hi Rashid,

When you right click on the connector you will see Get Additional Data Names, which you can map to an ArcSight CEF field and use in correlation.

And personally I haven't come across anything like this before. But as you can see, the Security ID is captured in an Additional field, which you get parsed.

Refer to the attached guide on how to do Additional Data mapping (from Sahaya).


Let me know if you face any issues with that. And the fast way to get a response is contacting HP Support, of course.

Cheers,

Balahasan

grace.chang Absent Member.

Re: UUID Problem

Did Balahasan answer your question? If so, please mark it as correct. Thanks!

Rashid470102 Absent Member.

Re: UUID Problem

Hi,

Below is the outcome of "Get Additional Data Names"

Additional Data Names Seen:

Vendor/product [Microsoft\Microsoft_Windows]:
  Account Domain [349 times]
  Account For Which Logon Failed [6 times]
  Account Whose Credentials Were Used [43 times]
  Additional Information [46 times]
  Application Information [111 times]
  Application Name [111 times]
  Caller Process Name [6 times]
  Detailed Authentication Information [111 times]
  Failure Information [6 times]
  Filter Information [111 times]
  Group [3 times]
  Group Domain [3 times]
  Group Name [3 times]
  Key Length [111 times]
  Key Length[0] [34 times]
  Layer Name [111 times]
  Layer Run-Time ID [111 times]
  Logon Account [6 times]
  Logon GUID [148 times]
  Member [3 times]
  Network Information [265 times]
  New Logon [105 times]
  Package Name (NTLM only) [111 times]
  Port [43 times]
  Process [22 times]
  Process Information [154 times]
  Process Name [170 times]
  Protocol [111 times]
  Service Request Information [22 times]
  Session ID
  Status [6 times]
  Sub Status [6 times]
  Subject [349 times]
  Target Server [43 times]
  Transited Services [111 times]
  name

Outcome of agent.properties: see the attached snapshots (fig.1 and fig.2).

I think the user "dummy" is a normal user and is not included in the Event Log Readers group.

Rashid470102 Absent Member.

Re: UUID Problem

[attachment: 2.PNG]
balahasan.v1 Acclaimed Contributor.

Re: UUID Problem

Hi Rashid,

Try to capture Logon GUID and see if that is the field you are looking for. Also enable raw event logging to see where, or whether, the UUID is captured somewhere.

Rashid470102 Absent Member.

Re: UUID Problem

EventlogType=Security
&&DetectTime=2015-05-03 13:30:42
&&EventSource=Microsoft-Windows-Security-Auditing
&&EventID=4732
&&EventType=Audit_success
&&ventCategory=13826
&&User=
&&ComputerName=XXXXXXX
&&Description=A member was added to a security-enabled local group.
&&Subject=Security ID=S-1-5-21-1923297094-982788978-623648099-6763644
&&Account Name=sec9902
&&Account Domain=XXXXX
&&Logon ID=0x5ea80588
&&Member=Security ID=S-1-5-21-1923297094-982788978-623648099-6763644
&&AccountName=
&&Group=Security ID=S-1-5-32-545
&&Group Name=Users
&&Group Domain=Builtin&&Additional Information=Privileges=

balahasan.v1 Acclaimed Contributor.

Re: UUID Problem

Hi Rashid,

Are you able to map it or not?

Rashid470102 Absent Member.

Re: UUID Problem

Hi Balahasan,

Unfortunately not. As you can see below, I can see the Logon GUID, but I don't know how to move to the next step. I attached the raw event above as well.

balahasan.v1 Acclaimed Contributor.

Re: UUID Problem

Hi Rashid,

I have checked it again, and it is working fine for me. All you need to do is identify which additional field contains the Security ID for that particular event ID. That's all. You just map it.

Get Map: [screenshot defr.JPG]

Map it: [screenshot defr.JPG]

Check it: [screenshot defr.JPG]

Test it in Logs: [screenshot defr.JPG]

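An added example (not code from this thread or from ArcSight) that works through Balahasan's advice on the raw event Rashid posted earlier: it parses the &&-delimited raw event into its additional-data sections, then reports which sections carry a Security ID for that event ID. The sample event is constructed in the thread's layout, and the SID_FIELD_FOR_EVENT table (which section goes to which CEF field) is an assumed mapping, not the connector's own.

```python
import re

# Constructed sample in the &&-delimited layout of the thread's raw event
# (event 4732, member added to a local group); SIDs are the thread's own values.
RAW_4732 = (
    "EventlogType=Security&&DetectTime=2015-05-03 13:30:42"
    "&&EventSource=Microsoft-Windows-Security-Auditing&&EventID=4732"
    "&&EventType=Audit_success&&EventCategory=13826&&User=&&ComputerName=XXXXXXX"
    "&&Description=A member was added to a security-enabled local group."
    "&&Subject=Security ID=S-1-5-21-1923297094-982788978-623648099-6763644"
    "&&Account Name=sec9902&&Account Domain=XXXXX&&Logon ID=0x5ea80588"
    "&&Member=Security ID=S-1-5-21-1923297094-982788978-623648099-6763644"
    "&&AccountName=&&Group=Security ID=S-1-5-32-545&&Group Name=Users"
    "&&Group Domain=Builtin&&Additional Information=Privileges="
)

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Hypothetical mapping (not the connector's own): per event ID, which additional-data
# section holds a Security ID and which CEF field it should land in.
SID_FIELD_FOR_EVENT = {e: {"Subject": "suid", "Member": "duid", "Group": "cs1"} for e in ("4732", "4733")}

def parse_raw_event(raw):
    """Split a &&-delimited raw event into {section: {field: value}}.
    A token whose value itself contains '=' ('Subject=Security ID=S-1-...') opens a
    section; later tokens belong to it. Header tokens before any section go under ''."""
    fields = {"": {}}
    section = ""
    for token in raw.split("&&"):
        key, _, value = token.partition("=")
        if "=" in value:  # section header that also carries its first field
            section = key.strip()
            fields.setdefault(section, {})
            key, _, value = value.partition("=")
        fields[section][key.strip()] = value.strip()
    return fields

def sections_with_sid(fields):
    """Additional-data sections carrying a well-formed Security ID: the fields to map."""
    return sorted(s for s, kv in fields.items() if SID_RE.match(kv.get("Security ID", "")))

def map_security_ids(fields):
    """Return {cef_field: SID} for this event's ID, following SID_FIELD_FOR_EVENT."""
    mapped = {}
    for section, cef in SID_FIELD_FOR_EVENT.get(fields[""].get("EventID"), {}).items():
        sid = fields.get(section, {}).get("Security ID", "")
        if SID_RE.match(sid):
            mapped[cef] = sid
    return mapped
```

Running `sections_with_sid(parse_raw_event(RAW_4732))` shows that for 4732 the SID lives in the Subject, Member and Group sections, which is the "identify which additional field" step before the map.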
Rashid470102 Absent Member.

Re: UUID Problem

Regarding mapping, I got the concept, but I am still not able to see the UserID in the console. Based on the raw event, can you please advise?

balahasan.v1 Acclaimed Contributor.

Re: UUID Problem

Hi Rashid,

Please attach the complete sample raw log and the Get Additional Data Names output. I will check it out.

Rashid470102 Absent Member.

Re: UUID Problem

I will revert back to you shortly today.
