
How to parse these fields and how to write the correlation


Dear all,

The customer has a requirement for a correlation rule that monitors
Exchange configuration violations. The detailed description follows:
When an Exchange administrator or an unauthorized person stealthily
configures a mailbox transport rule in the Exchange transport rule
console, for example: he builds a rule named "tran-f-ceo-muser", all CEO
outgoing mails will stealthily be BCCed to stevezeng@soclab.novell and
admin@soclab.novell, but the CEO and everyone else do not know about the
hidden action. So I use Sentinel to collect MSExchange CmdletLogs, but I
encounter an issue. In this case, Exchange logs that the administrator
exadmin did this configuration and set up that when the CEO
(from=ceo@soclab.novell) sends out any mail, Exchange will BCC the mail to
stevezeng and admin
(BlindCopyTo={stevezeng@soclab.novell,admin@soclab.novell}). The
Exchange administrator can set from={A user,B user,C user......}, and
can also set BlindCopyTo={A,B,C,D....} with multiple mailbox users.
Management and the IT manager need to know in real time which
configurations are compliant and which configuration actions are
unauthorized. For example, the CEO has approved that his assistant
(cathy@soclab.novell) can receive and open the CEO`s email, but others
(stevezeng@soclab.novell and admin@soclab.novell) can not receive his
email via BCC.

I have some issues, as follows:
1. If BlindCopyTo or From has multiple users, {A@domain.name,
B@domain.com, C@domain.com, .....}, which Sentinel fields can map to
these usernames and domains?
2. If we use the two fields named sun and dun, I presume we will not use
multiple fields to map these usernames; then the sun field value is
perhaps {admin@soclab.novell, stevezeng@soclab.novell,
huchang@soclab.novell, ......} and the dun field value is
ceo@soclab.novell. How can I write the correlation rule?

The s_RXBufferString field message (after some processing) in my dump
file looks like the following:

"Index:81EntryType:InformationInstanceId:1073741825Message:Cmdlet
suceeded. Cmdlet New-TransportRule, parameters
{Name=tran-f-ceo-bcc-muser, Comments=, Priority=0, Enabled=True,
From={ceo@soclab.novell}, BlindCopyTo={stevezeng@soclab.novell,
admin@soclab.novell}}.Category:GeneralCategoryNumber:1ReplacementStrings:{New-TransportRule,
{Name=tran-f-ceo-bcc-muser, Comments=, Priority=0, Enabled=True,
From={ceo@soclab.novell}, BlindCopyTo={stevezeng@soclab.novell,
admin@soclab.novell}}, soclab.novell/Users/exadmin,
S-1-5-21-3874457998-3291786455-3773857442-1104,
S-1-5-21-3874457998-3291786455-3773857442-1104, ServerRemoteHost-EMC,
7780, , 171, 00:00:00.1718728, View Entire Forest: 'True', Configuration
Domain Controller: 'ADServer.soclab.novell', Preferred Global Catalog:
'ADServer.soclab.novell', Preferred Domain Controllers: '{
ADServer.soclab.novell }', , , }Source:MSExchange
CmdletLogsTimeGenerated:8/16/2013 9:45:07 AMTimeWritten:8/16/2013
9:45:07 AMUserName:"

The relevant portion of my collector development section in release.js is as follows:

Record.prototype.preParse = function(e) {
    if (this.CONNECTION_ERROR != null) {
        return false;
    }

    this.msg = "";
    if (this.CONNECTION_METHOD == "FILE") {
        this.msg = this.s_RXBufferString.trim();
    }
    return true;
}

// Split the body of a "{a, b, c}" list into trimmed, non-empty entries.
function splitList(str) {
    var parts = str.split(",");
    var out = [];
    for (var i = 0; i < parts.length; i++) {
        var s = parts[i].replace(/^\s+|\s+$/g, "");
        if (s.length > 0) {
            out.push(s);
        }
    }
    return out;
}

Record.prototype.parse = function(e) {
    if (this.s_RXBufferString == "" || this.s_RXBufferString.length == 0) {
        return false;
    }

    // Flatten the multi-line event text so the patterns below can match it.
    // Stripping every space (as the earlier version did) would also remove the
    // ", " and "Configuration Domain Controller" separators the patterns rely
    // on, so line breaks become spaces and runs of whitespace are collapsed.
    this.msg = this.msg.replace(/\r?\n/g, ' ');
    this.msg = this.msg.replace(/\s+/g, ' ');
    this.msg = this.msg.replace(/\s+:\s/g, ':');
    this.msg = this.msg.replace(/\s+:/g, ':');

    var m;

    // New-TransportRule: rule name, Enabled flag, From list, BlindCopyTo list,
    // the administrator account, the configuration DC and the event time.
    m = /^Index.*New-TransportRule.*ReplacementStrings:\{New-TransportRule, \{Name=(.*), Comments=.*Enabled=(.*), From=\{(.*)\}, BlindCopyTo=\{(.*)\}\}, (.*), S-[\d-]+, S-[\d-]+.*Configuration Domain Controller: '(.*)', Preferred Global Catalog.*CmdletLogsTimeGenerated:(.*)TimeWritten:.*UserName.*$/.exec(this.msg);
    if (m) {
        this.evt = "New-TransportRule";
        this.cv21 = m[1];   // rule name
        this.cv22 = m[2];   // Enabled
        var dmail = splitList(m[3]);   // From: mailbox(es) whose mail is copied
        if (dmail.length == 1) {
            this.temail = dmail[0];
            var tmptemail = dmail[0].split("@");
            this.dun = tmptemail[0];
            this.rv45 = tmptemail[1];
        } else if (dmail.length > 1) {
            this.dun = dmail.join(",");
        }
        var smail = splitList(m[4]);   // BlindCopyTo: hidden recipient(s)
        if (smail.length == 1) {
            this.iemail = smail[0];
            var tmpiemail = smail[0].split("@");
            this.sun = tmpiemail[0];
            this.rv35 = tmpiemail[1];
        } else if (smail.length > 1) {
            this.sun = smail.join(",");
        }
        this.euname = m[5];   // administrator who ran the cmdlet
        this.dhn = m[6];      // configuration domain controller
        e.setObserverEventTime(new Date(m[7]));
        return true;
    }

    // Set-TransportRule: only the event type is set for now.
    m = /^Index.*Set-TransportRule.*ReplacementStrings:\{(.*)\.\.\.\}Source:.*UserName.*$/.exec(this.msg);
    if (m) {
        this.evt = "Set-TransportRule";
        var tmpstr = m[1];   // parameter block, not yet mapped to fields
        return true;
    }

    // Mailbox audit log: delegate access to another user's mailbox.
    m = /^Operation.*LogonType.*Delegate.*ClientIPAddress.*:\s(\d+\.\d+\.\d+\.\d+)ClientMachineName.*MailboxOwnerUPN.*:\s(\S+).*MailboxOwnerSid.*LogonUserDisplayName.*:\s(\S+).*LogonUserSid.*MailboxResolvedOwnerName.*:\s(\S+).*LastAccessed.*$/.exec(this.msg);
    if (m) {
        this.evt = "Delegate";
        this.sip = m[1];
        this.temail = m[2];
        this.sun = m[3];
        this.dun = m[4];
        return true;
    }

    return false;
}

Record.prototype.normalize = function(e) {
    instance.SEND_EVENT = true;
    return true;
}

Record.prototype.postParse = function(e) {
    return true;
}


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=48412


Re: How to parse these fields and how to write the correlation

Before taking any of this too seriously, consider that I do not entirely
understand this event or the business case behind it.

On 08/16/2013 09:14 AM, steve zeng wrote:
> I have some trouble issues as following:
> 1. if BlindCopyTo or From user have multiple, {A@domail.name ,
> B@domain.com, C@domain.com ,.....}, which sentinel fields can map to
> these usernames and domains?


Have you tried adding these values into ExtendedInformation, if nothing
else? I'm not sure where they belong otherwise.

> 2. If we use two fields named sun and dun, I resumed we will not use
> multiple fields to map these username, then sun field perhaps value are:
> {admin@soclab.novell, stevezeng@soclab.novell, huchang@soclab.novell,
> .....}, dun field value is : ceo@soclab.novell, how can i write the
> correlation rule?


sun should probably always be a single user in the system. If there are
multiple other users being affected (also seems unlikely) by one change (I
would not personally consider setting multiple recipients on an e-mail or
something as multiple destination users, but rather modifying the rule of
one user who is the destination user to then spam other unrelated users)
then perhaps generate multiple events from this one.

Good luck.
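As an added example (not code from the post or from the Sentinel collector SDK), the script below parses the "Cmdlet ..., parameters {...}" block from the dump in the original post into lists, then expands the New-TransportRule into one record per From/BlindCopyTo pair, flagged against an approval list, which is the "one event per affected user" shape the reply suggests and the input a correlation rule would need for question 2. The SAMPLE message, the APPROVED_BCC map and the function names are constructed for this example; it is written in ES5 style so it also runs on the collector's Rhino engine.

```javascript
// Added example, not part of the original post or the collector SDK.
// Constructed sample shaped like the dump in the post, whitespace already collapsed.
var SAMPLE = "Index:81EntryType:InformationInstanceId:1073741825Message:Cmdlet " +
  "suceeded. Cmdlet New-TransportRule, parameters {Name=tran-f-ceo-bcc-muser, " +
  "Comments=, Priority=0, Enabled=True, From={ceo@soclab.novell}, " +
  "BlindCopyTo={stevezeng@soclab.novell, admin@soclab.novell}}.Category:General";

// Hypothetical approval list: mailbox owner -> delegates allowed to get BCC copies
// (the post says the CEO approved only cathy@soclab.novell).
var APPROVED_BCC = { "ceo@soclab.novell": ["cathy@soclab.novell"] };

// Returns {cmdlet, params}; braced values ({a, b}) become arrays, scalars stay
// strings, and an empty value such as "Comments=" becomes "".
function parseCmdletParams(msg) {
  var m = /Cmdlet ([\w-]+), parameters \{(.*?)\}\.Category:/.exec(msg);
  if (!m) { return null; }
  var params = {};
  // Each entry is "key=" followed by a {...} list or a scalar up to the next ", ".
  var re = /(\w+)=(\{[^}]*\}|[^,]*)(?:, |$)/g;
  var p;
  while ((p = re.exec(m[2])) !== null) {
    var v = p[2];
    if (v.charAt(0) === "{") {
      var items = v.slice(1, -1).split(",");
      params[p[1]] = [];
      for (var i = 0; i < items.length; i++) {
        var s = items[i].trim();
        if (s) { params[p[1]].push(s); }
      }
    } else {
      params[p[1]] = v;
    }
  }
  return { cmdlet: m[1], params: params };
}

// One record per (from, bcc) pair; authorized === false is what a correlation
// rule should alert on. Owner and delegate comparison is case-insensitive.
function auditBccRule(parsed, approved) {
  var out = [];
  if (!parsed || parsed.cmdlet !== "New-TransportRule") { return out; }
  var froms = [].concat(parsed.params.From || []);
  var bccs = [].concat(parsed.params.BlindCopyTo || []);
  for (var i = 0; i < froms.length; i++) {
    var allowed = approved[froms[i].toLowerCase()] || [];
    for (var j = 0; j < bccs.length; j++) {
      out.push({ rule: parsed.params.Name, from: froms[i], bcc: bccs[j],
                 authorized: allowed.indexOf(bccs[j].toLowerCase()) !== -1 });
    }
  }
  return out;
}
```

For the sample, both records come back with authorized false, since neither stevezeng nor admin is on the CEO's approved list.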