In the RSA NetWitness Platform 11.1.0.0 release, a new Windows parser has been introduced. This parser handles logs collected from Windows event sources via the RSA NetWitness Endpoint Agent.
The agent acts as a threat detection solution that detects malware, highlights suspicious activity for investigation, and instantly determines the scope of compromise to help security teams stop advanced threats faster.
Supported Windows OS Versions:
The Endpoint Agent can be deployed on Windows laptops, workstations, servers, or any other system, physical or virtual. The supported operating systems are:
Structure of Endpoint Agent Log:
The RSA NetWitness Endpoint Agent generates syslog-formatted logs. The format and structure of these logs are shown in the image below:
Every Windows log collected through the NetWitness Endpoint Agent consists of multiple tags separated by spaces, and every log has a header part and a payload part.
Header definition:
%MSWIN-Security-4672
Payload definition:
Agent=NWE AgentIP=1.1.1.1 AgentComputer=Srv01 AgentTime=2018-01-16T18:08:01.5144951Z TimeCreatedSystemTime=2018-01-16T18:06:56.0309840Z EventID=4672 Provider="Microsoft Windows security auditing." Channel=Security Level=Information Task="Special Logon" OpCode=Info Version=0 Keyword="Audit Success" ProcessID=460 Computer=Srv01 RecordId=34819 SubjectUser="NT AUTHORITY\SYSTEM" SubjectUserName=SYSTEM SubjectDomainName="NT AUTHORITY" SubjectLogonId=0x3e7 PrivilegeList="SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege" Message="Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege"
The payload contains all the tags that Microsoft Windows generates when an event occurs. The Message tag carries the complete raw text of that event.
Logs generated by supported Windows machines via the NetWitness Endpoint Agent are parsed by the latest NetWitness Windows parser, which supports parsing of every log from every Microsoft Windows channel.
This blog is intended to help users understand the various meta keys designed for and used in the latest NetWitness Windows parser. Specifically, it highlights meta key usage for the major Microsoft Windows channel types: System, Security and Application.
NetWitness Meta Key usage for Microsoft Windows tags:
We have collected many different tags from Microsoft Windows; the tags that matter from a security perspective are listed below. Each tag is mapped strictly to a NetWitness-defined meta key.
The meta keys used by the Windows parser for the Security channel are:
| Microsoft Windows Security Channel Tags | NetWitness Meta Key |
|---|---|
| Agent | client |
| AgentIP | alias.ip |
| AgentComputer | alias.host |
| AgentTime | event.time.str |
| TimeCreatedSystemTime | event.time |
| EventID | reference.id |
| Provider | event.source |
| Channel | event.log |
| Level | severity |
| Task | category |
| Version | version |
| ProcessID | process.id |
| Computer | event.computer |
| Message | event.desc |
| Keyword | event.type |
| SubjectDomainName | domain.src |
| ProviderName | event.source |
| AlgorithmName | crypto |
| ReturnCode | result.code |
| SubjectUser | event.user |
| TargetUser | user |
| ParentProcessName | process.src |
| LogonType | logon.type |
| SubjectUserName | user.src |
| TargetUserName | user.dst |
| TargetDomainName | domain.dst |
| ProcessName | process |
| IpAddress | ip.src |
| IpPort | sport |
| PrivilegeList | privilege |
| Accesses | accesses |
| Protocol | protocol |
| LogonProcessName | process |
| ObjectName | obj.name |
| KeyName | obj.name |
| ObjectServer | obj.server |
| ObjectType | obj.type |
| Service | service.name |
| NewUacValue | change.new |
| ProductName | product |
| SessionId | log.session.id |
| CallerProcessId | process.id.src |
| TransactionId | reference.id2 |
| WorkstationName | host.src |
| NotificationPackageName | obj.name |
| OldUacValue | change.old |
| ServiceName | service.name |
| Operation | action |
| PreviousTime | change.old |
| NewProcessId | process.id |
| CallerProcessName | process.src |
| TargetLogonId | log.session.id1 |
| NewProcessName | process |
| UserName | user |
| KeyLength | index |
| SecurityPackageName | obj.name |
| ServiceFileName | filename |
| Workstation | host.src |
| ProcessId | process.id |
| Categories | index |
| ServiceAccount | service.account |
| KeyFilePath | directory |
| NewTime | change.new |
| TargetServerName | host.dst |
| AuthenticationPackageName | auth.method |
| ImpersonationLevel | obj.name |
| CommandLine | param |
| DisplayName | fullname |
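To make the log structure and the tag-to-meta-key mapping concrete, here is an added Python example (not code from the RSA NetWitness Windows parser) that splits a constructed Endpoint Agent log line into its header and space-delimited key=value tags, handles quoted values that contain spaces, and maps a subset of the Security channel tags to the meta keys from the table above. The sample line, the dictionary and the function names are the example's own assumptions.

```python
import re

# Constructed sample line following the header + payload format shown above
# (values shortened; not a real capture).
SAMPLE_LOG = (
    '%MSWIN-Security-4672 Agent=NWE AgentIP=1.1.1.1 AgentComputer=Srv01 '
    'AgentTime=2018-01-16T18:08:01.5144951Z EventID=4672 '
    'Provider="Microsoft Windows security auditing." Channel=Security '
    'Level=Information Task="Special Logon" Keyword="Audit Success" '
    'SubjectUser="NT AUTHORITY\\SYSTEM" SubjectUserName=SYSTEM '
    'PrivilegeList="SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege" '
    'Message="Special privileges assigned to new logon. Subject: Security ID: S-1-5-18"'
)

# Subset of the Security channel tag -> NetWitness meta key table above.
SECURITY_META = {
    "Agent": "client", "AgentIP": "alias.ip", "AgentComputer": "alias.host",
    "AgentTime": "event.time.str", "EventID": "reference.id",
    "Provider": "event.source", "Channel": "event.log", "Level": "severity",
    "Task": "category", "Keyword": "event.type", "SubjectUser": "event.user",
    "SubjectUserName": "user.src", "PrivilegeList": "privilege",
    "Message": "event.desc",
}

# Header: %MSWIN-<Channel>-<EventID>, followed by the space-delimited payload.
HEADER_RE = re.compile(r"^%MSWIN-(?P<channel>[^-\s]+)-(?P<event_id>\d+)\s*")
# One tag: Key=value, where the value is either "quoted text" (may contain
# spaces) or a run of non-space characters.
TAG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_endpoint_log(line):
    """Return (header dict, payload tag dict) for one Endpoint Agent log line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an %MSWIN Endpoint Agent log line")
    header = {"channel": m.group("channel"), "event_id": int(m.group("event_id"))}
    tags = {key: (quoted if quoted else bare)
            for key, quoted, bare in TAG_RE.findall(line[m.end():])}
    return header, tags


def to_meta(tags, mapping):
    """Rename payload tags to NetWitness meta keys; unmapped tags are dropped."""
    return {mapping[k]: v for k, v in tags.items() if k in mapping}


def check_consistency(header, tags):
    """Header channel/event id must agree with the payload's Channel/EventID;
    a mismatch indicates a truncated or malformed line worth flagging."""
    return (tags.get("Channel") == header["channel"]
            and tags.get("EventID") == str(header["event_id"]))
```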
The meta keys used by the Windows parser for the System channel are as follows:
| Microsoft Windows System Channel Tags | NetWitness Meta Key |
|---|---|
| TimeCreatedSystemTime | event.time |
| EventID | reference.id |
| Provider | event.source |
| Channel | event.log |
| Level | severity |
| Version | version |
| ProcessID | process.id |
| Computer | event.computer |
| Message | event.desc |
| User | user |
| DeviceName | device.name |
| Status | result.code |
| ProcessPid | process.id |
| StopTime | endtime |
| Ipaddress | ip.src |
| ExtensibleModulePath | directory |
| FilePath | directory |
| GUID | log.session.id1 |
| Reason | result |
| ErrorDescription | result |
| DeviceName | device.name |
| Group | group |
| Status | disposition |
| ErrorCode | result.code |
| DCName | domain |
| ProcessPath | directory |
| ErrorMessage | index |
The meta keys used by the Windows parser for the Application channel are as follows:
| Microsoft Windows Application Channel Tags | NetWitness Meta Key |
|---|---|
| TimeCreatedSystemTime | event.time |
| EventID | reference.id |
| Provider | event.source |
| Channel | event.log |
| Level | severity |
| Version | version |
| ProcessID | process.id |
| Computer | event.computer |
| Message | event.desc |
| User | user |
Apart from the keys listed above, RSA NetWitness lets customers extract values from logs into their own custom meta keys using the custom parser methodology. A custom parser allows RSA NetWitness customers to define their own meta keys and populate them with values taken from the logs.
Comparison of NetWitness meta key usage between the winevent_nic parser and the Windows parser
The NetWitness Windows parser provides the following additional advantages compared with the winevent_nic parser.
Below is a comparison of meta key usage for Windows Security Event ID 4672. The screenshot on the left shows Windows logs parsed the old way, and the screenshot on the right shows Windows logs collected via the NetWitness Endpoint Agent and parsed by the new Windows parser.