This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Why Sysmon when you have NWE

Anonymous
Not applicable
‎2017-03-10 10:03 AM

Eric Partington mentioned on his recent post Log - Sysmon 6 Windows Event Collection that a lot is being said about the use of Sysmon with logging solutions. 

 

As Incident Responders or even as simple malicious activity hunters one of the key sources of data we rely on daily is the ability to track all command execution and endpoint activity. Here at RSA we use NWE’s Behavioral Tracking to give the level of visibility that is comparable to what Sysmon is doing. Due to the importance of this type of visibility and the buzz that Sysmon is generating in having this data on your SIEM/Log solution, I felt that it is important to provide some guidance on how you can accomplish the same thing using NWE.

 

If you already have NWE deployed to your endpoints there is no need to configure or manage another solution. The question that needs to be answered is how to retrieve this data from NWE to feed your SIEM/Log solution. This is indeed possible, and with a little help from colleagues and peers (I can name you if you want) I started to play with an SQL query to retrieve such data from the NWE database. The following query is suitable to import NWE data into a SIEM/Log Management solution:

 

SELECT * FROM (SELECT 
      SE.PK_WinTrackingEvents,
      SE.EventUTCTIme,
      MA.MacAddress as src_mac,
      MA.LocalIp as src_ip,
      MA.MachineName,
      LOWER(PA.Path + FN.FileName) AS Source,
      MO.HashSHA256,
      LA.LaunchArguments AS SLA,
      CASE        
            WHEN SE.BehaviorFileOpenPhysicalDrive = 1 THEN 'OpenPhysicalDrive'
            WHEN SE.BehaviorFileReadDocument = 1 THEN 'ReadDocument'
            WHEN SE.BehaviorFileWriteExecutable = 1 THEN 'WriteExecutable'
            WHEN SE.BehaviorFileRenameToExecutable = 1 THEN 'RenameExecutable'
            WHEN SE.BehaviorProcessCreateProcess = 1 THEN 'CreateProcess'
            WHEN SE.BehaviorProcessCreateRemoteThread = 1 THEN 'CreateRemoteThread'
            WHEN SE.BehaviorProcessOpenOSProcess = 1 THEN 'OpenOSProcess'
            WHEN SE.BehaviorProcessOpenProcess = 1 THEN 'OpenProcess'
            WHEN SE.BehaviorFileSelfDeleteExecutable = 1 THEN 'SelfDelete'
            WHEN SE.BehaviorFileDeleteExecutable = 1 THEN 'DeleteExecutable'
            WHEN SE.BehaviorRegistryModifyBadCertificateWarningSetting = 1 THEN 'ModifyBadCertificateWarningSetting'
            WHEN SE.BehaviorRegistryModifyFirewallPolicy = 1 THEN 'ModifyFirewallPolicy'
            WHEN SE.BehaviorRegistryModifyInternetZoneSettings = 1 THEN 'ModifyInternetZoneSettings'
            WHEN SE.BehaviorRegistryModifyIntranetZoneBrowsingNotificationSetting = 1 THEN 'ModifyIntranetZoneBrowsingNotificationSetting'
            WHEN SE.BehaviorRegistryModifyLUASetting = 1 THEN 'ModifyLUASetting'
            WHEN SE.BehaviorRegistryModifyRegistryEditorSetting = 1 THEN 'ModifyRegistryEditorSetting'
            WHEN SE.BehaviorRegistryModifyRunKey = 1 THEN 'ModifyRunKey '
            WHEN SE.BehaviorRegistryModifySecurityCenterConfiguration = 1 THEN 'ModifySecurityCenterConfiguration'
            WHEN SE.BehaviorRegistryModifyServicesImagePath = 1 THEN 'ModifyServicesImagePath'
            WHEN SE.BehaviorRegistryModifyTaskManagerSetting = 1 THEN 'ModifyTaskManagerSetting'
            WHEN SE.BehaviorRegistryModifyWindowsSystemPolicy = 1 THEN 'ModifyWindowsSystemPolicy'
            WHEN SE.BehaviorRegistryModifyZoneCrossingWarningSetting = 1 THEN 'ModifyZoneCrossingWarningSetting'
      END AS Action,
      LOWER(SE.Path_Target + SE.FileName_Target) AS Destination,
      SE.LaunchArguments_Target AS TLA,
      se.HashSHA256_Target
FROM  
      dbo.WinTrackingEvents_P1 AS SE WITH(NOLOCK) 
      INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = SE.FK_Machines
      INNER JOIN dbo.MachineModulePaths AS MP WITH(NOLOCK) ON MP.PK_MachineModulePaths = SE.FK_MachineModulePaths
      INNER JOIN dbo.Modules AS MO WITH(NOLOCK) ON MO.PK_Modules = MP.FK_Modules
      INNER JOIN dbo.FileNames AS FN WITH(NOLOCK) ON FN.PK_FileNames = MP.FK_FileNames
      INNER JOIN dbo.Paths AS PA WITH(NOLOCK) ON PA.PK_Paths = MP.FK_Paths
      INNER JOIN dbo.LaunchArguments AS LA WITH(NOLOCK) ON LA.PK_LaunchArguments = SE.FK_LaunchArguments__SourceCommandLine
UNION
SELECT 
      SE.PK_WinTrackingEvents,
      SE.EventUTCTIme,
      MA.MacAddress as src_mac,
      MA.LocalIp as src_ip,
      MA.MachineName,
      LOWER(PA.Path + FN.FileName) AS Source,
      MO.HashSHA256,
      LA.LaunchArguments AS SLA,
      CASE        
            WHEN SE.BehaviorFileOpenPhysicalDrive = 1 THEN 'OpenPhysicalDrive'
            WHEN SE.BehaviorFileReadDocument = 1 THEN 'ReadDocument'
            WHEN SE.BehaviorFileWriteExecutable = 1 THEN 'WriteExecutable'
            WHEN SE.BehaviorFileRenameToExecutable = 1 THEN 'RenameExecutable'
            WHEN SE.BehaviorProcessCreateProcess = 1 THEN 'CreateProcess'
            WHEN SE.BehaviorProcessCreateRemoteThread = 1 THEN 'CreateRemoteThread'
            WHEN SE.BehaviorProcessOpenOSProcess = 1 THEN 'OpenOSProcess'
            WHEN SE.BehaviorProcessOpenProcess = 1 THEN 'OpenProcess'
            WHEN SE.BehaviorFileSelfDeleteExecutable = 1 THEN 'SelfDelete'
            WHEN SE.BehaviorFileDeleteExecutable = 1 THEN 'DeleteExecutable'
            WHEN SE.BehaviorRegistryModifyBadCertificateWarningSetting = 1 THEN 'ModifyBadCertificateWarningSetting'
            WHEN SE.BehaviorRegistryModifyFirewallPolicy = 1 THEN 'ModifyFirewallPolicy'
            WHEN SE.BehaviorRegistryModifyInternetZoneSettings = 1 THEN 'ModifyInternetZoneSettings'
            WHEN SE.BehaviorRegistryModifyIntranetZoneBrowsingNotificationSetting = 1 THEN 'ModifyIntranetZoneBrowsingNotificationSetting'
            WHEN SE.BehaviorRegistryModifyLUASetting = 1 THEN 'ModifyLUASetting'
            WHEN SE.BehaviorRegistryModifyRegistryEditorSetting = 1 THEN 'ModifyRegistryEditorSetting'
            WHEN SE.BehaviorRegistryModifyRunKey = 1 THEN 'ModifyRunKey '
            WHEN SE.BehaviorRegistryModifySecurityCenterConfiguration = 1 THEN 'ModifySecurityCenterConfiguration'
            WHEN SE.BehaviorRegistryModifyServicesImagePath = 1 THEN 'ModifyServicesImagePath'
            WHEN SE.BehaviorRegistryModifyTaskManagerSetting = 1 THEN 'ModifyTaskManagerSetting'
            WHEN SE.BehaviorRegistryModifyWindowsSystemPolicy = 1 THEN 'ModifyWindowsSystemPolicy'
            WHEN SE.BehaviorRegistryModifyZoneCrossingWarningSetting = 1 THEN 'ModifyZoneCrossingWarningSetting'
      END AS Action,
      LOWER(SE.Path_Target + SE.FileName_Target) AS Destination,
      SE.LaunchArguments_Target AS TLA,
      se.HashSHA256_Target
FROM  
      dbo.WinTrackingEvents_P0 AS SE WITH(NOLOCK) 
      INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = SE.FK_Machines
      INNER JOIN dbo.MachineModulePaths AS MP WITH(NOLOCK) ON MP.PK_MachineModulePaths = SE.FK_MachineModulePaths
      INNER JOIN dbo.Modules AS MO WITH(NOLOCK) ON MO.PK_Modules = MP.FK_Modules
      INNER JOIN dbo.FileNames AS FN WITH(NOLOCK) ON FN.PK_FileNames = MP.FK_FileNames
      INNER JOIN dbo.Paths AS PA WITH(NOLOCK) ON PA.PK_Paths = MP.FK_Paths
      INNER JOIN dbo.LaunchArguments AS LA WITH(NOLOCK) ON LA.PK_LaunchArguments = SE.FK_LaunchArguments__SourceCommandLine) t 
WHERE PK_WinTrackingEvents > ? ORDER By PK_WinTrackingEvents ASC‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

 

 

In this query the question mark “?” at the end of the last line needs to be automatically replaced by the previous highest entry already collected with the previous query execution. Each solution will have its own way of tracking and processing this query. In some solutions you may only need the portion between the main ()s group as they will build the rest automatically. Other solutions will probably require more work/tweaking.

 

For Netwitness for Logs, Chris Thomas‌ created a post here with all the details needed to accomplish this integration. I'm sure the same can be done with Splunk, ArcSight, Elastic, <insert your favorite solution here> so please feel free to post your experience to the comments section of this post.

 

Happy Hunting,

 

Rui

4 Comments
Anonymous
Not applicable
‎2017-03-13 03:00 PM
‎2017-03-13 03:00 PM

Here's a configuration example for use with Logstash on an ELK stack. Please follow your Logstash/ELK documentation on how to deploy the JDBC plug-in and other configurations, the MSSQL JDBC drivers will need to be installed. The main point the query needed a bit of tweaking in terms of the hash fields.

 

input {
  jdbc {
    jdbc_driver_library => "/opt/logstash/driver/sqljdbc_6.0/enu/jre8/sqljdbc42.jar"
    jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    jdbc_connection_string => "jdbc:sqlserver://<ip>\\<servername>:1433;databaseName=ECAT$PRIMARY"
    jdbc_user => "user"
    jdbc_password => "password"
    type => "nwe"
    schedule => "* * * * *"
    use_column_value => true
    tracking_column => pk_wintrackingevents
    statement => "SELECT * FROM (SELECT SE.PK_WinTrackingEvents as PK_WinTrackingEvents, SE.EventUTCTIme, MA.MacAddress as src_mac, MA.LocalIp as src_ip, MA.MachineName, LOWER(PA.Path + FN.FileName) AS Source, CONVERT(varchar(64),MO.HashSHA256,2) as SHA256, LA.LaunchArguments AS SLA, CASE        WHEN SE.BehaviorFileOpenPhysicalDrive = 1 THEN 'OpenPhysicalDrive' WHEN SE.BehaviorFileReadDocument = 1 THEN 'ReadDocument' WHEN SE.BehaviorFileWriteExecutable = 1 THEN 'WriteExecutable' WHEN SE.BehaviorFileRenameToExecutable = 1 THEN 'RenameExecutable' WHEN SE.BehaviorProcessCreateProcess = 1 THEN 'CreateProcess' WHEN SE.BehaviorProcessCreateRemoteThread = 1 THEN 'CreateRemoteThread' WHEN SE.BehaviorProcessOpenOSProcess = 1 THEN 'OpenOSProcess' WHEN SE.BehaviorProcessOpenProcess = 1 THEN 'OpenProcess' WHEN SE.BehaviorFileSelfDeleteExecutable = 1 THEN 'SelfDelete' WHEN SE.BehaviorFileDeleteExecutable = 1 THEN 'DeleteExecutable' WHEN SE.BehaviorRegistryModifyBadCertificateWarningSetting = 1 THEN 'ModifyBadCertificateWarningSetting' WHEN SE.BehaviorRegistryModifyFirewallPolicy = 1 THEN 'ModifyFirewallPolicy' WHEN SE.BehaviorRegistryModifyInternetZoneSettings = 1 THEN 'ModifyInternetZoneSettings' WHEN SE.BehaviorRegistryModifyIntranetZoneBrowsingNotificationSetting = 1 THEN 'ModifyIntranetZoneBrowsingNotificationSetting' WHEN SE.BehaviorRegistryModifyLUASetting = 1 THEN 'ModifyLUASetting' WHEN SE.BehaviorRegistryModifyRegistryEditorSetting = 1 THEN 'ModifyRegistryEditorSetting' WHEN SE.BehaviorRegistryModifyRunKey = 1 THEN 'ModifyRunKey ' WHEN SE.BehaviorRegistryModifySecurityCenterConfiguration = 1 THEN 'ModifySecurityCenterConfiguration' WHEN SE.BehaviorRegistryModifyServicesImagePath = 1 THEN 'ModifyServicesImagePath' WHEN SE.BehaviorRegistryModifyTaskManagerSetting = 1 THEN 'ModifyTaskManagerSetting' WHEN SE.BehaviorRegistryModifyWindowsSystemPolicy = 1 THEN 'ModifyWindowsSystemPolicy' WHEN SE.BehaviorRegistryModifyZoneCrossingWarningSetting = 1 THEN 'ModifyZoneCrossingWarningSetting' END AS Action, LOWER(SE.Path_Target + SE.FileName_Target) AS Destination, SE.LaunchArguments_Target AS TLA, CONVERT(varchar(64),se.HashSHA256_Target,2) as SHA256_Target FROM  dbo.WinTrackingEvents_P1 AS SE WITH(NOLOCK) INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = SE.FK_Machines INNER JOIN dbo.MachineModulePaths AS MP WITH(NOLOCK) ON MP.PK_MachineModulePaths = SE.FK_MachineModulePaths INNER JOIN dbo.Modules AS MO WITH(NOLOCK) ON MO.PK_Modules = MP.FK_Modules INNER JOIN dbo.FileNames AS FN WITH(NOLOCK) ON FN.PK_FileNames = MP.FK_FileNames INNER JOIN dbo.Paths AS PA WITH(NOLOCK) ON PA.PK_Paths = MP.FK_Paths INNER JOIN dbo.LaunchArguments AS LA WITH(NOLOCK) ON LA.PK_LaunchArguments = SE.FK_LaunchArguments__SourceCommandLine UNION SELECT SE.PK_WinTrackingEvents as PK_WinTrackingEvents, SE.EventUTCTIme, MA.MacAddress as src_mac, MA.LocalIp as src_ip, MA.MachineName, LOWER(PA.Path + FN.FileName) AS Source, CONVERT(varchar(64),MO.HashSHA256,2) as SHA256, LA.LaunchArguments AS SLA, CASE        WHEN SE.BehaviorFileOpenPhysicalDrive = 1 THEN 'OpenPhysicalDrive' WHEN SE.BehaviorFileReadDocument = 1 THEN 'ReadDocument' WHEN SE.BehaviorFileWriteExecutable = 1 THEN 'WriteExecutable' WHEN SE.BehaviorFileRenameToExecutable = 1 THEN 'RenameExecutable' WHEN SE.BehaviorProcessCreateProcess = 1 THEN 'CreateProcess' WHEN SE.BehaviorProcessCreateRemoteThread = 1 THEN 'CreateRemoteThread' WHEN SE.BehaviorProcessOpenOSProcess = 1 THEN 'OpenOSProcess' WHEN SE.BehaviorProcessOpenProcess = 1 THEN 'OpenProcess' WHEN SE.BehaviorFileSelfDeleteExecutable = 1 THEN 'SelfDelete' WHEN SE.BehaviorFileDeleteExecutable = 1 THEN 'DeleteExecutable' WHEN SE.BehaviorRegistryModifyBadCertificateWarningSetting = 1 THEN 'ModifyBadCertificateWarningSetting' WHEN SE.BehaviorRegistryModifyFirewallPolicy = 1 THEN 'ModifyFirewallPolicy' WHEN SE.BehaviorRegistryModifyInternetZoneSettings = 1 THEN 'ModifyInternetZoneSettings' WHEN SE.BehaviorRegistryModifyIntranetZoneBrowsingNotificationSetting = 1 THEN 'ModifyIntranetZoneBrowsingNotificationSetting' WHEN SE.BehaviorRegistryModifyLUASetting = 1 THEN 'ModifyLUASetting' WHEN SE.BehaviorRegistryModifyRegistryEditorSetting = 1 THEN 'ModifyRegistryEditorSetting' WHEN SE.BehaviorRegistryModifyRunKey = 1 THEN 'ModifyRunKey ' WHEN SE.BehaviorRegistryModifySecurityCenterConfiguration = 1 THEN 'ModifySecurityCenterConfiguration' WHEN SE.BehaviorRegistryModifyServicesImagePath = 1 THEN 'ModifyServicesImagePath' WHEN SE.BehaviorRegistryModifyTaskManagerSetting = 1 THEN 'ModifyTaskManagerSetting' WHEN SE.BehaviorRegistryModifyWindowsSystemPolicy = 1 THEN 'ModifyWindowsSystemPolicy' WHEN SE.BehaviorRegistryModifyZoneCrossingWarningSetting = 1 THEN 'ModifyZoneCrossingWarningSetting' END AS Action, LOWER(SE.Path_Target + SE.FileName_Target) AS Destination, SE.LaunchArguments_Target AS TLA, CONVERT(varchar(64),se.HashSHA256_Target,2) as SHA256_Target FROM  dbo.WinTrackingEvents_P0 AS SE WITH(NOLOCK) INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = SE.FK_Machines INNER JOIN dbo.MachineModulePaths AS MP WITH(NOLOCK) ON MP.PK_MachineModulePaths = SE.FK_MachineModulePaths INNER JOIN dbo.Modules AS MO WITH(NOLOCK) ON MO.PK_Modules = MP.FK_Modules INNER JOIN dbo.FileNames AS FN WITH(NOLOCK) ON FN.PK_FileNames = MP.FK_FileNames INNER JOIN dbo.Paths AS PA WITH(NOLOCK) ON PA.PK_Paths = MP.FK_Paths INNER JOIN dbo.LaunchArguments AS LA WITH(NOLOCK) ON LA.PK_LaunchArguments = SE.FK_LaunchArguments__SourceCommandLine) t WHERE PK_WinTrackingEvents > :sql_last_value "
    jdbc_paging_enabled => "true"
    jdbc_page_size => "50000"
    clean_run => false
  }
}

 

Enjoy,

 

Rui

Anonymous
Not applicable
‎2017-03-16 05:45 AM
‎2017-03-16 05:45 AM

Next up, some details on how to do this with Splunk. You will need to follow Splunk documentation on how to install Splunk DB Connect and the MSSQL JDBC Drivers for it. Their latest documentation is here.

 

Once that is installed and running you will need to create an identity (username & password - don't forget to create an SQL User on the NWE DB for this first) to connect to the NWE DB and a connection (DB details) as shown below:

 

DB_Connection.png

 

Once the connection is setup you can create your DB Input for data collection. The screenshot is just too big to be of any use so the resulting inputs.conf is shown below instead.

 

[mi_input://ECAT_Tracking]
connection = ECAT
enable_query_wrapping = 1
index = main
input_timestamp_column_fullname = (002) NULL.EventUTCTIme.datetime2
input_timestamp_column_name = EventUTCTIme
interval = 60
max_rows = 10000
mode = tail
output_timestamp_format = yyyy-MM-dd HH:mm:ss
query = SELECT \
      SE.PK_WinTrackingEvents,\
      SE.EventUTCTIme,\
      MA.MachineName,\
      LOWER(PA.Path + FN.FileName) AS Source,\
      MO.HashSHA256,\
      LA.LaunchArguments AS SLA,\
      CASE        \
            WHEN SE.BehaviorFileOpenPhysicalDrive = 1 THEN 'OpenPhysicalDrive'\
            WHEN SE.BehaviorFileReadDocument = 1 THEN 'ReadDocument'\
            WHEN SE.BehaviorFileWriteExecutable = 1 THEN 'WriteExecutable'\
            WHEN SE.BehaviorFileRenameToExecutable = 1 THEN 'RenameExecutable'\
            WHEN SE.BehaviorProcessCreateProcess = 1 THEN 'CreateProcess'\
            WHEN SE.BehaviorProcessCreateRemoteThread = 1 THEN 'CreateRemoteThread'\
            WHEN SE.BehaviorProcessOpenOSProcess = 1 THEN 'OpenOSProcess'\
            WHEN SE.BehaviorProcessOpenProcess = 1 THEN 'OpenProcess'\
            WHEN SE.BehaviorFileSelfDeleteExecutable = 1 THEN 'SelfDelete'\
            WHEN SE.BehaviorFileDeleteExecutable = 1 THEN 'DeleteExecutable'\
            WHEN SE.BehaviorRegistryModifyBadCertificateWarningSetting = 1 THEN 'ModifyBadCertificateWarningSetting'\
            WHEN SE.BehaviorRegistryModifyFirewallPolicy = 1 THEN 'ModifyFirewallPolicy'\
            WHEN SE.BehaviorRegistryModifyInternetZoneSettings = 1 THEN 'ModifyInternetZoneSettings'\
            WHEN SE.BehaviorRegistryModifyIntranetZoneBrowsingNotificationSetting = 1 THEN 'ModifyIntranetZoneBrowsingNotificationSetting'\
            WHEN SE.BehaviorRegistryModifyLUASetting = 1 THEN 'ModifyLUASetting'\
            WHEN SE.BehaviorRegistryModifyRegistryEditorSetting = 1 THEN 'ModifyRegistryEditorSetting'\
            WHEN SE.BehaviorRegistryModifyRunKey = 1 THEN 'ModifyRunKey '\
            WHEN SE.BehaviorRegistryModifySecurityCenterConfiguration = 1 THEN 'ModifySecurityCenterConfiguration'\
            WHEN SE.BehaviorRegistryModifyServicesImagePath = 1 THEN 'ModifyServicesImagePath'\
            WHEN SE.BehaviorRegistryModifyTaskManagerSetting = 1 THEN 'ModifyTaskManagerSetting'\
            WHEN SE.BehaviorRegistryModifyWindowsSystemPolicy = 1 THEN 'ModifyWindowsSystemPolicy'\
            WHEN SE.BehaviorRegistryModifyZoneCrossingWarningSetting = 1 THEN 'ModifyZoneCrossingWarningSetting'\
      END AS Action,\
      LOWER(SE.Path_Target + SE.FileName_Target) AS Destination,\
      SE.LaunchArguments_Target AS TLA,\
      se.HashSHA256_Target\
FROM  \
      dbo.WinTrackingEvents_P1 AS SE WITH(NOLOCK) \
      INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = SE.FK_Machines\
      INNER JOIN dbo.MachineModulePaths AS MP WITH(NOLOCK) ON MP.PK_MachineModulePaths = SE.FK_MachineModulePaths\
      INNER JOIN dbo.Modules AS MO WITH(NOLOCK) ON MO.PK_Modules = MP.FK_Modules\
      INNER JOIN dbo.FileNames AS FN WITH(NOLOCK) ON FN.PK_FileNames = MP.FK_FileNames\
      INNER JOIN dbo.Paths AS PA WITH(NOLOCK) ON PA.PK_Paths = MP.FK_Paths\
      INNER JOIN dbo.LaunchArguments AS LA WITH(NOLOCK) ON LA.PK_LaunchArguments = SE.FK_LaunchArguments__SourceCommandLine\
UNION\
SELECT \
      SE.PK_WinTrackingEvents,\
      SE.EventUTCTIme,\
      MA.MachineName,\
      LOWER(PA.Path + FN.FileName) AS Source,\
      MO.HashSHA256,\
      LA.LaunchArguments AS SLA,\
      CASE        \
            WHEN SE.BehaviorFileOpenPhysicalDrive = 1 THEN 'OpenPhysicalDrive'\
            WHEN SE.BehaviorFileReadDocument = 1 THEN 'ReadDocument'\
            WHEN SE.BehaviorFileWriteExecutable = 1 THEN 'WriteExecutable'\
            WHEN SE.BehaviorFileRenameToExecutable = 1 THEN 'RenameExecutable'\
            WHEN SE.BehaviorProcessCreateProcess = 1 THEN 'CreateProcess'\
            WHEN SE.BehaviorProcessCreateRemoteThread = 1 THEN 'CreateRemoteThread'\
            WHEN SE.BehaviorProcessOpenOSProcess = 1 THEN 'OpenOSProcess'\
            WHEN SE.BehaviorProcessOpenProcess = 1 THEN 'OpenProcess'\
            WHEN SE.BehaviorFileSelfDeleteExecutable = 1 THEN 'SelfDelete'\
            WHEN SE.BehaviorFileDeleteExecutable = 1 THEN 'DeleteExecutable'\
            WHEN SE.BehaviorRegistryModifyBadCertificateWarningSetting = 1 THEN 'ModifyBadCertificateWarningSetting'\
            WHEN SE.BehaviorRegistryModifyFirewallPolicy = 1 THEN 'ModifyFirewallPolicy'\
            WHEN SE.BehaviorRegistryModifyInternetZoneSettings = 1 THEN 'ModifyInternetZoneSettings'\
            WHEN SE.BehaviorRegistryModifyIntranetZoneBrowsingNotificationSetting = 1 THEN 'ModifyIntranetZoneBrowsingNotificationSetting'\
            WHEN SE.BehaviorRegistryModifyLUASetting = 1 THEN 'ModifyLUASetting'\
            WHEN SE.BehaviorRegistryModifyRegistryEditorSetting = 1 THEN 'ModifyRegistryEditorSetting'\
            WHEN SE.BehaviorRegistryModifyRunKey = 1 THEN 'ModifyRunKey '\
            WHEN SE.BehaviorRegistryModifySecurityCenterConfiguration = 1 THEN 'ModifySecurityCenterConfiguration'\
            WHEN SE.BehaviorRegistryModifyServicesImagePath = 1 THEN 'ModifyServicesImagePath'\
            WHEN SE.BehaviorRegistryModifyTaskManagerSetting = 1 THEN 'ModifyTaskManagerSetting'\
            WHEN SE.BehaviorRegistryModifyWindowsSystemPolicy = 1 THEN 'ModifyWindowsSystemPolicy'\
            WHEN SE.BehaviorRegistryModifyZoneCrossingWarningSetting = 1 THEN 'ModifyZoneCrossingWarningSetting'\
      END AS Action,\
      LOWER(SE.Path_Target + SE.FileName_Target) AS Destination,\
      SE.LaunchArguments_Target AS TLA,\
      se.HashSHA256_Target\
FROM  \
       dbo.WinTrackingEvents_P0 AS SE WITH(NOLOCK) \
      INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = SE.FK_Machines\
      INNER JOIN dbo.MachineModulePaths AS MP WITH(NOLOCK) ON MP.PK_MachineModulePaths = SE.FK_MachineModulePaths\
      INNER JOIN dbo.Modules AS MO WITH(NOLOCK) ON MO.PK_Modules = MP.FK_Modules\
      INNER JOIN dbo.FileNames AS FN WITH(NOLOCK) ON FN.PK_FileNames = MP.FK_FileNames\
      INNER JOIN dbo.Paths AS PA WITH(NOLOCK) ON PA.PK_Paths = MP.FK_Paths\
      INNER JOIN dbo.LaunchArguments AS LA WITH(NOLOCK) ON LA.PK_LaunchArguments = SE.FK_LaunchArguments__SourceCommandLine
source = ecatdb
sourcetype = ecat_tracking_data
tail_rising_column_fullname = (001) NULL.PK_WinTrackingEvents.bigint
tail_rising_column_name = PK_WinTrackingEvents
ui_query_mode = advanced‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

 

The field names are not currently Splunk CIM compliant but I'm happy to adjust them in the query if someone wants to send me the appropriate mappings. Also please adjust your source, sourcetype and index accordingly, this is all much easier to do via the Splunk DB Connect App UI.

 

Here's an example of how your data would look and what you can do with it.

 

StatsExample.png

 

Happy Hunting,

 

Rui

VladimirPrevin
Beginner
Beginner
‎2017-03-20 02:14 AM
‎2017-03-20 02:14 AM

comments/ suggestions:

very very nice but some thoughts/questions: 

edit: oh I haven't read that part carefully : The database structure used by NWE may change at any time. No testing has been done to measure the impact on performance for a production NWE Server. [I suppose the latter depends on poll intervals for ODBC and general server load] 

 

a) package it via live and make it supported. 

😃  any plans?

 b) we were previously told there were some limitations to NWE tracking NOT showing all equivalent parent/target combos. 

The answer was complicated but basically it sounded like 'only some important and unique events are shown' . Can you confirm the status for that in  4.2.0.4 and 4.3.0.1? 

c) fix NWE for logs being able to do its own collation of Process parent and target info. 

d) are there unexpected side effects from collapsing the Tracking event flags into the action column (Pretty sure they're unique per tracking event so probably ok?). Is there any way to more generically collapse it to prevent reviewing the 'interesting flags'? 

e) expose the checksums (though correlating if you pipe all the hash types into CHECKSUM) is a pain . EDIT: ah ok, nevermind : HashSHA256_Target.MO.HashSHA256,

f) expose the signer info 

g) expose basic module source/target info. (opinions on the specific flags and properties vary e.g. autorun )

^how will that integration look in SA 12 ? 

e.g. context lookup module bits. and Bits fed to SA for module and autorun info as part of tracking events. [i know you have to draw a line somewhere but what's the intention]

h) integration to open module info by hash in ECATUI? via the ECATUI:// url? 

i) how compatible are the process and cmdline Winevent_nic key values from the windows event log parser vs the LaunchArguments_Target /source?

j) any plans to extend registry path monitoring (customer defined) for NWEndpoint? 

0 Likes
Anonymous
Not applicable
‎2017-03-20 04:52 AM
‎2017-03-20 04:52 AM

Hi Vladimir,

 

Thank you for the feedback/suggestions. I believe they mostly refer to the https://community.rsa.com/community/products/netwitness/blog/2017/03/10/investigations-with-endpoint-tracking-data post and that you have seen its disclaimers.

 

A few of your items are about the NWE product itself and/or a possible official integration, with that in mind can I kindly ask you that if you haven't already done this that you please submit these via RSA support so you can have an official answer from our Product Management team and they can also effectively track your needs!

 

Thank you,

 

Rui

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.