2019-12-13 12:23 PM
Hi all, I have a customer who is running Kaspersky and he doesn't have access to the SQL Express instance (it seems that the Kaspersky solution installs and creates its own DB engine with SQL Express, with a custom admin user, and it isn't available).
Long story short: the customer is sending to the NetWitness Log Collector (v. 11.3.2) a CEF syslog like this:
CEF:0|KasperskyLab|SecurityCenter|11.0.0.1131|GNRL_EV_VIRUS_FOUND|Se detectó un objeto malicioso|4|msg=Resultado: Detectados: HEUR:Trojan.Win32.Generic\r\nUsuario: NT AUTHORITY\\SYSTEM (Usuario del sistema)\r\nObjeto: F:\\odcavatrmwrfmgsnvrbjk.txt\r\nMotivo: Análisis de expertos\r\nFecha de lanzamiento de la base de datos: 12/13/2019 3:51:00 AM\r\nHash: 6397d76fcc16bc182173ddee33f13d5648ec2f8af8cc480640d7be5088a1a790\r\n rt=1576253094000 dhost=workstation1 dst=127.0.0.1 cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion cs4=6397d76fcc16bc182173ddee33f13d5648ec2f8af8cc480640d7be5088a1a790 cs4Label=SHA256 filePath=F:\\odcavatrmwrfmgsnvrbjk.txt cs1=HEUR:Trojan.Win32.Generic cs1Label=VirusName duser=NT AUTHORITY\\SYSTEM
Everything works pretty well, but I can't see the virusname in the metas.
I have checked the tablemap and the virusname is not transient.
I think I need to map the cs1 to the virusname meta, but the cs1 field is used for other things depending on the type of message.
Is there any way to tell the CEF parser "if the csLabel is virusname, then the cs1 value goes to the virusname meta"?
regards,
Max
2019-12-13 03:19 PM
Hi Max,
Yes, you can tailor which CEF keys go to which meta, including cs1. See here: https://community.rsa.com/docs/DOC-79189
Thanks,
Guy
2019-12-13 03:39 PM
Guy, thank you for your reply. I was wondering... if there are many events with cs1, and in one case cs1 is used to display the virusname and in another event cs1 is used for, let's say, a protection rule name... how can the custom CEF parser differentiate that? The only reference I have in the event is the cs1Label.
2019-12-13 05:01 PM
Hi Max,
Let me look into that. I'll also get the doc updated with an answer.
Thanks,
Guy
2019-12-13 05:05 PM
Hi Max,
The answer is there in the link shared by Williams above. Please find the info below:
To change existing CEF tag to NetWitness Meta key mapping defined in ExtentionKey for just one device, create a new or an overriding device2meta tag in cef-custom.xml as shown below.
The following code is in cef.xml:
:
<ExtensionKey cefName="proto" metaName="protocol">
    <device2meta device="rsaflow" metaName="ip_proto"/>
</ExtensionKey>
:
To change the CEF tag proto to be mapped to a new key, proto1, instead of the original ip_proto for the rsaflow device, add the following code to cef-custom.xml:
<DEVICEMESSAGES>
    <ExtensionKeys>
        <ExtensionKey cefName="proto" metaName="protocol">
            <device2meta device="rsaflow" metaName="proto1"/>
        </ExtensionKey>
    </ExtensionKeys>
</DEVICEMESSAGES>
In this case, you are changing CEF tag proto to be mapped to a new key, proto1, instead of the original, ip_proto, for device “rsaflow”.
Hope this helps!
2019-12-13 09:23 PM
Hi Guy, if you're going to check the doc, it would be great to clarify a little bit how the decoder and the CEF parser work, because I'm a little confused about how the CEF field to metakey mapping works... for example, in the event I have posted, there is a cs1=HEUR:Trojan.Win32.Generic and cs1Label=VirusName. Does that mean the decoder and CEF parser will map the extension key "virusname" to the given metakey? Because I have created a cef-custom.xml with the following, but it seems it isn't working... below is my cef-custom:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<DEVICEMESSAGES>
    <ExtensionKeys>
        <ExtensionKey cefName="virusname" metaName="virusname"/>
        <ExtensionKey cefName="sha256" metaName="checksum"/>
    </ExtensionKeys>
</DEVICEMESSAGES>
2019-12-13 09:25 PM
Thank you for your reply, Shishir, but I'm confused about that document... I have explained it in a little more detail in my reply to Guy.
regards!
2019-12-16 07:11 AM
Hi Max,
For example: cs1=HEUR:Trojan.Win32.Generic and cs1Label=VirusName, and for the same event source (for example, checkpointfw1) there is cs1=Scanner and cs1Label=ApplicationName.
You need to map the cs1 field in the cef-custom.xml:
<ExtensionKey cefName="cs1" metaName="cs_fld">
    <device2meta device="checkpointfw1" metaName="threat_name" label="VirusName"/>
    <device2meta device="checkpointfw1" metaName="application" label="ApplicationName"/>
</ExtensionKey>
<ExtensionKey cefName="cs1Label" metaName="cs_fld"/>
So the meta for the cs1 field of a certain event source is based on the label definition; otherwise, by default, in the above example it goes into cs_fld.
Now, if you are also collecting logs from another event source (for example, akamaikona) where cs1=Networkpolicy and cs1Label=PolicyName, the updated cef-custom.xml is:
<ExtensionKey cefName="cs1" metaName="cs_fld">
    <device2meta device="checkpointfw1" metaName="threat_name" label="VirusName"/>
    <device2meta device="checkpointfw1" metaName="application" label="ApplicationName"/>
    <device2meta device="akamaikona" metaName="policyname" label="PolicyName"/>
</ExtensionKey>
<ExtensionKey cefName="cs1Label" metaName="cs_fld"/>
Hope this helps.
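To make the two answers above concrete (the device-only proto override and the label-based cs1 override), here is an added example that models the described cef-custom.xml resolution on a constructed Kaspersky-style event. It is illustrative code, not NetWitness's parser; the device name "kaspersky" and the shortened sample event are assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed cef-custom.xml in the shape the thread describes: an ExtensionKey
# default metaName, overridden per device and optionally per "<cefName>Label" value.
CEF_CUSTOM_XML = """<DEVICEMESSAGES>
<ExtensionKeys>
<ExtensionKey cefName="cs1" metaName="cs_fld">
<device2meta device="kaspersky" metaName="threat_name" label="VirusName"/>
<device2meta device="akamaikona" metaName="policyname" label="PolicyName"/>
</ExtensionKey>
<ExtensionKey cefName="cs1Label" metaName="cs_fld"/>
<ExtensionKey cefName="proto" metaName="protocol">
<device2meta device="rsaflow" metaName="proto1"/>
</ExtensionKey>
</ExtensionKeys>
</DEVICEMESSAGES>"""

# Constructed, shortened Kaspersky-style event; the device name "kaspersky" is assumed.
SAMPLE = ("CEF:0|KasperskyLab|SecurityCenter|11.0.0.1131|GNRL_EV_VIRUS_FOUND|"
          "Malicious object detected|4|msg=Result: Detected: HEUR:Trojan.Win32.Generic "
          "rt=1576253094000 dhost=workstation1 cs2=KES cs2Label=ProductName "
          "cs1=HEUR:Trojan.Win32.Generic cs1Label=VirusName duser=NT AUTHORITY\\\\SYSTEM")

def load_mappings(xml_text):
    """Return {cefName: (default_meta, [(device, label_or_None, meta), ...])}."""
    rules = {}
    for ek in ET.fromstring(xml_text).iter("ExtensionKey"):
        overrides = [(d.get("device"), d.get("label"), d.get("metaName"))
                     for d in ek.findall("device2meta")]
        rules[ek.get("cefName")] = (ek.get("metaName"), overrides)
    return rules

def parse_cef(line):
    """Split the 7 pipe-delimited header fields from the key=value extension
    (values may contain spaces, keys may not; escaped pipes are left as-is)."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return parts[:7], ext

def map_event(line, device, rules):
    """Resolve each extension key to a meta name: the first device2meta whose device
    matches and whose label (if any) equals the event's <key>Label value wins,
    else the ExtensionKey default; keys without a rule keep their own name."""
    _, ext = parse_cef(line)
    meta = {}  # multi-valued, as NetWitness meta keys are
    for key, value in ext.items():
        target, overrides = rules.get(key, (key, []))
        for dev, label, name in overrides:
            if dev == device and label in (None, ext.get(key + "Label")):
                target = name
                break
        meta.setdefault(target, []).append(value)
    return meta
```

Running map_event(SAMPLE, "kaspersky", load_mappings(CEF_CUSTOM_XML)) puts the cs1 value under threat_name because cs1Label is VirusName, while the same event mapped as device "akamaikona" falls back to cs_fld since its only cs1 rule requires PolicyName.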