This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How to escape backslash CEF parser audit logging in NetWitness

KEVINDIENST
Beginner
Beginner

‎2018-05-22 11:00 AM

Scenario:

We have CEF audit logging enabled. 

Usernames are not parsed correctly since it removes the backslash for the active directory domain and concatenates the domain and username. 

 

i.e. 

Domain is CONTOSO

Username is BLARGH

 

result for user.src in CEF audit log 

contosoblargh

 

What I need is to split on CONTOSO\ and only have the actual username in the user.src key. 

 

Obviously for default admin/service accounts that are local it doesn't apply and parses fine. 

 

Any ideas?

Stephanie Rojas

0 Likes
6 REPLIES 6

EricPartington
Employee
Employee

‎2018-05-22 04:15 PM

The events are parsed via the CEF parser then I’m guessing?

 

What is the raw field for the user name that is getting collapsed? Can you share the raw CEF to test/play with?

 

Can you trace that field to cef.xml (are there any cef-custom.xml at play?) and to table-map(-custom).xml to see what the flow is?

 

If required you could post process that field for a specific device.type to split the user on known domains and create just the user (and put the domain in another field).

 

Seeing the raw would be handy

 

Then we can check the RFE to make sure the slash is carried through.

 

Eric

0 Likes

KEVINDIENST
Beginner
Beginner
In response to EricPartington

‎2018-05-23 02:58 PM

Raw CEF log event

May 23 2018 18:38:18 epoc-sa01 CEF:0|RSA|Security Analytics Audit|10.6.5.1|DATA_ACCESS|HttpRequest|6|rt=May 23 2018 18:38:18 suser=BLARGH\labuser sourceServiceName=SA_SERVER deviceExternalId=b6db4dd6-b617-4a0a-beee-ccb352e1b976 deviceProcessName=SA_SERVER outcome=Success

 

sessionid

    =    

6728489709983

time

    =    

2018-05-23T18:38:20.0

size

    =    

332

lc.cid

    =    

"LAB04"

device.ip

    =    

REDACTED

ipaddresses

    =    

REDACTED

device.type

    =    

"securityanalytics"

collectionMethod

    =    

"syslog"

device.class

    =    

"Analysis"

event.time.str

    =    

"May 23 2018 18:38:18"

product

    =    

"Security Analytics Audit"

version

    =    

"10.6.5.1"

event.type

    =    

"DATA_ACCESS"

event.desc

    =    

"HttpRequest"

severity

    =    

"6"

user.src

    =    

"BLARGHlabuser"

usernames

    =    

"BLARGHlabuser"

service.name

    =    

"SA_SERVER"

process

    =    

"SA_SERVER"

result

    =    

"Success"

event.name

    =    

"HttpRequest"

event.time

    =    

2018-05-23 18:38:18.000

usb.parser

    =    

"CEF"

msg.id

    =    

"securityanalytics"

event.cat.name

    =    

"Other.Default"

 

I've redacted a few meta keys and actual values just to prevent data leakage. 

0 Likes

EricPartington
Employee
Employee
In response to KEVINDIENST

‎2018-07-05 01:27 PM

Seems to be a bug in the CEF parser, have created an ticket to have that looked at an fixed if possible.

KEVINDIENST
Beginner
Beginner
In response to EricPartington

‎2018-07-10 12:24 PM

Thanks Eric, do you have the ticket handy? I'd like to open a case on my end and provide the Jira to my DSE to track. 

0 Likes

EricPartington
Employee
Employee

‎2018-07-10 12:25 PM

KEVINDIENST
Beginner
Beginner
In response to EricPartington

‎2018-09-18 01:48 PM

I believe this is fixed in 11.2? Is that correct? I've got 11.1.0.3 in my UAT environment and I'm still seeing the CEF escape issue. I'll verify again today. 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.