2014-01-29 04:50 AM
Hi SA community,
I am trying to create an alert in order to be informed when the Windows domain admin changes a user account to "never expire".
This is logged via event-id 4738 (security) in fact.
This event has many attributes though; the one related to my alert is under the "User Account Control" attribute --> 'Don't Expire Password'.
I wonder if SA keeps the related metadata of event-id 4738?
Has anyone experienced this kind of situation?
Thanks
Here is an example of such event:
A user account was changed. Subject: Security ID: NTD_xxx/Andyxxx Account Name: Andyxxx Account Domain: NTD_xxx Logon ID: 0xe8d8873 Target Account: Security ID: NTD_xxx/E_ATxxx Account Name: E_ATxxx Account Domain: NTD_xxx Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x210 User Account Control: 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
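The "Old UAC Value: 0x10 / New UAC Value: 0x210" pair in that event is what actually records the change. As an added example (not part of the thread or of SA), the following script parses a flattened 4738 message in the layout above, diffs the two UAC values bit by bit and reports whether Don't Expire Password was newly set on the target account; the bit names are the SAM-style USER_ACCOUNT_CONTROL flags that 4738 reports, and the sample message is constructed from the one quoted in the question.

```python
import re

# Bits of the "Old/New UAC Value" fields in event 4738. The event reports the
# SAM-style USER_ACCOUNT_CONTROL bits (not LDAP userAccountControl), so a plain
# account is 0x10 and "Don't Expire Password" is 0x200, matching the sample above.
UAC_BITS = {
    0x0001: "Account Disabled",
    0x0004: "Password Not Required",
    0x0010: "Normal Account",
    0x0200: "Don't Expire Password",
}
DONT_EXPIRE_PASSWORD = 0x0200

# Constructed sample in the single-line layout quoted in the question above.
SAMPLE_4738 = (
    "A user account was changed. Subject: Security ID: NTD_xxx/Andyxxx "
    "Account Name: Andyxxx Account Domain: NTD_xxx Logon ID: 0xe8d8873 "
    "Target Account: Security ID: NTD_xxx/E_ATxxx Account Name: E_ATxxx "
    "Account Domain: NTD_xxx Changed Attributes: SAM Account Name: - "
    "Old UAC Value: 0x10 New UAC Value: 0x210 "
    "User Account Control: 'Don't Expire Password' - Enabled "
    "User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -"
)


def parse_4738(text):
    """Pull actor, target and both UAC values out of a flattened 4738 message."""
    # Lookbehind skips "SAM Account Name:", leaving [subject, target].
    names = re.findall(r"(?<!SAM )Account Name:\s*(\S+)", text)
    old = re.search(r"Old UAC Value:\s*(0x[0-9A-Fa-f]+)", text)
    new = re.search(r"New UAC Value:\s*(0x[0-9A-Fa-f]+)", text)
    if len(names) < 2 or not old or not new:
        raise ValueError("not a complete 4738 message")
    return {"subject": names[0], "target": names[1],
            "old_uac": int(old.group(1), 16), "new_uac": int(new.group(1), 16)}


def uac_diff(old_uac, new_uac):
    """Return (bits turned on, bits turned off) as flag names; unmapped bits stay hex."""
    enabled, disabled = [], []
    for i in range(32):
        b = 1 << i
        if (old_uac ^ new_uac) & b:
            name = UAC_BITS.get(b, "unknown bit 0x%x" % b)
            (enabled if new_uac & b else disabled).append(name)
    return enabled, disabled


def never_expire_enabled(text):
    """True when this 4738 event newly sets Don't Expire Password on the target."""
    ev = parse_4738(text)
    return "Don't Expire Password" in uac_diff(ev["old_uac"], ev["new_uac"])[0]
```

Diffing the hex values rather than matching the free-text "User Account Control" line also catches the flag when several attributes change in one event.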
2014-01-30 01:38 PM
Hey Eates,
I think I can be helpful to you in this area. We are going to be looking at a couple of files here to create your alert. The first file is going to be the table-map.xml which is stored in /etc/netwitness/ng/envision/etc. Next we are going to be looking at and modifying the v20_winevent_nicmsg.xml for windows which is in /etc/netwitness/ng/envision/etc/devices/winevent_nic.
When you open the v20*.xml you are going to see what is the brains behind logs. If you do a quick search for Security_4738_Microsoft-Windows-Security-Auditing you will come to the event. I noticed right away that your log file has User Parameters: -, SID History: -, Logon Hours: -. Currently SA does not parse for that log file; this can be changed very easily if you have the means to do it. At this point I would suggest being in a tool such as Notepad++ for easier editing.
What you are going to want to do is add a new message above the message id of Security_4738_Microsoft-Windows-Security-Auditing:01, it will look as follows. Notice the change in id1= and the added values at the end for your event ID. You will also notice fld87 is bolded in my below message, this is the value you need to change. For this we will look in the table-map.xml, follow on below the message.
<MESSAGE
level="6"
parse="1"
parsedefvalue="1"
tableid="85"
id1="Security_4738_Microsoft-Windows-Security-Auditing:02"
id2="Security_4738_Microsoft-Windows-Security-Auditing"
eventcategory="1402020300"
summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"
content="<@ec_theme:UserGroup><@ec_subject:User><@ec_activity:Modify><@ec_outcome:Success><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)><@event_log:*HDR(msgIdPart1)><@expiration_time:*EVNTTIME($MSG,'%G/%F/%W %N:%U:%O %P',fld8)><@event_time:*EVNTTIME($HDR,'%B %F %H:%U:%O %W',Hdatetime)><@id:*HDR(msgIdPart2)><@event_source:Microsoft-Windows-Security-Auditing><@event_type:*HDR(Hevent_type)><@event_user:*HDR(Hevent_user)><@event_computer:*HDR(Hevent_computer)><@category:*HDR(Hcategory)><@fld61:*PARMVAL(username)><@fld63:*PARMVAL(domain)><event_description> Subject: Security ID: <sid> Account Name: <username> Account Domain: <domain> Logon ID: <sessionid> Target Account: Security ID: <fld39> Account Name: <c_username> Account Domain: <c_domain> Changed Attributes: <space> SAM Account Name: <user_fullname> Display Name: <param> Password Last Set: <fld7> Account Expires: <fld8> Primary Group ID: <groupid> AllowedToDelegateTo: <fld88> Old UAC Value: <change_old> New UAC Value: <change_new> User Account Control: <fld87> User Parameters: <fld90> SID History: <fld91> Logon Hours: <fld92> Additional Information: Privileges: <privilege>" />
When you open up the table-map.xml you are going to see a lot of values, this is how SA maps the parsed data to meta values. You are going to need to pick a value that makes sense for you and your company. Possibly use "risk" or any value that makes sense and take note of the nwName that is associated with it. Also make note of the flags value, this will come into question in the next paragraph.
So at this point you have made the new message in the .xml and used your value from the table-map.xml. Now it is a matter of finding it. The first thing is to restart the service on the log decoder; this will stop collecting momentarily, but you may want to do it during a time that is deemed acceptable by your company. Now comes the next question: do you want to make this searchable by an app rule or by a meta value?
If you choose a value whose flags value states transient, it will not be searchable on your concentrator without an app rule. But what you can do is create an app rule on your decoder which will catch the log and create an alert on it. If you are using the "risk" value, the app rule would look like this.
Rule Name: Password_Non_Expiring
Condition: risk = 'Don't Expire Password'
Session Data:
Session Options: alert on alert
On the other hand, if you want to index this value so it will show up in Investigator you are going to need to edit the table-map.xml and set the value in flags from transient to none. You are then going to need to look into the index-concentrator.xml within the SA interface. This can be accessed by selecting your log concentrator and selecting config. Once here go to files and pick it in the drop down.
Search for the nwName of the value that you have picked to be the meta key. For my example of risk you will see that it is not being indexed. In this case we are going to want to open the index-concentrator-custom.xml and add a new entry like below. You can rename the description to whatever you may like; this is just a human-readable format. For the name=, you need to keep this at the same name as the nwName.
<key description="Risk" level="IndexValues" name="risk" format="Text" valueMax="10000" defaultAction="Open"/>
It is a very smart idea to push the index-concentrator-custom.xml to all of your concentrators and keep them in sync.
Once you have edited these files, table-map.xml and index-concentrator-custom.xml, you are going to want to restart the services on both the concentrator and log decoder. The log decoder as before will stop collecting momentarily while you restart it. The concentrator can be restarted and should not lose any data.
With the first method of using an app rule, you will see the alert of the log. For the second method you are going to be seeing a new meta value of Risk, or whatever you named it, in your Investigator. Note: you can still use an app rule with the second method.
Please let me know if you have any questions! This is my first time giving instruction on editing parsed values to meet the needs of a company.
Note: if you are subscribed to the live update feed for envision content this will overwrite your changes when it updates. It is best to unsubscribe and push that out manually after backing up the values that you have changed in the table-map.xml and the v20*.xml.
2016-10-11 02:30 PM
Thanks Sean, the guide worked fairly well for my purposes. Just wondering, why is this not just in the parser by default? I would imagine being able to see my users not having a password expire is pretty important to security. I don't mind adding this back to the parser if there's an update, but genuinely curious.