This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Problems with Sysmon v8 Parsing

Go to solution
OlatundeIdowu
Beginner
Beginner

‎2018-11-06 12:08 PM

I'm trying to parse sysmon logs in Netwitness and I've updated the winevent_nic parser to the latest one on github. The problem is mostly with reference.id = '1'. The parent process is not getting parsed which really reduces the value of the logs. Any help with this will be appreciated.

 

Regards,

Olatunde

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
OlatundeIdowu
Beginner
Beginner

‎2018-11-09 09:44 AM

Apparently the parent process was being parsed but the metakey was not enabled. I had to enable the process.src meta key using the 'findmissing' script and copied the ouput to the table-map-custom.xml file on the log decoder.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)

‎2018-11-06 03:09 PM

Olatunde Idowu‌,

 

I've moved your question to the RSA NetWitness Platform" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA NetWitness Platform" data-type="space and click Ask A Question.  That way your question will appear in the correct space.

 

Regards,

Erica

0 Likes

Go to solution
EricPartington
Employee
Employee

‎2018-11-07 08:23 PM

can you provide a sample of those events to me via DM? I'd like to take a look and see what can be done

0 Likes

Go to solution
OlatundeIdowu
Beginner
Beginner

‎2018-11-09 09:44 AM

Apparently the parent process was being parsed but the metakey was not enabled. I had to enable the process.src meta key using the 'findmissing' script and copied the ouput to the table-map-custom.xml file on the log decoder.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.