
rn, cid tags and their importance

TiagoCardoso (Beginner)
‎2018-04-30 05:45 AM

Hello,

I have a question about the logs:

What is the meaning of the tags "rn" and "cid" and their importance for first-line analysis?

%NICWIN-4-Security_4673_Microsoft-Windows-Security-Auditing: Security,rn=554470018 cid=704 eid=696,Sun Apr 29 11:26:07 2018,4673,Microsoft-Windows-Security-Auditing,,Audit Failure,host.domain.com,Sensitive Privilege Use,,A privileged service was called. Subject: Security ID: S-1-5-20 Account Name: host Account Domain: domain Logon ID: 0x3E4 Service: Server: NT Local Security Authority / Authentication Service Service Name: LsaRegisterLogonProcess() Process: Process ID: 0x2b8 Process Name: C:\Windows\System32\lsass.exe Service Request Information: Privileges: X
3 REPLIES

JohnKisner (Trusted Contributor)
‎2018-04-30 11:27 AM

I believe the cid is the Log Collector ID number. It should match up with the internal Netwitness ID number that represents the log collector that the log came in on. It is unlikely that you have 704 Netwitness devices in your environment; however, every time a device is removed and added back, the ID numbers increment. My guess is that rn probably means the Remote session ID Number. This may represent the internal ID number of the log when it was collected by the Log Collector.

These are guesses based off my experience with Netwitness. If anyone else has a more definitive answer, please provide it.

JoshRandall (Valued Contributor)
‎2018-04-30 12:25 PM

The "rn=" value corresponds to the EventRecordID, the "cid=" value corresponds to the ThreadID, and the "eid=" value corresponds to the Execution ProcessID:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673

The eid value (Execution ProcessID) is the pid of the process that ran the task. This is a decimal representation of the same information from the "Process ID: 0x2b8" (hexadecimal) section of your logs, so from an analyst's perspective knowing the PID is valuable info, plus if there's ever a mismatch between these 2 numbers, that could be interesting.

For the other two, I don't know how an analyst might find them useful in an investigation.

Mr. Mongo
LeonardC (Trusted Contributor)
‎2018-05-02 09:45 AM

The "rn=" may not be interesting to an analyst during investigation, but from a log collection validation standpoint it can be used to determine if you are getting all the logs from the Windows system that you are collecting from, or if you are collecting Windows logs in two different locations. For example, if you are collecting from a single server from two different log collection systems, you can use the "rn=" to reconcile the events between the two systems to make sure there are no missing events in the collections.

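As an added example (not code from the thread or from NetWitness), the following Python script ties together the two replies above: it pulls rn/cid/eid out of a line shaped like the one in the question, checks the eid against the hexadecimal "Process ID:" in the message body as the second reply suggests, and reconciles the EventRecordIDs (rn) seen by two collectors of the same source as the third reply describes. The sample line is a constructed copy of the poster's log line with generic host names; the function names, the second collector and its record IDs are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample line, shaped like the %NICWIN line quoted in the question.
SAMPLE_LINE = (
    "%NICWIN-4-Security_4673_Microsoft-Windows-Security-Auditing: Security,"
    "rn=554470018 cid=704 eid=696,Sun Apr 29 11:26:07 2018,4673,"
    "Microsoft-Windows-Security-Auditing,,Audit Failure,host.domain.com,"
    "Sensitive Privilege Use,,A privileged service was called. Subject: "
    "Security ID: S-1-5-20 Account Name: host Account Domain: domain Logon ID: 0x3E4 "
    "Service: Server: NT Local Security Authority / Authentication Service "
    "Service Name: LsaRegisterLogonProcess() Process: Process ID: 0x2b8 "
    "Process Name: C:\\Windows\\System32\\lsass.exe Service Request Information: Privileges: X"
)

# rn = EventRecordID, cid = ThreadID, eid = Execution ProcessID (decimal), per the second reply.
HEADER_RE = re.compile(r"rn=(?P<rn>\d+)\s+cid=(?P<cid>\d+)\s+eid=(?P<eid>\d+)")
# The Windows event ID is embedded in the %NICWIN message tag, e.g. _4673_.
EVENT_ID_RE = re.compile(r"_(?P<event_id>\d+)_Microsoft-Windows-Security-Auditing")
# "Process ID: 0x2b8" inside the message body (hex); "Logon ID: 0x3E4" is deliberately not matched.
PID_RE = re.compile(r"Process ID:\s*(?P<pid>0x[0-9A-Fa-f]+)")


@dataclass
class WinEvent:
    event_id: int
    rn: int                  # EventRecordID
    cid: int                 # ThreadID of the logging process
    eid: int                 # Execution ProcessID of the logging process
    body_pid: Optional[int]  # "Process ID:" from the message body, or None if absent


def parse_event(line: str) -> WinEvent:
    """Extract the rn/cid/eid header fields plus event ID and body PID from one log line."""
    header = HEADER_RE.search(line)
    if header is None:
        raise ValueError("no rn/cid/eid header found in line")
    ev = EVENT_ID_RE.search(line)
    pid = PID_RE.search(line)
    return WinEvent(
        event_id=int(ev.group("event_id")) if ev else 0,
        rn=int(header.group("rn")),
        cid=int(header.group("cid")),
        eid=int(header.group("eid")),
        body_pid=int(pid.group("pid"), 16) if pid else None,
    )


def pid_consistent(ev: WinEvent) -> Optional[bool]:
    """True when the decimal eid equals the hex body PID, None when the body carries no PID."""
    if ev.body_pid is None:
        return None
    return ev.eid == ev.body_pid


def record_ids(lines: Iterable[str]) -> List[int]:
    """Collect the rn (EventRecordID) values from a batch of lines, skipping unparseable ones."""
    out = []
    for line in lines:
        try:
            out.append(parse_event(line).rn)
        except ValueError:
            continue
    return out


def reconcile(rns_a: Iterable[int], rns_b: Iterable[int]) -> Tuple[List[int], List[int], List[int]]:
    """Compare EventRecordIDs seen by two collectors of the same source log.

    Returns (only_in_a, only_in_b, gaps): records one side saw but the other missed,
    and record IDs absent from BOTH sides within the observed ID range, which point
    to events that neither collector received.
    """
    a, b = set(rns_a), set(rns_b)
    union = a | b
    gaps: List[int] = []
    if union:
        lo, hi = min(union), max(union)
        gaps = [n for n in range(lo, hi + 1) if n not in union]
    return sorted(a - b), sorted(b - a), gaps


if __name__ == "__main__":
    ev = parse_event(SAMPLE_LINE)
    print(ev, "eid matches body PID:", pid_consistent(ev))
    # Constructed feeds from two hypothetical collectors, varying only the rn value.
    feed_a = [SAMPLE_LINE.replace("rn=554470018", f"rn={n}") for n in (100, 101, 102, 104)]
    feed_b = [SAMPLE_LINE.replace("rn=554470018", f"rn={n}") for n in (100, 102, 103, 104)]
    print("only_a, only_b, gaps:", reconcile(record_ids(feed_a), record_ids(feed_b)))
```

Two caveats worth keeping in mind when using this: EventRecordID is sequential only within a single Windows event log (channel), so reconcile records from the Security log against the Security log, never across channels; and the Execution ProcessID/ThreadID identify the process that wrote the event to the log, so for event IDs whose body names some other process the eid and body PID can legitimately differ. In the question's 4673 both refer to lsass.exe, which is why 0x2b8 and 696 agree.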
© 2022 RSA Security LLC or its affiliates. All rights reserved.