2018-09-20 05:49 AM
Hello everyone,
I recently noted that we are obtaining an error in the log decoder configurations.
Two of the rules that are configured are highlighted. The rules are nw30060 and account:logon-success-direct-access.
They have the following syntax:
nw30060: reference.id='528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')
account:logon-success-direct-access ((ec.activity='Logon' && ec.outcome='Success') || (event.cat.name='User.Activity.Successful Logins')) && logon.type='2','10'
I tried to test them in the reports view but I also noticed that the meta have disappeared and it is now retrieving the following information:
Schema fetched from data source is null for data source xxxxx. I tried to use all the data sources that we have and it stays the same.
Regards
2018-09-27 09:28 AM
Hello John,
You were right... that's a documentation problem that gives the information of 11.1 version when it should have 11.2.
Today, on a call with support regarding another situation, I referred the situation due to an extremely fast deployment of UEBA and they told me that was only for 11.2 and the documentation problem.
2018-09-27 09:47 AM
Thank you Renato. The person you were working with, did they say if a documentation ticket had been opened against it? If not, can you tell me who you were working with and I can talk with them directly.
2018-09-27 09:58 AM
Sorry John,
I don't remember if he said anything about the ticket...:(
We were working with EMEA engineers.