2015-09-24 06:07 AM
Hi all,
I'm looking for a way to show user activity based on logs from Active Directory (Identity Feed), the DHCP server, and the firewall.
I'm not sure of the meta created by the Identity Feed, or how to correlate it with logs from the DHCP server and firewall to report all user network activity. I suppose that I need to find the IP address of the workstation on which the user is logged on, and then correlate it with the firewall logs.
Regards
Marcin
2015-10-08 05:59 PM
Marcin,
Using the Identity Feed baked into SA is definitely one way to do this. Identity leverages Windows messages (Win2K8 = 4624, 4769, 4770, 4773; Win2K3 = 528, 540, 673, 674) which are typically found on domain controllers in the Security channel. However, I have seen cases where these logs are incorrect based on the customer's environment.
One way we were able to work around this is by pulling user name, IP, computer and domain out of their McAfee ePO database on a schedule. It happened to be more accurate. A little bit of middleware may be required to get it into a CSV. From there you can set it up as a recurring feed like any other IP-index-based feed. You can drop the resulting meta in any meta categories you choose. You could probably do the same thing with other security devices.
-Mike
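As an added example, not code from the thread, from RSA or from McAfee, here is a Python sketch of the kind of middleware Mike describes and of the correlation Marcin asks about. It binds each user to an IP for a bounded interval (from the 4624 logon event until the covering DHCP lease expires, or until a different user logs on from the same address), attributes firewall lines against those intervals, and writes an IP-indexed CSV snapshot suitable for a recurring feed. All records are constructed; the CSV columns, the key=value firewall layout and the 8-hour fallback window for IPs with no lease are assumptions, not the Security Analytics feed format or any vendor's log schema.

```python
"""Added example: time-bounded user-to-IP attribution from AD, DHCP and firewall logs.

Constructed sample data; column layouts are assumptions for illustration only.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed 4624-style events: (timestamp, account, domain, workstation, logon type, source IP).
# Interactive logons (type 2) usually carry "-" or 127.0.0.1 as the address, so they cannot
# place a user on the network; machine accounts (trailing "$") are not users.
LOGON_EVENTS = [
    ("2015-09-24T08:01:10", "marcin", "CORP", "WS-101", 2, "-"),
    ("2015-09-24T08:01:12", "marcin", "CORP", "WS-101", 3, "10.1.2.50"),
    ("2015-09-24T08:05:00", "WS-101$", "CORP", "WS-101", 3, "10.1.2.50"),
    ("2015-09-24T09:30:00", "svc_backup", "CORP", "BKP01", 3, "10.1.2.9"),
    ("2015-09-24T12:15:00", "anna", "CORP", "WS-117", 3, "10.1.2.50"),  # same IP, new user
]

# Constructed DHCP leases: (ip, mac, hostname, lease start, lease end). 10.1.2.9 has none (static).
DHCP_LEASES = [
    ("10.1.2.50", "aa:bb:cc:00:00:01", "WS-101", "2015-09-24T07:59:00", "2015-09-24T11:59:00"),
    ("10.1.2.50", "aa:bb:cc:00:00:17", "WS-117", "2015-09-24T12:10:00", "2015-09-24T16:10:00"),
]

# Constructed firewall lines in an assumed key=value layout.
FIREWALL_LOGS = [
    "2015-09-24T08:20:00 src=10.1.2.50 dst=203.0.113.7 dport=443 action=allow",
    "2015-09-24T12:40:00 src=10.1.2.50 dst=198.51.100.9 dport=22 action=deny",
    "2015-09-24T13:00:00 src=10.1.2.77 dst=203.0.113.7 dport=80 action=allow",
]

FALLBACK_SESSION = timedelta(hours=8)  # assumed bound for IPs with no DHCP lease


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def usable_ip(value):
    """True for a real unicast address; "-" and loopback are rejected."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified)


def build_sessions(logon_events, dhcp_leases, fallback=FALLBACK_SESSION):
    """Turn logon events into [start, end) intervals binding an IP to a user.

    A session ends at the covering DHCP lease's expiry (or start+fallback when no
    lease covers the logon) and is cut short if a different user logs on from the
    same IP, so a reassigned address is never attributed to two people at once.
    """
    sessions = []
    for ts_s, account, domain, computer, _ltype, ip in sorted(logon_events):
        if account.endswith("$") or not usable_ip(ip):
            continue
        ts = parse_ts(ts_s)
        end = ts + fallback
        for l_ip, _mac, _host, l_start, l_end in dhcp_leases:
            if l_ip == ip and parse_ts(l_start) <= ts < parse_ts(l_end):
                end = parse_ts(l_end)
                break
        for s in sessions:  # close the previous holder of this IP
            if s["ip"] == ip and s["user"] != account and s["start"] <= ts < s["end"]:
                s["end"] = ts
        sessions.append({"ip": ip, "user": account, "domain": domain,
                         "computer": computer, "start": ts, "end": end})
    return sessions


def user_at(sessions, ip, ts):
    """Return the session active for ip at ts, or None."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= ts < s["end"]:
            return s
    return None


def attribute(firewall_logs, sessions):
    """Map each firewall line to (timestamp, src IP, user or None)."""
    out = []
    for line in firewall_logs:
        ts_s, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        s = user_at(sessions, kv["src"], parse_ts(ts_s))
        out.append((ts_s, kv["src"], s["user"] if s else None))
    return out


def to_feed_csv(sessions, as_of_s):
    """Snapshot of who holds each IP at as_of, as an IP-indexed CSV (assumed columns)."""
    as_of = parse_ts(as_of_s)
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ip", "user", "domain", "computer"])
    for ip in sorted({s["ip"] for s in sessions}, key=ipaddress.ip_address):
        s = user_at(sessions, ip, as_of)
        if s:
            w.writerow([ip, s["user"], s["domain"], s["computer"]])
    return buf.getvalue()


if __name__ == "__main__":
    sess = build_sessions(LOGON_EVENTS, DHCP_LEASES)
    for row in attribute(FIREWALL_LOGS, sess):
        print(row)
    print(to_feed_csv(sess, "2015-09-24T12:30:00"))
```

The point of the lease bound is visible in the sample: the 12:40 connection from 10.1.2.50 is attributed to anna, not to marcin, because marcin's lease on that address had expired and anna had since logged on from it. A plain "last user seen on this IP" lookup, which is what a static IP-indexed feed gives you, would get that wrong whenever addresses are recycled, so the feed should be regenerated often and the firewall timestamp should be checked against the session interval, not just the IP.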
2015-09-28 06:55 PM
I've been struggling with this one for a while; it's compounded by our lack of a packet decoder.
You probably want to create custom alerts based on your various logs and then write a custom parser (Lua) that does your correlation for you and populates your meta keys.
Just my $0.02, so I can be notified if/when anyone does ever answer this.
2015-10-08 05:16 PM
Here is one way to generate and consume the identity feed using the Windows logs collected by the Log Collector.
Windows collection - https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/135_LogCollectGds/93_WinProto/10_WinProc/00_CnfgWinESRec
ID feed generation on Log Collector - Configure Identity Feed Event Destinations (Beta) - RSA Security Analytics Documentation
Pushing feed to Log Decoder - https://sadocs.emc.com/0_en-us/089_105InfCtr/31_LivRes/20_AddProc/MngCustFds/CrIdFd
Use your Log Collector's URL (http://<hostname>/<feeddatafile>.feed) while configuring the push to Log Decoder:
http://<logcollector-ip-address>:50101/event-processors/<processor-name>?msg=getFile&force-content-type=application/octet-stream&expiry=600
Once you have the feeds set up to be pushed to Log Decoder in recurring mode you should see the following new meta for relevant logs.
2015-12-07 06:31 PM
I'd like to know a bit more about this:
I can't seem to get this working (which may be related to being in a "shared-services" set up, but let's not get ahead of ourselves).
"Use your Log Collector's URL (http://<hostname>/<feeddatafile>.feed) while configuring the push to Log Decoder. http://<logcollector-ip-address>:50101/event-processors/<processor-name>?msg=getFile&force-content-type=application/octet-stream&expiry=600"
I can't figure out which specific file I should be putting in which input field. The file can't seem to be found, no matter what I do. Do I need to configure a local "service account" on the appliance to use authentication, or is this my logon for SA?