NetWitness Community

VladimirPrevin · ‎2017-11-01

2 weeks ago winevent_nic parser was released with a fault for parsing command line as per device parser content releases need more transparency

I was hoping the content team have at least some of their 'things' together but alas:

1) on 1st Nov the content team has released (incl via live) v210 winevent_nic envision parser with the same fault (not parsing command line )

2) from Oct 16th to now - the faulty 209 parser has not been pulled from Live.

this was reported to RSA as a case and escalated 17-18th

anyone subscribing to the parser directly - note cmdline parsing isn't working correctly. e.g. powershell/cscript for win7.

needless to say we're delighted to see a complete lack of mmm....RSA having their things together with regards to the content release process vs logged defects for the parsers and testing .

VladimirPrevin · ‎2017-11-02

had a chat to support who had a look at the parser change on 1st Nov:

Basically a breaking change without customer comms (unless table-map custom should get updated with envision winevent_nic update automatically)

Content team decided to do a breaking change and remap event id 4688 (process creation) commandline via table-map to a new envision name (from info envision name to fld_cmdline), while keeping the target NwName the same :

old:

new:

essentially if your table-map doesn't have this you no longer get cmdline despite the same.

without any pre-comms.

this still doesn't address the faulty parser from 2 weeks ago staying on live. before this breaking change

NetWitness Community

winevent_nic 209,210 continued releases with faults for 2 weeks.