device.host   = "############"
medium        = 32
device.type   = "winevent_nic"
device.class  = "Windows Hosts"
header.id     = "0004"
event.desc    = "A member was added to a security-enabled global group."
user.dst      = "SOC1"
domain        = "######"
user.src      = "SOC2"
group         = "###############"
ec.theme      = "UserGroup"
ec.subject    = "Group"
ec.activity   = "Modify"
ec.outcome    = "Success"
event.time    = 2019-11-28 17:16:56.000
reference.id  = "4728"
We have been following the Unified Data Model (UDM) standard in all our parsers, where:
user.dst stands for the primary user (the user performing the action).
user.src stands for the secondary user (the user on whom the action is being performed).
Now, just to give you an idea of how these keys were defined in UDM: while moving from enVision to NetWitness, we had a table-map that mapped enVision keys to NetWitness keys:
<mapping envisionName="c_username" nwName="user.src" flags="None" format="Text"/>
<mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
The username key was always the primary username in parsers, and hence user.dst was defined as the primary user in UDM.
Whereas the c_username key was always the client username in parsers, and hence user.src was defined as the secondary user in UDM.
So the selection of meta is done based on the UDM standard.
Reference for UDM Concepts on RSA NetWitness: https://community.rsa.com/docs/DOC-86375
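To make the mapping above concrete, here is an added example (not code from the original post or from NetWitness) that reads a table-map fragment in the same <mapping> form as the two lines quoted above, renames the keys of a constructed enVision-style record, and then reads the UDM roles back out so that event 4728 can be rendered as "actor added target to group". The extra group mapping, the pass-through of unmapped keys and the sample record are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed table-map fragment; the two user mappings mirror the ones quoted in the post,
# the group mapping is an assumption added for this example.
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="c_username" nwName="user.src" flags="None" format="Text"/>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="group" nwName="group" flags="None" format="Text"/>
</mappings>"""

# Constructed enVision-style record for a 4728 event (SOC1 adds SOC2 to a group).
# reference.id is kept in NetWitness form here for simplicity (assumption).
SAMPLE_ENVISION_EVENT = {
    "username": "SOC1",        # primary user: performs the action
    "c_username": "SOC2",      # client user: the action is performed on them
    "group": "EXAMPLE-GROUP",  # placeholder, the post masks the real group name
    "reference.id": "4728",
}

def load_table_map(xml_text):
    """Return {envisionName: nwName} from a table-map XML document."""
    root = ET.fromstring(xml_text)
    return {m.get("envisionName"): m.get("nwName") for m in root.iter("mapping")}

def to_netwitness(envision_event, table_map):
    """Rename enVision keys to NetWitness meta keys; unmapped keys pass through unchanged."""
    return {table_map.get(key, key): value for key, value in envision_event.items()}

def udm_roles(nw_event):
    """Under UDM, user.dst is the primary (acting) user and user.src the secondary (acted-upon) user."""
    return {"actor": nw_event.get("user.dst"), "target": nw_event.get("user.src")}

def describe_4728(nw_event):
    """Analyst-readable summary for event 4728 (member added to a security-enabled global group)."""
    if nw_event.get("reference.id") != "4728":
        return None
    roles = udm_roles(nw_event)
    return f"{roles['actor']} added {roles['target']} to group {nw_event.get('group')}"

if __name__ == "__main__":
    nw_event = to_netwitness(SAMPLE_ENVISION_EVENT, load_table_map(TABLE_MAP_XML))
    print(nw_event)
    print(describe_4728(nw_event))
```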