Global Audit Logging Operation Reference

This topic lists message types being logged by the various NetWitness components. Most messages plainly state the operation being logged; when necessary the meaning of the message is explained.

After you create a global audit logging configuration, audit logs automatically go to the external syslog system in the format specified in the selected audit logging template. The message types being logged by the various NetWitness components are shown in the following tables.

CARLOS

The following table lists the operations logged by CARLOS.

Serial # Operation Name Meaning
1 SetProviderConfiguration A new notification server (for example, SMTP server) was added or updated
2 SetInstanceConfiguration A new notification type (for example, email destination) was added or updated
3 SetTemplateDefinition A new template was added or updated
4 RemoveProviderConfiguration A notification server was removed
5 RemoveInstanceConfiguration A notification type was removed
6 RemoveTemplateDefinition A template definition was removed
7 Commit A configuration bean change was committed
8 Set A JMX property value was set via NetWitness Explore view

ESA

The following table lists the operations logged by the Event Stream Analysis (ESA).

Serial # Operation Name Meaning
9 SetSourceRequest A concentrator was added or updated to ESA as source
10 RemoveSourceRequest A concentrator was removed from ESA as source
11 SetEplModule An EPL module was deployed or updated to ESA
12 RemoveEplModule An EPL module was removed from ESA
13 SetEnrichmentSourceRequest An ESA enrichment source was added/updated
14 RemoveEnrichmentSourceRequest An ESA enrichment source was removed
15 SetDatabaseReference An enrichment database reference was made to ESA
16 UpdateEnrichmentData Data rows added to an ESA enrichment source
17 SetEnrichmentConnection A connection was made between an EPL module and an enrichment source
18 RemoveEnrichmentConnection A connection between an EPL module and an enrichment source was removed
19 DisableTrialModule ESA Trial rules were disabled

Investigation

The following table lists the operations logged by Investigations.

Serial # Operation Name Meaning
1 VisualizePreferences Operations related to Informer Visualization Request.
2 ParallelCoordinates Operations related to Loading of Co-Ordinate View Navigation.
3 TimeLine Operations related to Loading of Timeline View Navigation.
4 ExteralQuery Operation when a Direct Query is fired via URL.
5 PrintView Operations to open Investigation in Print View.
6 submitExtractFiles Operation to submit a Request to Extract files from Sessions.
7 submitExtractLogs Operation to submit a Request to Extract Logs from Sessions.
8 submitExtractPcap Operation to submit a Request to Extract Sessions from Sessions.
9 DataScienceDrill Operation to investigate from Data Science Report.
10 breadCrumbs Operation to access the Query Breadcrumbs.
11 Create Operation when a new Investigation Query is being saved as a predicate to be used for URL Integration.
12 userPredicates Operation to access Recent Queries of a user.
13 chartDefaultMetas Operation to access last used Meta for generating Coordinate Chart.
14 defaultDevice Operation to access the Default Investigation Device.
15 deleteDefaultDevice Operation to delete the Default Investigation Device.
16 chartPreferences Operation to edit an Investigation Navigation Chart Parameters such as Height.
17 devicePreferences Operation to save the preferences about the Investigation Device such as Time Range, Profile, Meta Groups etc.
18 topValues Operation to get the Top Values for Metas. Normally called from Top Values Dashlet.
19 MetaLanguages Operation to read the Meta Languages from a Device.
20 MetaGroups Operations related to Investigation Meta Groups.
21 DefaultMetaKeys Operations related to Investigation Default Meta Keys.
22 UpdateDefaultMetaKeys Operations to update Investigation Default Meta Keys.
23 UpdateMetaGroup Operations to update Investigation Meta Groups.
24 ApplyMetaGroup Operations to use Investigation Meta Groups.
25 DeactivateMetaGroup Operations to reset Investigation Meta Groups in UI.
26 DeleteMetaGroup Operations to remove Investigation Meta Group.
27 DeleteMetaGroups Operations to remove multiple Investigation Meta Groups.
28 ImportMetaGroups Operations to import Investigation Meta Groups.
29 ExportMetaGroup Operations to export multiple Investigation Meta Groups.
30 GeoMap Operation to access the Geo Map View of Investigation.
31 deleteEndpointCache Operation to clear Reconstruction Cache of a Device.
32 delete Operation to delete Alert Templates.
33 CustomColumnGroup Operation to apply or read Custom Column Group.
34 Import Operations related to Import of Column Group or Profiles.
35 Export Operations related to Export of Column Group or Profiles.
36 SaveProfile Operation to save an Investigation Profile.
37 ApplyProfile Operation to apply an Investigation Profile.
38 DeactivateProfile Operation to deactivate an Investigation Profile.
39 DeleteProfile Operation to delete an Investigation Profile.
40 DeleteProfiles Operation to delete multiple Investigation Profiles.

Reporting Engine

The following table lists the operations logged by the Reporting Engine.

Serial # Operation Name Meaning
1 TEMPLATE For all operations related to template
2 CHART For all operations related to chart
3 REPORT For all operations related to report
4 RULE For all operations related to rule
5 IMAGE For all operations related to Logo Images used in Reports.
6 LIST For all operations related to list
7 ALERT For all operations related to alert
8 CONFIG For all operations related to configuration change
9 SCHEDULE For all operations related to schedule
10 ROLE For all operations related to role/authorization
11 BATCH_JOB For all operations related to batch jobs
12 SCHEDULER For all operations related to scheduler
13 QUERYPROCESSOR For all operations related to queryprocessor
14 FORMATTER For all operations related to formatter
15 OUTPUTACTION For all operations related to outputaction
16 STATUSMANAGER For all operations related to statusmanager
17 BATCH_RUNDEF For all operations related to batch rundef
18 CHARTGROUP For all operations related to chart group
19 REPORTGROUP For all operations related to report group
20 RULEGROUP For all operations related to rule group
21 LISTGROUP For all operations related to list group
22 DISKSPACE For all operations related to disk space

Warehouse Connector

The following table lists the operations logged by the Warehouse Connector.

Serial # Operation Name Meaning
1 LockBox Password Create Operation to create LockBox Password.
2 LockBox Password Update Operation to update LockBox Password.
3 LockBox Password Refresh Operation to refresh LockBox Password.
4 Adding Stream Operation to add a Stream.
5 Adding Source Operation to add a Source.
6 Adding Destination Operation to add a Destination.
7 Removing Operation to remove a Source, Stream, or Destination.
8 Changing Password Operation to change the Password.
9 Updating Source Operation to update a Source.
10 Adding Source to Stream Operation to add a Source to a Stream.
11 Deleting Source from Stream Operation to delete a Source from a Stream.
12 Setting Destination to Stream Operation to set a Destination to a Stream.
13 Finalizing Stream Operation to finalize a Stream and initiate the aggregation.
14 Stopping Stream Operation to stop a Stream.
15 Starting Stream Operation to start a Stream.
16 Reloading Stream Operation to reload a Stream.

Health & Wellness

The following table lists the operations logged by Health & Wellness.

Serial # Operation Name Meaning
1 SavePolicyRequest Operation while adding or modifying a Policy.
2 RemovePolicyRequest Operation while removing a Policy.

NetWitness Core Services

The following table lists the operations logged by NetWitness Core Services.

Serial # Operation Name Meaning
1 FILE-Command Operation to list, retrieve and delete files from approved directories on this device.
2 SERVICE-Start Service started
3 SERVICE-Stop Service stopped
4 REDIRECT-Syslog Operation for syslog forwarding.
5 ADD-Monitor Issuing a filesystem monitor operation
6 DELETE-Monitor Issuing a filesystem monitor deletion operation
7 SHUTDOWN-Service/shutdown.service Shutting down appliance service
8 REBOOT-Service Restarting appliance service
9 CONFIGURE-Network Issuing Network Configuration change
10 SET-NTP Issuing NTP set operation
11 STOP-NTP Issuing NTP stop operation
12 NTP-Timesync Issuing NTP time sync operation
13 SET-SNMP Issuing SNMP set
14 UPGRADE/upgrade Issuing upgrade operation
15 create.collection Operation to create an empty collection.
16 restore Issuing restore
17 session.aggregation Issuing aggregation start/stop
18 add.device Adding a device for aggregation
19 edit.device Editing a device used for aggregation
20 delete.device Deleting a device used for aggregation
21 capture.start Starting capture operation
22 capture.stop Stopping capture operation
23 select.interface Selecting capture interface
24 export Operation to export packets or sessions.
25 reload Issuing a parser reload
26 schema Issuing a schema request for loaded parsers
27 upload/file.upload Issuing file upload
28 notify Issuing feed notify
29 delete Issuing file deletion
30 edit.config Configuration change operation
31 parsers.transforms Perform a language key transformation
32 data.reset Data reset operation
33 timeout REST request timeout
34 cancel Cancel a running query
35 timeroll Operation to delete the database files that exceed a given limit.
36 dump Operation to dump information out of the database in nwd formatted files.
37 session.wipe Issuing a session wipe operation
38 REPLACE-Rule Issuing a rule replace operation
39 MERGE-Rule Issuing a rule merge operation
40 ERASE-Rule Issuing deletion of a set of all rules
41 ADD-Rule Issuing a rule addition operation
42 DELETE-Rule Issuing deletion of a set of rules
43 sdk.info Issuing SDK summary info.
44 sdk.session Issuing SDK session info.
45 sdk.language Issuing SDK language
46 sdk.aliases Issuing SDK alias request
47 sdk.transform Issuing SDK transformation request
48 sdk.search Issuing session content search request
49 sdk.cache Operation related to session content cache
50 sdk.content Issuing session content request
51 check.authorization Operation to check user roles for permissions to execute an operation.
52 close.connection Issuing a connection close operation
53 handshake Issuing an SSL handshake
54 logon/login Operation to login from NW to the other services, mostly to privileged users.
55 STOREDPROCOP Issuing file upload cancel/start
56 ADD-Task Added scheduled task
57 DELETE-Task Deleted scheduled task
58 logoff Issuing logout operation
59 list.cacerts Issuing list trusted CA certificate operation
60 delete.cacerts Issuing delete trusted CA certificate operation
61 add.cacerts Issuing addition of trusted CA certificate operation
62 restart.command Issuing restart command line option
63 delete.file/file.delete Operation to delete system configuration files.
64 update.file/file.update Operation to update system configuration file.
65 create.file Issuing file creation operation
66 query Issue a database query
67 unlock Issuing unlock user account operation
68 user.add Operation to create user accounts on individual devices.
69 user.delete Operation to delete a user on individual devices.
70 group.create Operation to add a new group to the system.
71 user.remove Remove a user account from a group
72 group.delete Delete a group from the /users/groups tree
73 add.user Issuing add user command to collection
74 delete.user Issuing delete user command to collection
75 remove.user Removing an user from collection
76 collection.open Issuing an open command for a collection
77 collection.close Issuing a close command for a collection
78 collection.delete Issuing collection deletion command
79 reingest.start Operation to start reingesting of packet data in collection.
80 feed.notify Issuing a feed notify command
81 collect Issuing a collect command
82 collect.start Issuing a data collection start
83 collection.global Issuing import parser command
84 parser.reload Issuing parser reload command
85 reingest Operation to reingest packet data in collection.
86 collection.create Issuing a create collection command
87 collection.restore Issuing a restore collection command
88 collection.clone Issuing a clone collection command
89 parser.reload Issuing parser reload command
90 sdk.query Performs a query against the meta database
91 sdk.msearch Search for pattern matches in many sessions or packets
92 sdk.values Performs a value count query and returns the matching values for a report
93 sdk.timeline Returns the count of sessions/size/packets in discrete time intervals

Malware Analysis

The following table lists the operations logged by the Malware Analysis (MA) component.

Serial # Operation Name Meaning
1 GetDashBoardSummaryRequest Get dashboard analysis statistics
2 GetFileScoreSummaryRequest Get aggregated file scores by score type and risk level
3 CountEventsAndFilesRequest Get count of events and files over a time frame
4 GetAvVendorDetectionRequest Get AV vendor analysis results
5 GetAVVendorsRequest Get list of AV Vendors supported
6 SetInstalledAVVendorsRequest Update list of installed AV Vendors in config
7 CountEventByCriteriaRequest Count events by criteria
8 FindEventByIdRequest Get event by id
9 FindEventByCriteriaRequest Get event by criteria
10 DeleteEventRequest Delete event
11 CommentOnEventRequest Add comment to event
12 ReSubmitEventRequest Resubmit event for analysis
13 FindEventScoreByIdRequest Get event score by event id
14 FindEventScoreByCriteriaRequest Get event score by criteria
15 FindMetaByIdRequest Get meta by id
16 FindMetaByCriteriaRequest Get meta by criteria
17 FindMetaValueByCriteriaRequest Get meta value by criteria
18 CountByDistinctMetaValueRequest Count distinct meta values
19 CountByMetaNameAndValueWithDateRangeIntervalRequest Count meta and values with interval for charting
20 CountByValueAndAverageOverallScoreRequest Count meta and map to overall scores for events
21 CountByValueAndAverageGroupScoreRequest Count meta and map to group scores for events
22 CountFileEntryByCriteriaRequest Count files by criteria
23 FindFileEntryByIdRequest Get file by id
24 FindFileEntryByCriteriaRequest Get file by criteria
25 ReSubmitFileEntryRequest Resubmit file for analysis
26 FileDownloadRequest Download file from repository
27 FileUploadRequest Upload file for analysis
28 FindFileScoreByIdRequest Get file score by id
29 FindFileScoreByCriteriaRequest Get file score by criteria
30 FindHashValueByIdRequest Get whitelist/blacklist Hash value by id
31 FindHashValueByCriteriaRequest Get whitelist/blacklist Hash value by criteria
32 AddHashValueRequest Add whitelist/blacklist Hash value
33 UpdateHashValueRequest Update whitelist/blacklist Hash value
34 DeleteHashValueRequest Delete whitelist/blacklist Hash value
35 FindHashValueByMd5Request Find whitelist/blacklist Hash value by md5
36 AddHashValueInFileRequest Add File to repository as well as hash value
37 GetDefaultRulesRequest Get default IOC Rules configuration
38 ResetToDefaultRulesRequest Reset IOC Rules configuration to default
39 GetAllOverrideRulesRequest Get IOC Rules user created override configuration
40 FindOverrideRuleByIdRequest Find IOC override rule by id
41 AddOverrideRuleRequest Add IOC override rule
42 UpdateOverrideRuleRequest Update IOC override rule
43 DeleteOverrideRuleRequest Delete IOC override rule
44 SubmitOnDemandNextGenRequest Submit new ondemand nextgen scan
45 FindOnDemandJobEntryByIdRequest Get ondemand job entity by id
46 FindOnDemandJobEntryByCriteriaRequest Get ondemand job entity by criteria
47 GetOnDemandJobInfoRequest Get ondemand job reference entity by id
48 GetOnDemandDefaultConfigurationRequest Get ondemand default configuration
49 CancelOnDemandJobRequest Cancel ondemand job in progress
50 DeleteOnDemandJobRequest Delete ondemand job
51 ReSubmitOnDemandJobRequest Resubmit ondemand job
52 SubscriptionRequest Subscribe to MA Cloud communication
53 UnSubscribeRequest Unsubscribe from MA Cloud communication
54 GetTopEventInfluencesRequest Get Top N event influences
55 GetServerInfoRequest Get server info, such as server time
56 DataResetRequest Reset database
57 OnDemandJobStatusNotification Report ondemand job progress to subscribers
58 LicenseStatusNotification Report license status - number of samples analyzed
59 DataResetNotification Report that data was reset
60 GetIocSummaryRequest Get IOC rules aggregated by event/file scores
61 FindAlertTemplatesByCriteriaRequest Get rabbitmq alert templates by criteria
62 SaveAlertTemplateRequest Update alert template
63 DeleteAlertTemplateRequest Delete alert template
64 GetJobStatusRequest Get in-progress job analysis thread status
65 GetEventTypeCountSummaryRequest Get event analysis counts by date chart
66 Logon Logon to the MA Service
67 Modified Modifying config changes
68 GetNextGenSummaryRequest Get nextgen dashboard summary statistics

NetWitness User Interface

The following table lists the operations logged by the NetWitness User Interface component.

Serial # Operation Name Meaning
1 uploadTrialLicense Upload Trial License
2 LicenseEntitle Entitle License
3 LicenseDeactivation Deactivate License
4 ExpiredLicense License Expired
5 LicenseOutOfComplianceAcknowledgement EULA Acknowledgement
6 resetLicense Reset License
7 usageDateExport License data usage - csv/pdf
8 refreshLicense Refresh LLS license
9 LicenseOutOfCompliance Out of Compliance
10 OOTBEntitlementOutOfCompliance OOTB Trial license Out of Compliance
11 OOTBEntitlementFirstLoginTimeModified OOTB time modified
12 OOTBEntitlementFileDeleted OOTB File deleted
13 OOTBEntitlementDataTampering OOTB data tampering
14 uploadOfflineResponse Upload offline response
15 offlineDownloadCapRequest Download offline request
16 movePerpetualToThroughput Move Appliance license to Throughput
17 moveThroughputToPerpetual Move Throughput to Appliance license
18 mapApplianceLicense Map Service to Real license
19 delete Operation to delete Alert Templates.
20 HttpRequest Operation for Audit Logging of the accessed URL.
21 Page Accessed Operation for Audit Logging of the accessed page.
22 Navigate Operation to navigate to the accessed page.
23 Events Operation to view the accessed event page.
24 Recon Operation for Event Reconstruction requested.
25 Services Operation while reading the list of available devices for investigation.
26 Service Operation for a List of devices requested to be investigated.
27 Collections Operation to view the list of collections requested.
28 Profiles Operation to apply a Profile.
29 ColumnGroups Operation to apply or read Column Group.
30 ParallelCoordinates Operations related to Loading of co-ordinate view navigation.
31 Timeline Operations related to loading of timeline view navigation.
32 PrintView Operations to open investigation in print view.
33 Preferences Operations related to Informer Request.
34 import Operations related to Import of Column Group or Profiles.
35 export Operations related to Export of Column Group or Profiles.
36 Predicate Operations related to Queries (Predicates) used for Investigation.
37 Languages Operation for Language requested from a Device.
38 CancelLanguageLoad Operation for Language Load Canceled from Navigate Page.
39 summary Operation for a summary requested from a Device.
40 languages Operation for a language requested from a device.
41 aliases Operation for meta aliases requested from a device.
42 query Operation for SDK Query requested from a device.
43 msearch Operation for a meta search requested from a device.
44 nodeListing Node Listing for a node requested from a Device.
45 content SDK Content call requested from a Device for downloading a PCAP or Log.
46 Export Files File Listing Requested for a Session in File View or Extraction jobs.
47 packets Packets requested for sessions in Packet View or Extraction Jobs.
48 deleteEndpointCache Operation to clear reconstruction cache of a device.
49 Logon Operation for user to sign in to NetWitness User Interface.
50 Logoff Operation for user to sign out of NetWitness User Interface.
51 defaultDevice Operation to access the Default SA UI Device.
52 deleteDefaultDevice Operation to delete the Default investigation device.
53 submitExtractFiles Operation to submit a request to Extract files from Sessions.
54 submitExtractLogs Operation to submit a Request to Extract Logs from Sessions.
55 submitExtractPcap Operation to submit a Request to Extract Sessions from Sessions.
56 MetaGroup Operations related to SA UI Meta Groups.
57 ExternalQuery Operation when a Direct Query is fired via URL.
58 GeoMap Operation to access the Geo Map View of Investigation.
59 SaveProfile Operation to save an Investigation Profile.
60 ApplyProfile Operation to apply an Investigation Profile.
61 DeleteProfile Operation to delete an Investigation Profile.
62 DeactivateProfile Operation to deactivate an Investigation Profile.
63 VisualizePreferences Operations related to Informer Visualization Request.
64 ExportMetaGroup Operations to export multiple SA UI Meta Groups.
65 userPredicates Operation to access Recent Queries of a user.
66 FileView Operation for reconstruction request for File View.
67 resource.update Operation when Live Subscription State changes.

Respond

The following table lists the operations logged by the Respond component.

Serial # Operation Name Meaning
1 update Update notification setting
2 update Update integration settings configuration
3 delete Delete Alerts
4 create Create new incident
5 update Update incident details
6 read Read incident details
7 delete Delete incidents
8 read Read remediation tasks
9 delete Delete Remediation tasks
10 update Update remediation tasks
11 create Create new rule
12 update Update existing alert rule
13 reorder Reorder priority of alert rules

Investigate Server

The following table lists the operations logged by the Investigate Server.

Serial # Operation Name Meaning
1 Aliases Fetch aliases
2 BackgroundJob Category for all background job operations
3 ColumnGroup Category for all column group operations
4 Count-query Default Investigate
5 Countdistict-query Default Investigate
6 Content Default Session Content
7 Create User entity
8 Create User preferences
9 Create Predicate
10 Delete User preferences
11 Delete Predicate
12 Extract-content Extract Content from Session
13 Folders Category for all folder operations
14 Files SDK content request
15 InvestigateExport Category for extraction invocation
16 Key-refs Fetch meta keys
17 Languages SDK language call
18 MetaGroup Category for all meta group operations
19 Metakey Category for all metakey operations
20 MailReconstruction Category for all mail reconstruction operations
21 ParsingRequest Category for all request parsing operations
22 PacketReconstruction Category for all packet reconstruction operations
23 Predicate InvestigateIncidents Category for all predicate operations
24 Query SDK query
25 Reconstruction Category for common shared reconstruction operations
26 ReconstructionCache Category for reconstruction caching operations
27 ReconstructionStreaming Category for reconstruction streaming operations
28 ReconstructDataSecurity Category for reconstruction security operations (data scrubbing)
29 Session-Meta SDK query to get session meta
30 Summary SDK summary
31 Search-meta-value Search meta value based on field name
32 TextReconstruction Category for all text reconstruction operations
33 Timeline Timeline request
34 UserPreferences Category for all user preferences operations
35 Update User entity
36 Update User preferences
37 Update Profile group
38 Update Predicate
39 Values SDK values
40 Validate-query Validate SDK query

Security Server

The following table lists the events logged by the Security Server.

Log Category Description
Create: Add record for a role with new ID.
Create: Add user record with new ID.
Update: Update the user account with a new ID.
Authentication: Logs events pertaining to user logins and logouts.
Authorization: Logs events pertaining to user access checks and RBAC management.
UserAccount: Logs events pertaining to NetWitness domain account management.
ExternalProvider: Tracks events pertaining to external account providers (for example, Active Directory).

The following example shows an event logged by the Security Server:
2018-03-13 16:25:02,938 UserAccount{action=ExpirePassword, success=true, identity=admin, parameters={id=Justin}}
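As an added example (not part of the NetWitness documentation), the following Python parses lines laid out like the event above and flags the entries a reviewer would look at first: failures, and successful UserAccount or Authorization changes, with who acted on whom. The field layout, the KNOWN_CATEGORIES set (taken from the table above) and the two extra sample lines are assumptions built from this page.

```python
import re
from datetime import datetime

# Log categories listed in the Security Server table on this page.
KNOWN_CATEGORIES = {"Authentication", "Authorization", "UserAccount", "ExternalProvider"}

# Layout assumed from the page's single example: <date> <time>,<millis> <Category>{k=v, ..., parameters={k=v}}
EVENT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<cat>\w+)\{(?P<body>.*)\}$")


def parse_fields(body: str) -> dict:
    """Parse 'k=v, k2={nested=v}' into a dict, recursing into brace-delimited maps."""
    fields, i, n = {}, 0, len(body)
    while i < n:
        while i < n and body[i] in ", ":        # skip separators between fields
            i += 1
        if i >= n:
            break
        eq = body.find("=", i)
        if eq == -1:
            raise ValueError(f"no '=' in field starting at {body[i:]!r}")
        key, i = body[i:eq].strip(), eq + 1
        if i < n and body[i] == "{":             # nested map: scan to the matching brace
            depth, start = 0, i
            while i < n:
                depth += {"{": 1, "}": -1}.get(body[i], 0)
                if depth == 0:
                    break
                i += 1
            if depth != 0:
                raise ValueError("unbalanced braces in " + body)
            fields[key] = parse_fields(body[start + 1:i])
            i += 1                               # step past the closing brace
        else:                                    # scalar value runs to the next comma
            end = next((j for j in range(i, n) if body[j] == ","), n)
            fields[key], i = body[i:end].strip(), end
    return fields


def parse_event(line: str) -> dict:
    """Turn one Security Server audit line into a structured record."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Security Server audit line: " + line)
    fields = parse_fields(m.group("body"))
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        "category": m.group("cat"),
        "action": fields.get("action"),
        "identity": fields.get("identity"),
        "success": fields.get("success") == "true",
        "parameters": fields.get("parameters", {}),
    }


def review_flags(event: dict) -> list:
    """Reviewer hints: unexpected category, failed operation, or a successful account/RBAC change."""
    flags = []
    if event["category"] not in KNOWN_CATEGORIES:
        flags.append(f"unknown category {event['category']}")
    if not event["success"]:
        flags.append(f"failed {event['category']}/{event['action']} for {event['identity']}")
    elif event["category"] in ("UserAccount", "Authorization"):
        target = event["parameters"].get("id") or event["parameters"].get("user")
        flags.append(f"{event['identity']} performed {event['action']} on {target}")
    return flags


# The first line is the page's own example; the other two are constructed samples.
SAMPLE_LINES = [
    "2018-03-13 16:25:02,938 UserAccount{action=ExpirePassword, success=true, identity=admin, parameters={id=Justin}}",
    "2018-03-13 16:26:10,101 Authentication{action=Login, success=false, identity=jdoe, parameters={}}",
    "2018-03-13 16:27:45,500 Authorization{action=AssignRole, success=true, identity=admin, parameters={user=jdoe, role=Analysts}}",
]
```

Run `review_flags(parse_event(line))` over each line of a forwarded syslog file; the parser tolerates an empty `parameters={}` and arbitrarily nested maps.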

Admin Server

The following table lists the events logged by the Admin Server.

Log Category Description
Restore: System operation to restore a data springboard.

Config Server

The following table lists the events logged by the Config Server.

Log Category Description
newregistration: Record the registration to the config server that manages the collection storage.

Context Hub Server

The following table lists the events logged by the Context Hub Server.

Log Category Description
verifyconnection: System operation to check if the connection is live.
addconnection: Create new connection to access data.