Chaitra Kulkarni

Collecting Microsoft Windows Logs via RSA NetWitness Endpoint Agent

Blog Post created by Chaitra Kulkarni Employee on Apr 5, 2018

In the RSA NetWitness Platform 11.1.0.0 release, a new Windows parser has been introduced. This parser parses the logs collected from Windows event sources via the RSA NetWitness Endpoint Agent.

The agent acts as a threat detection solution that detects malware, highlights suspicious activity for investigation, and instantly determines the scope of compromise to help security teams stop advanced threats faster.

Supported Windows OS Versions:

The Endpoint Agent can be deployed on Windows laptops, workstations, servers, or any other system, physical or virtual. The supported operating systems are:

  • Windows 7, 8, 8.1, 10
  • Windows Server 2008, 2012, 2016

Structure of Endpoint Agent Log:

The RSA NetWitness Endpoint Agent generates syslog-formatted logs. The format and structure of the logs is shown in the image below:

[Image: Log Format]

Every Windows log collected through the NetWitness Endpoint Agent consists of multiple tags delimited by spaces. Every log has a header part and a payload part.

Header definition:

%MSWIN-Security-4672

Payload definition:

Agent=NWE AgentIP=1.1.1.1 AgentComputer=Srv01 AgentTime=2018-01-16T18:08:01.5144951Z TimeCreatedSystemTime=2018-01-16T18:06:56.0309840Z EventID=4672 Provider="Microsoft Windows security auditing." Channel=Security Level=Information Task="Special Logon" OpCode=Info Version=0 Keyword="Audit Success" ProcessID=460 Computer=Srv01 RecordId=34819 SubjectUser="NT AUTHORITY\SYSTEM" SubjectUserName=SYSTEM SubjectDomainName="NT AUTHORITY" SubjectLogonId=0x3e7 PrivilegeList="SeAssignPrimaryTokenPrivilege     SeTcbPrivilege     SeSecurityPrivilege" Message="Special privileges assigned to new logon.    Subject:   Security ID:  S-1-5-18   Account Name:  SYSTEM   Account Domain:  NT AUTHORITY   Logon ID:  0x3E7    Privileges:  SeAssignPrimaryTokenPrivilege     SeTcbPrivilege    SeSecurityPrivilege"

The payload contains all the tags that Microsoft Windows generates when an event occurs. The Message tag carries the complete raw text of that particular event.

The logs generated by supported Windows machines via the NetWitness Endpoint Agent are parsed by the latest NetWitness Windows parser. The NetWitness Windows parser supports parsing of every log from every Microsoft Windows channel.

This blog is intended to help users understand the various meta keys designed for and used in the latest NetWitness Windows parser. Specifically, it highlights meta key usage for the major Microsoft Windows channel types: System, Security and Application.

NetWitness Meta Key usage for Microsoft Windows tags:

We have collected a wide variety of tags from Microsoft Windows; the tags that matter from a security perspective are listed below. The tags are mapped strictly to NetWitness-defined meta keys.

The meta data used in the Windows parser for the Security channel is:

Microsoft Windows Security Channel Tags    | NetWitness Meta Key
------------------------------------------ | -------------------
Agent                                      | client
AgentIP                                    | alias.ip
AgentComputer                              | alias.host
AgentTime                                  | event.time.str
TimeCreatedSystemTime                      | event.time
EventID                                    | reference.id
Provider                                   | event.source
Channel                                    | event.log
Level                                      | severity
Task                                       | category
Version                                    | version
ProcessID                                  | process.id
Computer                                   | event.computer
Message                                    | event.desc
Keyword                                    | event.type
SubjectDomainName                          | domain.src
ProviderName                               | event.source
AlgorithmName                              | crypto
ReturnCode                                 | result.code
SubjectUser                                | event.user
TargetUser                                 | user
ParentProcessName                          | process.src
LogonType                                  | logon.type
SubjectUserName                            | user.src
TargetUserName                             | user.dst
TargetDomainName                           | domain.dst
ProcessName                                | process
IpAddress                                  | ip.src
IpPort                                     | sport
PrivilegeList                              | privilege
Accesses                                   | accesses
Protocol                                   | protocol
LogonProcessName                           | process
ObjectName                                 | obj.name
KeyName                                    | obj.name
ObjectServer                               | obj.server
ObjectType                                 | obj.type
Service                                    | service.name
NewUacValue                                | change.new
ProductName                                | product
SessionId                                  | log.session.id
CallerProcessId                            | process.id.src
TransactionId                              | reference.id2
WorkstationName                            | host.src
NotificationPackageName                    | obj.name
OldUacValue                                | change.old
ServiceName                                | service.name
Operation                                  | action
PreviousTime                               | change.old
NewProcessId                               | process.id
CallerProcessName                          | process.src
TargetLogonId                              | log.session.id1
NewProcessName                             | process
UserName                                   | user
KeyLength                                  | index
SecurityPackageName                        | obj.name
ServiceFileName                            | filename
Workstation                                | host.src
ProcessId                                  | process.id
Categories                                 | index
ServiceAccount                             | service.account
KeyFilePath                                | directory
NewTime                                    | change.new
TargetServerName                           | host.dst
AuthenticationPackageName                  | auth.method
ImpersonationLevel                         | obj.name
CommandLine                                | param
DisplayName                                | fullname
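
As an added example (not RSA's parser and not code from this post), the Python script below parses a log of the structure described above, using the Event ID 4672 sample shown earlier, and maps its tags to NetWitness meta keys through a subset of the Security channel table. It assumes that the header always has the form %MSWIN-<Channel>-<EventID>, that the header and payload are separated by a single space, that quoted values contain no escaped quotes, and that a PrivilegeList value is split into one privilege value per entry; these are assumptions for the example, not documented parser behaviour.

```python
"""Parse an RSA NetWitness Endpoint Agent Windows log line and map its tags
to NetWitness meta keys. Added example; not RSA's parser code."""
import re
from collections import defaultdict

# Constructed sample: the 4672 header and payload from the post, joined with
# a single space (assumption about how the agent emits the syslog message).
SAMPLE_LOG = (
    '%MSWIN-Security-4672 Agent=NWE AgentIP=1.1.1.1 AgentComputer=Srv01 '
    'AgentTime=2018-01-16T18:08:01.5144951Z '
    'TimeCreatedSystemTime=2018-01-16T18:06:56.0309840Z EventID=4672 '
    'Provider="Microsoft Windows security auditing." Channel=Security '
    'Level=Information Task="Special Logon" OpCode=Info Version=0 '
    'Keyword="Audit Success" ProcessID=460 Computer=Srv01 RecordId=34819 '
    'SubjectUser="NT AUTHORITY\\SYSTEM" SubjectUserName=SYSTEM '
    'SubjectDomainName="NT AUTHORITY" SubjectLogonId=0x3e7 '
    'PrivilegeList="SeAssignPrimaryTokenPrivilege     SeTcbPrivilege     '
    'SeSecurityPrivilege" '
    'Message="Special privileges assigned to new logon.    Subject:   '
    'Security ID:  S-1-5-18   Account Name:  SYSTEM   Account Domain:  '
    'NT AUTHORITY   Logon ID:  0x3E7    Privileges:  '
    'SeAssignPrimaryTokenPrivilege     SeTcbPrivilege    SeSecurityPrivilege"'
)

# Header form %MSWIN-<Channel>-<EventID>: an assumption generalised from the
# single %MSWIN-Security-4672 example in the post.
HEADER_RE = re.compile(r"^%MSWIN-([A-Za-z]+)-(\d+)$")

# Tag=value pairs: a value is either double-quoted (may contain spaces) or a
# run of non-space characters. Quoted values are taken literally, with no
# escape processing, so the backslash in NT AUTHORITY\SYSTEM survives
# (assumption: the agent does not escape quotes inside values).
TAG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Subset of the Security channel "tag -> meta key" table from the post.
SECURITY_META = {
    "Agent": "client", "AgentIP": "alias.ip", "AgentComputer": "alias.host",
    "AgentTime": "event.time.str", "TimeCreatedSystemTime": "event.time",
    "EventID": "reference.id", "Provider": "event.source",
    "Channel": "event.log", "Level": "severity", "Task": "category",
    "Version": "version", "ProcessID": "process.id",
    "Computer": "event.computer", "Message": "event.desc",
    "Keyword": "event.type", "SubjectUser": "event.user",
    "SubjectUserName": "user.src", "SubjectDomainName": "domain.src",
    "TargetUserName": "user.dst", "TargetDomainName": "domain.dst",
    "LogonType": "logon.type", "IpAddress": "ip.src", "IpPort": "sport",
    "PrivilegeList": "privilege", "ProcessName": "process",
    "NewProcessName": "process", "CommandLine": "param",
}

# Tags whose value is a whitespace-separated list, indexed as one meta value
# per element (assumption; the post only shows PrivilegeList in that shape).
MULTI_VALUE_TAGS = {"PrivilegeList"}


def parse_header(header):
    """Return (channel, event_id) from a %MSWIN-<Channel>-<EventID> header."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"unrecognised header: {header!r}")
    return m.group(1), m.group(2)


def parse_payload(payload):
    """Return an insertion-ordered dict of tag -> raw value."""
    tags = {}
    for m in TAG_RE.finditer(payload):
        name, quoted, bare = m.groups()
        tags[name] = quoted if quoted is not None else bare
    return tags


def to_meta(channel, event_id, tags, mapping=SECURITY_META):
    """Map parsed tags to NetWitness meta keys (multi-valued, de-duplicated).
    Tags with no mapping are kept under 'unmapped' so nothing is silently
    dropped; that list is what a custom parser would have to cover."""
    meta = defaultdict(list)

    def add(key, value):
        if value != "" and value not in meta[key]:
            meta[key].append(value)

    add("event.log", channel)
    add("reference.id", event_id)
    for name, value in tags.items():
        key = mapping.get(name)
        if key is None:
            add("unmapped", f"{name}={value}")
            continue
        for v in (value.split() if name in MULTI_VALUE_TAGS else [value]):
            add(key, v)
    return dict(meta)


def parse_log(line):
    """Split a full agent log line into header and payload and map it."""
    header, _, payload = line.strip().partition(" ")
    channel, event_id = parse_header(header)
    return to_meta(channel, event_id, parse_payload(payload))


if __name__ == "__main__":
    for key, values in parse_log(SAMPLE_LOG).items():
        print(f"{key:16} {values}")
```

Running the script prints one line per meta key with its list of values; for the sample, privilege carries three separate entries and unmapped lists OpCode, RecordId and SubjectLogonId, which the subset table above does not cover. Keeping an explicit unmapped bucket is a cheap way to see, per event ID, which tags would need a custom meta key before relying on them in a query or alert.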

The meta data used in the Windows parser for the System channel is as below:

Microsoft Windows System Channel Tags      | NetWitness Meta Key
------------------------------------------ | -------------------
TimeCreatedSystemTime                      | event.time
EventID                                    | reference.id
Provider                                   | event.source
Channel                                    | event.log
Level                                      | severity
Version                                    | version
ProcessID                                  | process.id
Computer                                   | event.computer
Message                                    | event.desc
User                                       | user
DeviceName                                 | device.name
Status                                     | result.code
ProcessPid                                 | process.id
StopTime                                   | endtime
Ipaddress                                  | ip.src
ExtensibleModulePath                       | directory
FilePath                                   | directory
GUID                                       | log.session.id1
Reason                                     | result
ErrorDescription                           | result
DeviceName                                 | device.name
Group                                      | group
Status                                     | disposition
ErrorCode                                  | result.code
DCName                                     | domain
ProcessPath                                | directory
ErrorMessage                               | index

The meta data used in the Windows parser for the Application channel is as below:

Microsoft Windows Application Channel Tags | NetWitness Meta Key
------------------------------------------ | -------------------
TimeCreatedSystemTime                      | event.time
EventID                                    | reference.id
Provider                                   | event.source
Channel                                    | event.log
Level                                      | severity
Version                                    | version
ProcessID                                  | process.id
Computer                                   | event.computer
Message                                    | event.desc
User                                       | user


Note 1:

Apart from the keys listed above, RSA NetWitness lets customers collect values from logs into their own custom meta keys using the custom parser methodology. A custom parser allows RSA NetWitness customers to define their own meta keys and populate them with values taken from the logs.

Comparison of NetWitness meta key usage between the winevent_nic and windows parsers

The NetWitness Windows parser provides the following additional advantages compared with the winevent_nic parser:

  • No unknowns: none of the Windows logs collected using the NetWitness Endpoint Agent are left as unknown (unparsed) events.
  • Low parsing time: in our performance tests, the parsing time of the windows parser was lower than that of the winevent_nic parser.

Below is a comparison of meta key usage for Windows Security Event ID 4672. The screenshot on the left shows Windows logs parsed by the old parser, and the screenshot on the right shows Windows logs collected via the NetWitness Endpoint Agent and parsed by the new windows parser.

[Screenshots: meta key comparison for Security Event ID 4672, old parser (left) and new windows parser (right)]
