RSA NetWitness Platform Blog. Author: Chaitra Kulkarni

In the RSA NetWitness Platform 11.1.0.0 release, a new Windows parser has been introduced. This parser parses logs that are collected from Windows event sources via the RSA NetWitness Endpoint Agent.

 

The agent acts as a threat detection solution that detects malware, highlights suspicious activity for investigation, and instantly determines the scope of compromise to help security teams stop advanced threats faster.

 

Supported Windows OS Versions:

The Endpoint Agent can be deployed on Windows laptops, workstations, servers, or any other system, physical or virtual. The supported operating systems are:

  • Windows 7, 8, 8.1, 10
  • Windows Server 2008, 2012, 2016

 

Structure of Endpoint Agent Log:

The RSA NetWitness Endpoint Agent generates syslog-formatted logs. The format and structure of these logs are shown in the image below:

(Image: Log Format)

Every Windows log collected through the NetWitness Endpoint Agent consists of multiple tags, with a space as the delimiter. Every log has a header part and a payload part.

 

Header definition:

%MSWIN-Security-4672

Payload definition:

Agent=NWE AgentIP=1.1.1.1 AgentComputer=Srv01 AgentTime=2018-01-16T18:08:01.5144951Z TimeCreatedSystemTime=2018-01-16T18:06:56.0309840Z EventID=4672 Provider="Microsoft Windows security auditing." Channel=Security Level=Information Task="Special Logon" OpCode=Info Version=0 Keyword="Audit Success" ProcessID=460 Computer=Srv01 RecordId=34819 SubjectUser="NT AUTHORITY\SYSTEM" SubjectUserName=SYSTEM SubjectDomainName="NT AUTHORITY" SubjectLogonId=0x3e7 PrivilegeList="SeAssignPrimaryTokenPrivilege     SeTcbPrivilege     SeSecurityPrivilege" Message="Special privileges assigned to new logon.    Subject:   Security ID:  S-1-5-18   Account Name:  SYSTEM   Account Domain:  NT AUTHORITY   Logon ID:  0x3E7    Privileges:  SeAssignPrimaryTokenPrivilege     SeTcbPrivilege    SeSecurityPrivilege"

 

The payload contains all the tags that Microsoft Windows generates when an event occurs. The Message tag carries the complete raw text of that particular event.

 

Logs generated by supported Windows machines via the NetWitness Endpoint Agent are parsed against the latest NetWitness Windows parser. The NetWitness Windows parser supports parsing of every log identified by every Microsoft Windows channel.

 

This blog post is intended to help a user understand the various meta keys designed for and used in the latest NetWitness Windows parser. Specifically, it highlights meta key usage for the major Microsoft Windows channel types: System, Security and Application.

 

NetWitness Meta Key usage for Microsoft Windows tags:

We have collected a wide variety of tags from Microsoft Windows; the tags that are important from a security perspective are listed below. Each tag is mapped strictly to a NetWitness-defined meta key.

 

The meta keys used in the Windows parser for the Security channel are:

Microsoft Windows Security Channel Tags and their NetWitness Meta Keys

Tag                         NetWitness Meta Key
Agent                       client
AgentIP                     alias.ip
AgentComputer               alias.host
AgentTime                   event.time.str
TimeCreatedSystemTime       event.time
EventID                     reference.id
Provider                    event.source
Channel                     event.log
Level                       severity
Task                        category
Version                     version
ProcessID                   process.id
Computer                    event.computer
Message                     event.desc
Keyword                     event.type
SubjectDomainName           domain.src
ProviderName                event.source
AlgorithmName               crypto
ReturnCode                  result.code
SubjectUser                 event.user
TargetUser                  user
ParentProcessName           process.src
LogonType                   logon.type
SubjectUserName             user.src
TargetUserName              user.dst
TargetDomainName            domain.dst
ProcessName                 process
IpAddress                   ip.src
IpPort                      sport
PrivilegeList               privilege
Accesses                    accesses
Protocol                    protocol
LogonProcessName            process
ObjectName                  obj.name
KeyName                     obj.name
ObjectServer                obj.server
ObjectType                  obj.type
Service                     service.name
NewUacValue                 change.new
ProductName                 product
SessionId                   log.session.id
CallerProcessId             process.id.src
TransactionId               reference.id2
WorkstationName             host.src
NotificationPackageName     obj.name
OldUacValue                 change.old
ServiceName                 service.name
Operation                   action
PreviousTime                change.old
NewProcessId                process.id
CallerProcessName           process.src
TargetLogonId               log.session.id1
NewProcessName              process
UserName                    user
KeyLength                   index
SecurityPackageName         obj.name
ServiceFileName             filename
Workstation                 host.src
ProcessId                   process.id
Categories                  index
ServiceAccount              service.account
KeyFilePath                 directory
NewTime                     change.new
TargetServerName            host.dst
AuthenticationPackageName   auth.method
ImpersonationLevel          obj.name
CommandLine                 param
DisplayName                 fullname
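
As an added example (not code from this post or from RSA), the following Python splits an Endpoint Agent line into the %MSWIN header and its space-delimited key=value payload as described above, then maps the tags onto the Security-channel meta keys from the table. The sample line and the mapping subset are constructed here, and the header/payload consistency check is my own addition, not a documented parser behaviour.

```python
import re

# Constructed sample line, modelled on the Security event 4672 example on the page.
SAMPLE_LOG = (
    '%MSWIN-Security-4672 Agent=NWE AgentIP=1.1.1.1 AgentComputer=Srv01 '
    'AgentTime=2018-01-16T18:08:01.5144951Z EventID=4672 '
    'Provider="Microsoft Windows security auditing." Channel=Security '
    'Level=Information Task="Special Logon" Keyword="Audit Success" '
    'SubjectUserName=SYSTEM SubjectDomainName="NT AUTHORITY" SubjectLogonId=0x3e7 '
    'PrivilegeList="SeAssignPrimaryTokenPrivilege     SeTcbPrivilege"'
)
# Subset of the Security-channel tag to meta key table from the page.
SECURITY_META = {
    "Agent": "client", "AgentIP": "alias.ip", "AgentComputer": "alias.host",
    "AgentTime": "event.time.str", "EventID": "reference.id",
    "Provider": "event.source", "Channel": "event.log", "Level": "severity",
    "Task": "category", "Keyword": "event.type", "SubjectUserName": "user.src",
    "SubjectDomainName": "domain.src", "PrivilegeList": "privilege",
}
# Header is %MSWIN-<channel>-<event id>; the rest of the line is the payload.
HEADER_RE = re.compile(r"^%MSWIN-(?P<channel>\w+)-(?P<event_id>\d+)\s+(?P<payload>.*)$")
# One tag is key=value; the value is "quoted and may contain spaces" or bare (no spaces).
TAG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_header(line):
    """Return (channel, event_id, payload); reject lines without the %MSWIN header."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an Endpoint Agent Windows log: %MSWIN header missing")
    return m.group("channel"), int(m.group("event_id")), m.group("payload")


def parse_payload(payload):
    """Parse the space-delimited key=value tags into a dict, quotes stripped."""
    return {key: quoted or bare for key, quoted, bare in TAG_RE.findall(payload)}


def to_meta(tags, mapping):
    """Map raw tags onto NetWitness meta keys; tags with no mapping are listed."""
    meta = {mapping[t]: v for t, v in tags.items() if t in mapping}
    return meta, [t for t in tags if t not in mapping]


def parse_event(line, mapping=SECURITY_META):
    channel, event_id, payload = split_header(line)
    tags = parse_payload(payload)
    # The header repeats Channel and EventID; a mismatch points at a malformed
    # or altered line, so flag it instead of silently writing meta.
    consistent = tags.get("Channel") == channel and tags.get("EventID") == str(event_id)
    meta, unmapped = to_meta(tags, mapping)
    return {"channel": channel, "event_id": event_id, "consistent": consistent,
            "meta": meta, "unmapped": unmapped}
```

Tags reported as unmapped (here SubjectLogonId) are the ones a custom parser would have to assign to its own meta keys.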

 


The meta keys used in the Windows parser for the System channel are as below:

Microsoft Windows System Channel Tags and their NetWitness Meta Keys

Tag                         NetWitness Meta Key
TimeCreatedSystemTime       event.time
EventID                     reference.id
Provider                    event.source
Channel                     event.log
Level                       severity
Version                     version
ProcessID                   process.id
Computer                    event.computer
Message                     event.desc
User                        user
DeviceName                  device.name
Status                      result.code
ProcessPid                  process.id
StopTime                    endtime
Ipaddress                   ip.src
ExtensibleModulePath        directory
FilePath                    directory
GUID                        log.session.id1
Reason                      result
ErrorDescription            result
Group                       group
Status                      disposition
ErrorCode                   result.code
DCName                      domain
ProcessPath                 directory
ErrorMessage                index

 

The meta keys used in the Windows parser for the Application channel are as below:

Microsoft Windows Application Channel Tags and their NetWitness Meta Keys

Tag                         NetWitness Meta Key
TimeCreatedSystemTime       event.time
EventID                     reference.id
Provider                    event.source
Channel                     event.log
Level                       severity
Version                     version
ProcessID                   process.id
Computer                    event.computer
Message                     event.desc
User                        user


Note 1:

Apart from the keys listed above, RSA NetWitness allows customers to collect values from a log into their own custom meta keys using the custom parser methodology. A custom parser lets RSA NetWitness customers define their own meta keys and populate them with values from logs.

 

Comparison of NetWitness meta key usage between the winevent_nic and windows parsers

The NetWitness Windows parser provides the following additional advantages compared with the winevent_nic parser:

  • No unknowns: none of the Windows logs collected using the NetWitness Endpoint Agent goes unknown (unparsed).
  • Lower parsing time: based on our performance tests, the parsing time of the Windows parser is lower than that of the winevent_nic parser.

Below is a comparison of meta key usage for Windows Security Event ID 4672. The screenshot on the left shows the old parsing of Windows logs, and the screenshot on the right shows the new Windows parser handling logs collected via the NetWitness Endpoint Agent.

The RSA NetWitness Meta Dictionary is a tool developed for describing the metadata used in RSA NetWitness Log Parsers. The RSA NetWitness Log Decoder supports over 300 unique log event sources. Each log event source has a respective log parser for parsing the content of each log. The Meta Dictionary tool describes the metadata used in each of the parsers.

 

This blog post is intended to help a user understand how to use the tool so that they can see the various metadata used in a parser, the description of each metadata key, and the number of times each metadata key appears in the parser.

 

Deployments

 You need to download the following attachments from the blog post:

  • data.meta file
  • metadictionary.html file

 

Supported Browsers

  • Google Chrome version 44 or later
  • Firefox version 36 or later
  • Internet Explorer 10 or later
  • Safari version 7 or later

  

Viewing Meta Data Definitions

Once you open the metadictionary.html file in a browser you will see something similar to the screenshot below.

The screen contains the following sections:

  • Left Navigation pane: contains a list of all the parsers.
  • Details pane: contains the meta details for the selected parser.

 

This tool offers the flexibility to search for meta keys, data type, etc. as shown in the image below.

In the screen above, we searched for ipv4 and three occurrences were found; note that the search is case-insensitive.

 

Screen Reference

Parser Name/Version: the Left Navigation Pane and the Details Pane display the parser name and version.

Search: a free-text search box that you can use to filter results.

Show/Hide Columns: a drop-down menu on each column header lets you display or hide that column.

Column Reference

The following table describes each of the available columns that contain the meta data for the parsers.

 

Investigation Display Name: the value displayed on the Investigation page of the RSA NetWitness UI for each meta key.

Parser Metakey (occurrences): the meta key as used in the parser, with its count in parentheses. For example, for the aix parser the saddr meta key occurs 151 times in the parser definition.

SA Metakey: the corresponding meta name for the meta key in the parser definition. This meta name is used in RSA NetWitness Suite.

Metakey Description: the description of the key.

TableMap Datatype: the data type of the meta key, as listed in the default table-map.xml.

TableMap Indexed: whether or not the key is indexed in the table map. The following examples show the table-map details for indexed and non-indexed meta:

Indexed:

<mapping envisionName="device.ip" nwName="device.ip" format="IPv4" flags="None"/>

Not Indexed:

<mapping envisionName="device.ip" nwName="device.ip" format="IPv4" flags="Transient"/>

Index-Concentrator: whether or not the key is available in the default index-concentrator.xml.

 

We hope you find this tool useful and welcome any feedback or suggestions for improvement.  Please feel free to leave any constructive feedback in the comments below!
