000038211 - Winrm user.src and user.dst Meta Keys defined in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Dec 30, 2019

Article Content

Article Number: 000038211
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.6.x, 11.x
Platform: CentOS7
Issue
  • user.dst shows the source username in the meta information instead of the destination username, and user.src shows the destination username instead of the source username. Sample raw log:
%NICWIN-4-Security_4728_Microsoft-Windows-Security-Auditing: Security,rn=1108022062 cid=14096 eid=844,Thu Nov 28 17:16:56 2019,4728,Microsoft-Windows-Security-Auditing,,Audit Success,#############,Security Group Management,,A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-552095179-313217538-1236795852-43765 Account Name: SOC1 Account Domain: ####### Logon ID: 0x1AD4ED671 Member: Security ID: S-1-5-21-552095179-313217538-1236795852-8410 Account Name: CN=SOC2,OU=######,OU=####,DC=###,DC=co,DC=--- Group: Security ID: S-1-5-21-552095179-313217538-1236795852-47074 Group Name: ############# Group Domain: ---------- Additional Information: Privileges:

Brief Information:
  • The account name highlighted yellow in the raw log (the Subject account name, SOC1) is the source username.
  • The account name highlighted green in the raw log (the Member account name, SOC2) is the destination username, i.e. the user who has been added to the group or on whom the action has been performed.


Meta key and key values about the same raw log mentioned above:
 
device.host    =    "############"
medium    =    32
device.type    =    "winevent_nic"
device.class    =    "Windows Hosts"
header.id    =    "0004"
event.desc    =    "A member was added to a security-enabled global group."
user.dst    =    "SOC1"
domain    =    "######"
user.src    =    "SOC2"
group    =    "###############"
ec.theme    =    "UserGroup"
ec.subject    =    "Group"
ec.activity    =    "Modify"
ec.outcome    =    "Success"
event.time    =    2019-11-28 17:16:56.000
reference.id    =    "4728"
Resolution

We have been following the Unified Data Model Standard in all our parsers, where:
user.dst stands for Primary user (user performing the action).
user.src stands for Secondary user (user on whom the action is being performed).

To give you an idea of how these keys were defined in the UDM:
While moving from enVision to NetWitness, we had a table-map that mapped enVision keys to NetWitness keys:
  <mapping envisionName="c_username" nwName="user.src" flags="None" format="Text"/>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>

The username key was always the primary username in the parsers, and hence user.dst was defined as the primary user in the UDM.
The c_username key was always the client username in the parsers, and hence user.src was defined as the secondary user in the UDM.

So the meta keys are selected according to the UDM standard: for event 4728 the Subject account (the administrator who performed the add) populates user.dst, and the Member account (the user who was added) populates user.src.
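As an added example (not RSA's parser or any part of the NetWitness product), the following Python reproduces the UDM mapping the article describes for a NICWIN 4728 line: the Subject account name becomes user.dst and the Member account name becomes user.src. The sample log is constructed to match the article's layout; the host (DC01), domain (CORP), group (ExampleGroup) and SIDs are placeholders.

```python
import re

# Constructed sample modelled on the article's 4728 raw log; host (DC01), domain
# (CORP), group (ExampleGroup) and SIDs are placeholders, not values from the article.
SAMPLE_4728 = (
    "%NICWIN-4-Security_4728_Microsoft-Windows-Security-Auditing: Security,"
    "rn=1108022062 cid=14096 eid=844,Thu Nov 28 17:16:56 2019,4728,"
    "Microsoft-Windows-Security-Auditing,,Audit Success,DC01,"
    "Security Group Management,,"
    "A member was added to a security-enabled global group. "
    "Subject: Security ID: S-1-5-21-1-2-3-43765 Account Name: SOC1 "
    "Account Domain: CORP Logon ID: 0x1AD4ED671 "
    "Member: Security ID: S-1-5-21-1-2-3-8410 "
    "Account Name: CN=SOC2,OU=Users,OU=Corp,DC=corp,DC=example "
    "Group: Security ID: S-1-5-21-1-2-3-47074 Group Name: ExampleGroup "
    "Group Domain: CORP Additional Information: Privileges: -"
)

# Section labels and field labels that structure the message body of a 4728 event.
SECTIONS = ["Subject", "Member", "Group", "Additional Information"]
FIELDS = ["Security ID", "Account Name", "Account Domain", "Logon ID",
          "Group Name", "Group Domain", "Privileges"]
_SECTION_RE = re.compile(r"(%s):" % "|".join(map(re.escape, SECTIONS)))
_LABELS = "|".join(map(re.escape, FIELDS))
_FIELD_RE = re.compile(r"(%s):\s*(.*?)(?=\s+(?:%s):|$)" % (_LABELS, _LABELS))

def _cn(value):
    """Reduce a DN such as CN=SOC2,OU=... to its CN (the article shows user.src = "SOC2")."""
    m = re.match(r"CN=([^,]+)", value)
    return m.group(1) if m else value

def parse_4728(raw):
    """Map a NICWIN 4728 line to UDM meta as the article describes:
    user.dst = Subject (actor performing the add), user.src = Member (account added)."""
    header = raw.split(",", 10)            # field 10 is the message; it may contain commas
    parts = _SECTION_RE.split(header[10])  # ['desc', 'Subject', ' ...', 'Member', ' ...', ...]
    sections = {parts[i]: dict(_FIELD_RE.findall(parts[i + 1].strip()))
                for i in range(1, len(parts) - 1, 2)}
    subject, member, group = sections["Subject"], sections["Member"], sections["Group"]
    return {
        "reference.id": header[3],
        "device.host": header[7],
        "event.desc": parts[0].strip(),
        "user.dst": subject["Account Name"],      # primary user: who performed the action
        "domain": subject["Account Domain"],
        "user.src": _cn(member["Account Name"]),  # secondary user: who was added
        "group": group["Group Name"],
    }
```

A rule that wants "who added a member to this group" must therefore key on user.dst, and one that wants "who was added" on user.src.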
Reference for UDM Concepts on RSA NetWitness:  https://community.rsa.com/docs/DOC-86375
