Version 3.7.0 build 0169
I hope this helps . . . it took me a few to get to the bottom of this one.
My main objective was to audit Microsoft AD GPO addtions, modifications, and deletions. For the life of me I could not find the actual file being audited in the parsed data anywhere. I could see the raw event being captured with the data I needed via the MessageView . . . but running reports, query, and alerts would not show the file being audited in the Misc Name field (which is where it is supposed to be).
I found the following to be true . . . it took me a bit of digging to get this point.
The XML for the winevent_nic was not parsing the data properly. The data field misc_name was being used twice in the same content string . . . which means the latter use was overwriting the first. Look at message Security_560_Security:02 for example . . . Object Name: <misc_name> is the first instance and then later in the content string Image File Name: <misc_name> . . . the latter value kept showing up in Alerts, Query, and Reports.
SOLUTION: Rename the data field that was mapping to Image File Name. I created two new messages to get the content I needed . . . mapping Image File Name to a bogus_field. The two messages I used to solve my issue, Security_560_Security:04 and Security_560_Security:05, can be seen below . . . 05 accounts for a random space in the incoming MS message.
<MESSAGE
level="4"
parse="1"
parsedefvalue="1"
tableid="5"
id1="Security_560_Security:04"
id2="Security_560_Security"
eventcategory="1401010000"
summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"
content="<@utcstamp:*UTC($MSG,'%B %D %N:%U:%O %W',datetime)><@category
bject_Access> <@event_user:*RMQ(event_user)><event_log>,<linenum>,<day> <datetime>,<event_id>,<event_source>,<event_user>,<event_type>,<event_computer>,<category>,<data>,<event_description>:<space>Object Server: <obj_server>Object Type: <obj_type>Object Name: <misc_name>Handle ID: <handle_id>Operation ID: <operation_id>Process ID: <process>Image File Name: <bogus_field>Primary User Name: <username>Primary Domain: <domain>Primary Logon ID: <logon_id>Client User Name: <c_user_name>Client Domain: <c_domain>Client Logon ID: <c_logon_id>Accesses <accesses>Privileges <privileges>Restricted Sid Count: <fld4>Access Mask: <peer_id>" />
<MESSAGE
level="4"
parse="1"
parsedefvalue="1"
tableid="5"
id1="Security_560_Security:05"
id2="Security_560_Security"
eventcategory="1401010000"
summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"
content="<@utcstamp:*UTC($MSG,'%B %D %N:%U:%O %W',datetime)><@categorybject_Access> <@event_user:*RMQ(event_user)><event_log>,<linenum>,<day> <datetime>,<event_id>,<event_source>,<event_user>,<event_type>,<event_computer>,<category>,<data>,<event_description>: <space> Object Server: <obj_server> Object Type: <obj_type> Object Name: <misc_name> Handle ID: <handle_id> Operation ID: <operation_id> Process ID: <process> Image File Name: <bogus_field> Primary User Name: <username> Primary Domain: <domain> Primary Logon ID: <logon_id> Client User Name: <c_user_name> Client Domain: <c_domain> Client Logon ID: <c_logon_id> Accesses <accesses> Privileges <privileges> Restricted Sid Count: <fld4> " />
Yeah, since we're on the topic of winevent_nicmsg.xml I recall I ran across a very similar issue just the other day (yes I reported it by opening a case), this one was specific to the Security_566_Security:02 message ID. Turns out a trailing colon is missing from "accesses".
Instead of reading Accesses<accesses>
It should really read Accesses:<accesses>
Sounds very minimal, but its amazing what that extra : will do when you're trying to hard code exact filter statements against the Accesses field in correlation rules. I had to learn to put ": " in front of all of them to accommodate for the .xml.
I'm on version 3.5.2 and my current winevent_nicmsg.xml states:
<MESSAGE
level="4"
parse="1"
parsedefvalue="1"
tableid="5"
id1="Security_566_Security:02"
id2="Security_566_Security"
eventcategory="1206000000"
summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"
content="<@utcstamp:*UTC($MSG,'%B %D %N:%U:%O %W',datetime)><@categorybject_Access> <@event_user:*RMQ(event_user)><event_log>,<linenum>,<day> <datetime>,<event_id>,<event_source>,<event_user>,<event_type>,<event_computer>,<category>,<data>,<event_description>: <space> Operation Type: <type>Object Type: <obj_type>Object Name: <misc_name>Handle ID: <handle_id>Primary User Name: <username>Primary Domain: <domain>Primary Logon ID: <logon_id>Client User Name: <c_user_name>Client Domain: <c_domain>Client Logon ID: <c_logon_id>Accesses<accesses>Properties: <fld5>Additional Info: <info1>Additional Info2: <info2>Access Mask: <peer_id>" />
cheers,
ryan
