Problem with Symantec AV and secure ACSevents parsing
We have forwarded Symantec AV and cisco secure ACS logs from RSA envision to RSA security SA decoder through Z connector. Both devices logs are captured in RSA SA and also discover devices in RSA SA successfully.
But logs are not getting parsed properly. Below I am given raw log and meta value for both device type.
Like for Symantec AV , RSA SA is not parsing infected file and actual action filed, marked in RED.
Symantec AV Log
Apr 1 17:05:39 SymantecServer YYYYYYY: Virus found,IP Address: X.X.X.X,Computer name:YYYYYYYYY,Source: Real Time Scan,Risk name: Backdoor.Graybird,Occurrences: 1,C:\ArunSingh\Software\CorelDRAW Graphics Suite X6\Keygen-CORE\keygen.exe,"",Actual action: Details pending,Requested action: Deleted,Secondary action: Left alone,Event time: 2014-04-01 11:34:31,Inserted: 2014-04-01 11:35:39,End: 2014-04-01 11:34:31,Last update time: 2014-04-01 11:35:39,Domain: Default1,Group: My Company\ROOT\WORKSTATIONS\STPI\NKP,Server: XXXXXXX,User: YYYYYY,Sourcecomputer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version:
sessionid = 14351751319
time = 2014-04-01T17:18:19.0
size = 1070
medium = 32
device.type = "symantecav"
device.class = "Anti Virus"
header.id = "0016"
alias.host = "INMUMNKPSTL3701"
event.source = "Real Time Scan"
virusname = "Backdoor.Graybird"
action = "Deleted"
group = "My Company\ROOT\WORKSTATIONS\STPI\NKP"
alias.host = " "
user.dst = " "
dclass.c1.str = "Occurences"
ec.activity = "Detect"
ec.subject = "Virus"
ec.theme = "TEV"
endtime = 2014-04-01T17:04:31.0
event.desc = "Virus found"
event.time = 2014-04-01T17:04:31.0
msg.id = "Viru:10"
event.cat.name = "Attacks.Malicious Code.Virus"
kindly help me
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
In envision, infected filename is captured by info variable and actual action by disposition variable.
Both these variables are set to transient in table-map.xml. table-map.xml is mapping file to SA meta keys. When key is set to transient decoder will drop it. By default only few keys are enabled to minimize data explosion. It is suggested to enable keys as when there is need.
To enable keys, first flags of these meta keys need to be set to None from Transient. Then respective meta keys should be added to index-concentrator-custom.xml (if not in index-concentrator.xml). Then you will see these values in your investigation view.
Hope this helps
PS: These settings are global to device parsers. So you will start to see values for other device too. More indexes means more data on disk.
Thanks , getting meta value after add in index file.
But what about other variable like fld1,fld2, etc..?how i can enable in map- table bcz it are not in table.?
Is there any mapping doc for fld1,fld2.....?
fld* are junk. But they are used as placeholders when you don't want to store them. MSG is parsed and dropped on floor.
You can add fldXX to your table-map and index-concentrator custom files and you will see data.
As I said earlier these settings are global and hence you will see data from all devices. So be cautious before enabling something like fld.