This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RenatoGoncalves
Beginner
Beginner
‎2018-09-20 05:49 AM

RSA Log Decoder rule error

Hello everyone,

 

I recently noted that we are obtaining an error in the log decoder configurations.

 

Two of the rules that are configured ara highlighted. The rules are

 

nw30060 and account:logon-success-direct-access.

 

They have the following syntax:

 

nw30060: reference.id='528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')

 

account:logon-success-direct-access ((ec.activity='Logon' && ec.outcome='Success') || (event.cat.name='User.Activity.Successful Logins')) && logon.type='2','10'

 

I tried to test them in the reports view but i also noticed that the meta have disappeared and is now retrieving the following information:

 

Schema fetched from data source is null for data source xxxxx. I tried do use all the date sources that we have and it stays the same

 

 

Regards 

0 Likes
Reply
12 Replies
EricPartington
Employee
Employee
‎2018-09-20 09:06 AM

This could be related to a index-concentrator change for logon.type from text to uint16 in the latest 11.2 update.

 

This was fixed in my case by subscribing to the envision content file in RSA live which pushed out a corrected index-concentrator.xml which set it back to text.

0 Likes
Reply
DaveGlover
New Contributor New Contributor
New Contributor
‎2018-09-20 10:38 AM

Following along with what Eric mentions, you can try the following  without the ' ' around the logon id value.  Run it manually in investigator to see if it returns values and runs correctly.

 

reference.id='528','540','4624' && logon.type=3 && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')

0 Likes
Reply
RenatoGoncalves
Beginner
Beginner
‎2018-09-20 10:38 AM

Hi Eric,

 

Thanks for the reply.

 

I did what you said and i believe that's ok....in the part of the app rules in log decoder.

 

In the metadata for reports it stayed the same: Schema fetched from data source is null for data source xxxxx. I believe that the update didn't help in this one

0 Likes
Reply
JohnKisner
Employee
Employee
‎2018-09-25 11:26 AM

Renato,

 

The account:logon-success-direct-access app rule is actually for the Informer from Netwitness 9.8 and below. Technically you should not be using this app rule any more. If you look it up within Live you can see it is a NWFL App Rule and was designed for the old Informer platform when you check its details. I believe the actual replacement for this app rule is Windows NTLM Network Logon Successful. If you search for this in Live there are two of these. One is an App Rule the other a Network Rule. You'll want the app rulle, you can tell which is which from the details page.

 

nw30060 is an internal app rule created by Netwitness for creating items within the old Risk metadata. All these app rules are actually being deprecated as the Risk meta is being phased out. There are brand new app rules to take the place of these older ones and they are a part of the newer Hunting Pack. 

 

I highly suggest removing these two rules and installing their current alternatives. You will probably see more items like this as the phasing out of the Risk meta continues. However there are, in general, replacement content to provide similar meta. There are some exceptions as some meta has been completely phased out due to lack  of use or they caused unnecessary performance hits. 

 

Whenever you are adjusting any content on the your decoders it is important to make small changes and watch for any performance degradation. Give yourself a few days to a week to allow your decoder to run through its complete cycle so you can get a true picture of how the adjustments will affect capture.

 

I hope this has helped.

0 Likes
Reply
RenatoGoncalves
Beginner
Beginner
‎2018-09-26 06:11 AM

I will do that John,

 

Thanks for the help

0 Likes
Reply
RenatoGoncalves
Beginner
Beginner
‎2018-09-26 06:18 AM

John,

 

In live i found UEBA Bundle and im thinking in deploy it. Does that help with what you said or its better to remove the ones you refer and download de other ones?

 

I case i try to deploy the Bundle which service should i use? Netwitness UI, Log Decoder, Server?

0 Likes
Reply
JohnKisner
Employee
Employee
In response to RenatoGoncalves
‎2018-09-26 10:37 AM

Renato,

 

It is best to remove the two app rules that are causing the error to appear as adding additional app rules will not remove these two. I believe the UEBA bundle is for those customers that are using the new UEBA component in Netwitness 11.2 only. I've been told that the Hunting Pack is what takes the place of the two app rules that you are having issues with. 

 

On a slightly different note, it is important that when you deploy content from Live that you subscribe to it and place it into a deployment group. This will make sure that if there are any updates to the content that you have deployed these updates will be pushed to the devices updating the content on those devices.Here is a document for 11.1 Live: Deployments Tab, there are similar documents for other versions.

0 Likes
Reply
RenatoGoncalves
Beginner
Beginner
‎2018-09-26 10:47 AM

Hello John,

I will do that.

 

Im seeing Content Bundles or Packs | RSA Link  and in the Ueba pack it has:

 

VERSIONS SUPPORTED
NetWitness 11.1 and higher

 

Is it correct? I didn't make the deployment because it ask me where to, and gives me 3 options:Netwitness UI, Log Decoder, Server and i don't know if i should deploy in one( which one?) or all of them.

0 Likes
Reply
JohnKisner
Employee
Employee
In response to RenatoGoncalves
‎2018-09-26 11:21 AM

Rernato,

 

I looked over the UEBA bundle per the page you provided. It does appear that the UEBA Essentials is not the UEBA part of the product that is in 11.2. Instead it is a collection of Live resources that does what it can out side of a full UEBA service. 

 

As to where to deploy the bundle, if you look at the page that you provided from RSA Link the bundle contains app rules, context hub lists, ESA rules, LUA parsers, and Reports. This means that to deploy the full bundle you would deploy to your packet decoder, log decoders, ESA, Reporting Engine, and Netwitness UI. Below is the mapping you can use to determine what goes where.

 

App Rules: Log/Packet Decoders

Context Hub Lists: Netwitness UI

ESA Rules: Event Stream Analysis service

LUA Parsers: Log/Packet Decoders

Reports: Reporting Engine

 

I hope this helps.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.