RSA Log Decoder rule error
I recently noted that we are obtaining an error in the log decoder configurations.
Two of the rules that are configured are highlighted. The rules are
nw30060 and account:logon-success-direct-access.
They have the following syntax:
nw30060: reference.id='528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')
account:logon-success-direct-access: ((ec.activity='Logon' && ec.outcome='Success') || (event.cat.name='User.Activity.Successful Logins')) && logon.type='2','10'
I tried to test them in the reports view, but I also noticed that the meta has disappeared and it is now retrieving the following information:
Schema fetched from data source is null for data source xxxxx. I tried to use all the data sources that we have and it stays the same.
This could be related to an index-concentrator change for logon.type from text to uint16 in the latest 11.2 update.
This was fixed in my case by subscribing to the envision content file in RSA live which pushed out a corrected index-concentrator.xml which set it back to text.
Following along with what Eric mentions, you can try the following without the ' ' around the logon id value. Run it manually in investigator to see if it returns values and runs correctly.
reference.id='528','540','4624' && logon.type=3 && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')
Thanks for the reply.
I did what you said and I believe that's OK... in the part of the app rules in the log decoder.
In the metadata for reports it stayed the same: Schema fetched from data source is null for data source xxxxx. I believe that the update didn't help in this one.
The account:logon-success-direct-access app rule is actually for the Informer from Netwitness 9.8 and below. Technically you should not be using this app rule any more. If you look it up within Live you can see it is a NWFL App Rule and was designed for the old Informer platform when you check its details. I believe the actual replacement for this app rule is Windows NTLM Network Logon Successful. If you search for this in Live there are two of these. One is an App Rule, the other a Network Rule. You'll want the app rule; you can tell which is which from the details page.
nw30060 is an internal app rule created by Netwitness for creating items within the old Risk metadata. All these app rules are actually being deprecated as the Risk meta is being phased out. There are brand new app rules to take the place of these older ones and they are a part of the newer Hunting Pack.
I highly suggest removing these two rules and installing their current alternatives. You will probably see more items like this as the phasing out of the Risk meta continues. However, there is, in general, replacement content to provide similar meta. There are some exceptions, as some meta has been completely phased out due to lack of use or because it caused unnecessary performance hits.
Whenever you are adjusting any content on your decoders it is important to make small changes and watch for any performance degradation. Give yourself a few days to a week to allow your decoder to run through its complete cycle so you can get a true picture of how the adjustments will affect capture.
I hope this has helped.
In Live I found the UEBA Bundle and I'm thinking of deploying it. Does that help with what you said, or is it better to remove the ones you refer to and download the other ones?
In case I try to deploy the Bundle, which service should I use? Netwitness UI, Log Decoder, Server?
It is best to remove the two app rules that are causing the error to appear as adding additional app rules will not remove these two. I believe the UEBA bundle is for those customers that are using the new UEBA component in Netwitness 11.2 only. I've been told that the Hunting Pack is what takes the place of the two app rules that you are having issues with.
On a slightly different note, it is important that when you deploy content from Live you subscribe to it and place it into a deployment group. This will make sure that if there are any updates to the content you have deployed, these updates will be pushed to the devices, updating the content on those devices. Here is a document for 11.1 Live: Deployments Tab; there are similar documents for other versions.
I will do that.
I'm seeing Content Bundles or Packs | RSA Link and in the UEBA pack it has:
NetWitness 11.1 and higher
Is it correct? I didn't make the deployment because it asks me where to, and gives me 3 options: Netwitness UI, Log Decoder, Server, and I don't know if I should deploy to one (which one?) or all of them.
I looked over the UEBA bundle per the page you provided. It does appear that the UEBA Essentials is not the UEBA part of the product that is in 11.2. Instead it is a collection of Live resources that does what it can outside of a full UEBA service.
As to where to deploy the bundle, if you look at the page that you provided from RSA Link the bundle contains app rules, context hub lists, ESA rules, LUA parsers, and Reports. This means that to deploy the full bundle you would deploy to your packet decoder, log decoders, ESA, Reporting Engine, and Netwitness UI. Below is the mapping you can use to determine what goes where.
App Rules: Log/Packet Decoders
Context Hub Lists: Netwitness UI
ESA Rules: Event Stream Analysis service
LUA Parsers: Log/Packet Decoders
Reports: Reporting Engine
I hope this helps.