RSA Admin

Security_560_Security Events for FileAuditing / GPOAuditing / Etc

Discussion created by RSA Admin Employee on Apr 16, 2008
Latest reply on Oct 31, 2008 by RSA Admin

Version 3.7.0 build 0169

 

I hope this helps . . . it took me a few to get to the bottom of this one.

 

My main objective was to audit Microsoft AD GPO additions, modifications, and deletions.  For the life of me I could not find the actual file being audited in the parsed data anywhere.  I could see the raw event being captured with the data I needed via the MessageView . . . but running reports, query, and alerts would not show the file being audited in the Misc Name field (which is where it is supposed to be).

 

I found the following to be true . . . it took me a bit of digging to get to this point.

 

The XML for the winevent_nic was not parsing the data properly.  The data field misc_name was being used twice in the same content string . . . which means the latter use was overwriting the first.   Look at message Security_560_Security:02 for example . . . Object Name: <misc_name> is the first instance and then later in the content string Image File Name: <misc_name> . . . the latter value kept showing up in Alerts, Query, and Reports.

 

SOLUTION:  Rename the data field that was mapping to Image File Name.  I created two new messages to get the content I needed . . . mapping Image File Name to a bogus_field.  The two messages I used to solve my issue, Security_560_Security:04 and Security_560_Security:05, can be seen below . . . 05 accounts for a random space in the incoming MS message.

 

<MESSAGE 
        level="4"  
        parse="1"  
        parsedefvalue="1"  
        tableid="5"  
        id1="Security_560_Security:04"  
        id2="Security_560_Security"  
        eventcategory="1401010000"  
        summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"        
        content="&lt;@utcstamp:*UTC($MSG,'%B %D %N:%U:%O %W',datetime)&gt;&lt;@category:Object_Access&gt; &lt;@event_user:*RMQ(event_user)&gt;&lt;event_log&gt;,&lt;linenum&gt;,&lt;day&gt; &lt;datetime&gt;,&lt;event_id&gt;,&lt;event_source&gt;,&lt;event_user&gt;,&lt;event_type&gt;,&lt;event_computer&gt;,&lt;category&gt;,&lt;data&gt;,&lt;event_description&gt;:&lt;space&gt;Object Server: &lt;obj_server&gt;Object Type: &lt;obj_type&gt;Object Name: &lt;misc_name&gt;Handle ID: &lt;handle_id&gt;Operation ID: &lt;operation_id&gt;Process ID: &lt;process&gt;Image File Name: &lt;bogus_field&gt;Primary User Name: &lt;username&gt;Primary Domain: &lt;domain&gt;Primary Logon ID: &lt;logon_id&gt;Client User Name: &lt;c_user_name&gt;Client Domain: &lt;c_domain&gt;Client Logon ID: &lt;c_logon_id&gt;Accesses &lt;accesses&gt;Privileges &lt;privileges&gt;Restricted Sid Count: &lt;fld4&gt;Access Mask: &lt;peer_id&gt;" />
<MESSAGE 
        level="4"  
        parse="1"  
        parsedefvalue="1"  
        tableid="5"  
        id1="Security_560_Security:05"  
        id2="Security_560_Security"  
        eventcategory="1401010000"  
        summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"        
        content="&lt;@utcstamp:*UTC($MSG,'%B %D %N:%U:%O %W',datetime)&gt;&lt;@category:Object_Access&gt; &lt;@event_user:*RMQ(event_user)&gt;&lt;event_log&gt;,&lt;linenum&gt;,&lt;day&gt; &lt;datetime&gt;,&lt;event_id&gt;,&lt;event_source&gt;,&lt;event_user&gt;,&lt;event_type&gt;,&lt;event_computer&gt;,&lt;category&gt;,&lt;data&gt;,&lt;event_description&gt;: &lt;space&gt; Object Server: &lt;obj_server&gt; Object Type: &lt;obj_type&gt; Object Name: &lt;misc_name&gt; Handle ID: &lt;handle_id&gt; Operation ID: &lt;operation_id&gt; Process ID: &lt;process&gt; Image File Name: &lt;bogus_field&gt; Primary User Name: &lt;username&gt; Primary Domain: &lt;domain&gt; Primary Logon ID: &lt;logon_id&gt; Client User Name: &lt;c_user_name&gt; Client Domain: &lt;c_domain&gt; Client Logon ID: &lt;c_logon_id&gt; Accesses &lt;accesses&gt; Privileges &lt;privileges&gt; Restricted Sid Count: &lt;fld4&gt; " />
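As an added illustration (not enVision's parser and not code from the post above): a small Python model of template-driven field extraction that reproduces the overwrite the post describes, and shows that renaming the second mapping to bogus_field keeps the GPO file in misc_name. The sample event text, paths and shortened templates are constructed, and the whitespace-tolerant matching generalises the post's two separate :04 and :05 messages into one pattern.

```python
import re

# Constructed sample bodies of a Windows Security 560 (Object Open) event,
# flattened the way the post's content strings expect.  Not real log data;
# the paths and handle values are placeholders.
GPO_FILE = r"\\dc01\SYSVOL\example.local\Policies\{GUID-PLACEHOLDER}\gpt.ini"
IMAGE = r"C:\WINDOWS\system32\mmc.exe"
SAMPLE = (f"Object Name: {GPO_FILE} Handle ID: 1234 Process ID: 5678 "
          f"Image File Name: {IMAGE} Primary User Name: gpoadmin")
# Same event with the "random space" that the post's :05 message exists for.
SAMPLE_SPACED = SAMPLE.replace("Object Name: ", "Object Name:  ")

# Shortened versions of the post's content templates: the original maps
# Image File Name to misc_name a second time; the fix maps it to bogus_field.
BROKEN = ("Object Name: <misc_name>Handle ID: <handle_id>Process ID: <process>"
          "Image File Name: <misc_name>Primary User Name: <username>")
FIXED = BROKEN.replace("Image File Name: <misc_name>",
                       "Image File Name: <bogus_field>")

TOKEN = re.compile(r"<(\w+)>")

def compile_template(template):
    """Turn 'Label: <field>Next: <field2>' into a regex with one lazy group
    per <field> occurrence.  Whitespace runs in the literal text become
    \\s*, so one pattern tolerates the spaced and the unspaced layouts."""
    regex, names = "", []
    for i, part in enumerate(TOKEN.split(template)):
        if i % 2:                         # odd items are field names
            names.append(part)
            regex += r"(.*?)"
        else:                             # even items are literal text
            regex += r"\s*".join(re.escape(p) for p in re.split(r"\s+", part))
    return re.compile(regex + r"\s*$", re.DOTALL), names

def parse(template, message):
    """Apply the template; returns the field dict, or None on no match.
    Assignment is positional and last-write-wins, which is why a field
    name used twice loses its first value (the post's misc_name problem)."""
    pattern, names = compile_template(template)
    match = pattern.match(message)
    if match is None:
        return None
    fields = {}
    for name, value in zip(names, match.groups()):
        fields[name] = value.strip()      # a repeated name overwrites here
    return fields

if __name__ == "__main__":
    print("broken misc_name:", parse(BROKEN, SAMPLE)["misc_name"])
    print("fixed  misc_name:", parse(FIXED, SAMPLE)["misc_name"])
```

With BROKEN the misc_name value is the image path, exactly the symptom seen in Alerts, Query and Reports; with FIXED it is the gpt.ini path under SYSVOL.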
 
