AnsweredAssumed Answered

Incorrect Windows Security 4728 Parsing

Question asked by Daniel Stephens on Nov 15, 2016
Latest reply on Nov 16, 2016 by Christopher Ahearn

There appears to be a problem with the stock windows log parser, particularly with security message 4728. Netwitness query to find these logs is:
msg.id = 'security_4728_microsoft-windows-security-auditing' 

 

We use this log to monitor for users added to AD groups that have admin privileges. The problem we have been encountering is that the usernames are not parsed correctly. The current user adding the new user is parsed as user.dst, the new user is not parsed at all, and the CN, OU, and DC fields are crammed into user.src. Here is an example.

In the above log, the user making the change is in highlighted in yellow; the user being added is on blue. 

In the meta of this log, you can see the user making the change still appears (as the destination, rather than source user) and the user being added is nowhere to be found. 

 

Why this matters is for two reasons:

1. Every time we get an alert, we have to navigate to the raw log to figure out the user who was added.

2. We have the AD groups we are monitoring in a list on the reporting engine and they are updated once users are approved to have privileged access. But without meta being generated for the user being added, there is no way to tune out the false positives of approved users being added. 

 

My questions are:
Does RSA have plans to fix this parser?
What is the level of effort to write a custom windows parser and replace the RSA one? Is that overkill?

Outcomes