Thought we'd share another case experience relating to what we see as not a good example of managing SIEM parsers/comms with customers.
A few days ago the winevent_nic device parser was updated in Live: 16 Oct 2017, around 1600 GMT.
Parser Version: 209, Event Source Update: 111
4d4e5a2acb6012f7ad2529fbd48d363468bbb3c58629b0d861c7d66c71d8452f for the xml file
As of now the parser is still on Live (that's 19 Oct 2017, about 3am GMT).
This, among other things, stopped parsing cmdline for things like powershell and wscript.
It's worrying to see:
a) a delay from the Live team in getting it pulled, or replaced with a reverted version carrying a higher version number
b) no release note or git repo to track changes (History for devices/winevent_nic/v20_winevent_nicmsg.xml - netwitness/nw-logparsers · GitHub)
c) no notification to customers (let me guess, there won't be one when it's pulled)
d) dubious testing
Hoping to see people raise this with their A/Ms as well.
https://github.com/netwitness
There are two projects there:
nw-logparsers, where you can see the raw log parsers, diff between versions, and even make your own pull and changes and commit them back to be reviewed by the Live team. Or you can contribute any custom parsers that you have developed and feel comfortable sharing to help others in the RSA NetWitness community.
The other project is some Yara rules that you could try in the Malware appliance, I guess.
Can't help you with the QA part, other than opening a case when you see issues like this... we hope to have only positive changes when parsers change, but...
You can probably get GitHub to notify you of changes to the project or to specific parsers, but my GitFoo is a bit weak at the moment.