Vladimir Previn

device parser content releases need more transparency

Discussion created by Vladimir Previn on Oct 18, 2017
Latest reply on Nov 1, 2017 by Vladimir Previn

thought we'd share another case experience relating to what we see is not a good example of managing SIEM parsers/comms with customers

 

A few days ago - winevent_nic device parser was update in Live. 16th Oct 2017 - around 1600 GMT

Parser Version: 209, Event Source Update: 111
4d4e5a2acb6012f7ad2529fbd48d363468bbb3c58629b0d861c7d66c71d8452f for the xml file

 

as of now the parser is still on live. (that's what 19 oct 2017 about 3am GMT) 

 

This among other things stopped parsing cmdline for things like powershell and wscript.

 

it’s worrying to see

a) a delay from the Live team in getting it pulled or replaced with reverted with a higher version  

b) no release note or git repo to track changes History for devices/winevent_nic/v20_winevent_nicmsg.xml - netwitness/nw-logparsers · GitHub 

c) no notification to customers (let me guess there won't be one when it's pulled)

d) dubious testing 

 

hoping to see people raise this with their A/Ms as well. 

Outcomes