Nikolay Klender

Sources and Destinations metas logic

Discussion created by Nikolay Klender on Jul 15, 2019

Hi If we look at winevent_nic parser and take 4732 event as example (User was added to group) than user who perfromed action is placed in user.dst meta and user which was added to group (new member) is placed to user.src

For me it is much clearly oposite approach: user who performed action should be source user account and new member is destination user account? 

Same thing with 4625 windows event: failed login attempt user for which login was failed is placed in user.dst why?

I am asking because in most parsers we fixed appoach: who is placed in source meta. But new netwitness 11 has UEBA version and I think is created with default approach so if I plan to user UEBA seems like I need to discard my changes.

Outcomes