Hi Community,
I have developed some DSMs so far. Usually I create a regex for "Event ID" and "Event Category" and use this combination for Event Mappings.
We have some Windows logs that are not sent through WinCollect. Therefore, we have some trouble parsing and mapping them. I thought about extracting the Event ID and Event Category the same way the standard Windows DSM does.
For the following Event:
<13>Oct 12 16:57:50 Contoso AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.3.0.24 Source=Microsoft-Windows-Security-Auditing Computer=Contoso.Microsoft.org OriginatingComputer=192.168.0.1 User= Domain= EventID=4769 EventIDCode=4769 EventType=8 EventCategory=14337 RecordNumber=4152681500 TimeGenerated=1665586670 TimeWritten=1665586670 Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTLOGON_KERBEROS Opcode=Info Message=A Kerberos service ticket was requested. Account Information: Account Name:
maxmueller@Microsoft.org Account Domain: Microsoft.org Logon GUID: {B21278DA-5493-A9D8-BF46-215AF443831E} Service Information: Service Name: Contoso$ Service ID: Microsoft\Contoso$ Network Information: Client Address: ::ffff:10.206.8.149 Client Port: 51347 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120.
We see:
Event ID: 4769
Event Category:
Success Audit:Event:
Success Audit: A Kerberos service ticket was granted |
Using the DSM Editor, I cannot see which expression extracts "Success Audit".
I exported the DSM and, taking a look at the XML, I cannot find any expression which results in "Success Audit"...
A possible solution would be the property Keywords=Audit Success within the payload, but I couldn't find any such expression in the XML.
First question: How do I find out what is being used to extract the Event Category?
------------
My event looks like this:
bla bla blabla bla blabla bla blabla bla blabla bla bla Event ID: 4769 bla bla blabla bla blabla bla blabla bla bla Event Category: Success Audit bla bla blabla bla blabla bla blabla bla bla
Then I extract
Event ID: 4769
Event Category:
Success Audit:
and use the current event mapping below:
Event:
Success Audit: A Kerberos service ticket was granted |
Will it work?
[UPDATE] Yes. It works!
Thank you!
Regards,
Bruno
------------------------------
BrunoMarX
------------------------------
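Added example (not from the original post and not QRadar's DSM code): a Python sketch of the two extractions the post describes, Event ID from `EventID=` and Event Category derived from `EventType` (with `Keywords` as fallback), combined into the key a mapping table is looked up by. The key=value splitting regex, the EventType code table and the one-entry mapping table are assumptions of this example; the sample payload is constructed from the event shown above.

```python
import re

# Constructed sample, trimmed from the event format quoted in the post (one line).
SAMPLE = ("<13>Oct 12 16:57:50 Contoso AgentDevice=WindowsLog AgentLogFile=Security "
          "Source=Microsoft-Windows-Security-Auditing Computer=Contoso.Microsoft.org "
          "User= Domain= EventID=4769 EventIDCode=4769 EventType=8 EventCategory=14337 "
          "Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTLOGON_KERBEROS "
          "Message=A Kerberos service ticket was requested. Account Name: maxmueller@Microsoft.org")

# Key=Value pairs whose values may contain spaces (Level=Log Always, Keywords=Audit Success):
# a value ends just before the next " Key=" or at end of payload. Empty values (User=) are kept.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# Classic Windows event-log EventType codes: EVENTLOG_AUDIT_SUCCESS = 8, EVENTLOG_AUDIT_FAILURE = 16.
EVENTTYPE_CATEGORY = {"8": "Success Audit", "16": "Failure Audit"}
# Fallback: the Keywords field carries the same information as text.
KEYWORD_CATEGORY = {"Audit Success": "Success Audit", "Audit Failure": "Failure Audit"}

# Constructed stand-in for the Event ID + Event Category mapping table; only the entry
# from the post is filled in, anything else is treated as unmapped (None).
EVENT_MAPPING = {("4769", "Success Audit"): "A Kerberos service ticket was granted"}


def parse_fields(payload):
    """Split the payload into a dict of Key -> Value (later duplicates win)."""
    return dict(KV_RE.findall(payload))


def extract_event_id(payload):
    """Event ID regex: match EventID= but not EventIDCode=."""
    m = re.search(r"\bEventID=(\d+)", payload)
    return m.group(1) if m else None


def extract_event_category(payload):
    """Derive 'Success Audit' / 'Failure Audit' from EventType, else from Keywords."""
    fields = parse_fields(payload)
    category = EVENTTYPE_CATEGORY.get(fields.get("EventType", ""))
    if category is None:
        category = KEYWORD_CATEGORY.get(fields.get("Keywords", ""))
    return category


def map_event(payload):
    """Return the (Event ID, Event Category) key and the mapped event name, or None."""
    key = (extract_event_id(payload), extract_event_category(payload))
    return key, EVENT_MAPPING.get(key)


if __name__ == "__main__":
    print(map_event(SAMPLE))
```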