Parsing Windows Events

Hello ESM Operators!

I've been trying to create a correlation rule that detects the behavior in this article: "Detecting Kerberoasting Activity" (Active Directory Security).

If you aren't an AD guy, don't worry - the long and short of it is I have a Windows event that includes a bit of data that is not already a field in the custom types or details tabs when viewing the event in ESM, but I need to use it in a correlation rule. The data I need to evaluate is in %6 and the description of the Windows event.

How can I parse Windows events beyond what ESM does out of the box, so I can create a correlation rule based on some information in that event?

Thanks!

1 Solution

Accepted Solutions
paul.k
Level 10
Message 2 of 6

Re: Parsing Windows Events

This is a tough one. I have come across similar issues myself.

The only way to write a custom parser for Windows events is with a CEF agent and using it as a CEF data source.

Now if the description field contains the %6 value you wish to locate, you might be able to use a contains or regex value to match against.

Disclaimer: not all fields have that option.

PS: how's 10.0 treating you?
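The answer above leaves the matching to a regex on the event description. As an added example (not from the thread or from ESM), the following shows what such a description-level parse and rule look like in Python: it splits the rendered "Field: Value" lines of a Windows Security event into a dictionary and evaluates a regex-per-field rule over it. It assumes the event in question is the Kerberos service-ticket request audit and that the ticket encryption type is the value of interest; the sample text, field names and the rule's exclusions are my assumptions, not something the thread specifies.

```python
import re

# Constructed sample of a rendered Windows Security event description in the
# indented "Field:<tabs>Value" layout; values are made up for this example.
SAMPLE_DESCRIPTION = """A Kerberos service ticket was requested.

Account Information:
\tAccount Name:\t\tjdoe@CORP.EXAMPLE

Service Information:
\tService Name:\t\tsvc_sql

Network Information:
\tClient Address:\t\t::ffff:10.0.0.25

Additional Information:
\tTicket Encryption Type:\t0x17
\tFailure Code:\t\t0x0
"""

# One "Field:<whitespace>Value" line. Section headers such as
# "Account Information:" carry no value after the colon and are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:\t]+?):\s*(?P<value>\S.*?)\s*$")

# Rule as one regex per extracted field; every pattern must match for the rule
# to fire: RC4 ticket (0x17), successful request, and a service name that is
# neither krbtgt nor a machine account (trailing '$'). This tuning is an
# assumption for the example, not something the thread specifies.
RULE = {
    "Ticket Encryption Type": r"^0x17$",
    "Failure Code": r"^0x0$",
    "Service Name": r"^(?!krbtgt$)(?!.*\$$).+",
}


def parse_description(text: str) -> dict:
    """Extract 'Field: Value' pairs from a rendered event description."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def rule_matches(fields: dict, rule: dict) -> bool:
    """True only if every field named in the rule is present and matches."""
    return all(key in fields and re.search(pat, fields[key])
               for key, pat in rule.items())
```

In ESM terms, the dictionary stands in for the fields a CEF parser would populate, and the rule is what the correlation rule's contains/regex conditions would evaluate.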

5 Replies

Re: Parsing Windows Events

That's too bad - I would have thought there'd be native parsing of Windows events. I'll have to spend some time with it then.

10 is nice overall!  No major issues.

paul.k
Level 10
Message 4 of 6

Re: Parsing Windows Events

Tallmega,

So Windows parsing is native, custom parsing is not.

Good luck.

sssyyy
Reliable Contributor
Message 5 of 6

Re: Parsing Windows Events

So you can write custom parsers for WMI events? I thought you could only do it for ASP, and the built-in WMI is not good enough?

xded
Level 12
Message 6 of 6

Re: Parsing Windows Events

No, you can't; there is only a custom parser for syslog.
