Windows default parser

Hi,

I want to parse additional fields from different Windows events.

For example, I want to extract the "Sub Status". This is from the default Windows event 4625:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

 

How can I do it in the system? Can someone please instruct me?

I'm spending hours figuring out the right places to look.

And why is there no option to just search the ASP rules database?

PLEASE help

14 Replies
Level 10

Re: Windows default parser

I don't think you can change WMI parsers like ASP rules. You need a PER, and McAfee will assess it, update their parsers and include that in the rule update.


Re: Windows default parser

So, if I'm looking at Windows event ID 4625,

and have this "custom type" section (highlighted in yellow) in one of my collected events,

is this a custom type made OOB (out-of-box) that belongs to the default ASP,

or is this a clear indication of a custom ASP rule?

Is there ANY option to parse additional wanted data from Windows events?

McAfee Employee

Re: Windows default parser

If you want to customise the parsing of Windows events you would need to send them in as syslog (at this time).  There is a product idea to add custom parsing but it has not been implemented yet - please continue to support it.

https://community.mcafee.com/t5/Enterprise-Customer-Product/Create-Custom-WMI-Parsing-Rules/idi-p/58...

You can use a tool like NXLog CE to forward the Windows events as syslog instead and then use the ASP to perform custom parsing.

With respect to the specific fields you are talking about - we parse the substatus, but it is then translated using the values in /etc/NitroGuard/ and it is rendered as "user name does not exist"

#Domain_Controller_Logon_Error_Codes=1
GLOBAL_LOOKUP_TABLE=1,10,{0xC0000064="user name does not exist",0xC000006A="user name is correct but the password is wrong",0xC0000234="user is currently locked out",0xC0000072="account is currently disabled",0xC000006F="user tried to logon outside his day of week or time of day restrictions",0xC0000070="workstation restriction",0xC0000193="account expiration",0xC0000071="expired password",0xC0000224="user is required to change password at next logon",0xC0000225="evidently a bug in Windows and not a risk",}


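As an added example (not code from McAfee or from anyone in this thread), here is a small Python parser that does offline what the reply above describes: it extracts Status and Sub Status from a 4625 message body, pulls the account name for a "Source User" style field, and translates the sub status with the lookup table quoted above. The table is copied from the GLOBAL_LOOKUP_TABLE line; the three event bodies, the account names and the regular expressions are constructed for this example and are an assumption about what an ASP rule would capture. The third event uses a code that is absent from the table together with a Sub Status of 0x0, so the fallback path is visible.

```python
import re

# Added example (not McAfee ESM code). The table is copied verbatim from the
# GLOBAL_LOOKUP_TABLE line in the post above; keys are stored in upper case so
# that 0xC000006a and 0xC000006A hit the same entry.
SUB_STATUS_TEXT = {
    "0XC0000064": "user name does not exist",
    "0XC000006A": "user name is correct but the password is wrong",
    "0XC0000234": "user is currently locked out",
    "0XC0000072": "account is currently disabled",
    "0XC000006F": "user tried to logon outside his day of week or time of day restrictions",
    "0XC0000070": "workstation restriction",
    "0XC0000193": "account expiration",
    "0XC0000071": "expired password",
    "0XC0000224": "user is required to change password at next logon",
    "0XC0000225": "evidently a bug in Windows and not a risk",
}

# Captures of the kind an ASP rule's regular expression would define (assumed
# patterns, not McAfee's). "^\s*Status:" cannot match the "Sub Status:" line
# because that line has "Sub " between the leading whitespace and "Status:".
STATUS_RE = re.compile(r"^\s*Status:\s*(0x[0-9A-Fa-f]+)", re.M)
SUB_STATUS_RE = re.compile(r"^\s*Sub Status:\s*(0x[0-9A-Fa-f]+)", re.M)
# Account name from the "Account For Which Logon Failed" section of 4625,
# the value the questioner wanted mapped to the ESM "Source User" field.
ACCOUNT_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", re.S)


def pick_code(status, sub_status):
    """Return the code worth translating: the sub status when it is set,
    otherwise the status (Windows writes Sub Status 0x0 when there is no
    more specific NTSTATUS code for the failure)."""
    if sub_status and int(sub_status, 16) != 0:
        return sub_status
    return status


def parse_4625(message):
    """Extract status, sub status and account name from a 4625 message body
    and translate the relevant code; codes missing from the table are kept
    as raw hex instead of being silently dropped."""
    status = STATUS_RE.search(message)
    sub = SUB_STATUS_RE.search(message)
    acct = ACCOUNT_RE.search(message)
    status = status.group(1) if status else None
    sub = sub.group(1) if sub else None
    code = pick_code(status, sub)
    reason = SUB_STATUS_TEXT.get(
        code.upper() if code else "", f"{code} (no translation in table)")
    return {
        "status": status,
        "sub_status": sub,
        "source_user": acct.group(1) if acct else None,
        "failure_reason": reason,
    }


# Constructed sample event bodies (not real logs), laid out like the
# Failure Information block quoted in the question.
SAMPLE_EVENTS = [
    # Sub status from the question: user name does not exist.
    "An account failed to log on.\n\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tnosuchuser\n\tAccount Domain:\t\tCORP\n\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n",
    # The case the questioner reports: real user, wrong password (lower-case hex as posted).
    "An account failed to log on.\n\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006a\n",
    # A status that is not in the table, with no sub status at all.
    "An account failed to log on.\n\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tsvc-backup\n\tAccount Domain:\t\tCORP\n\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tThe user has not been granted the requested logon type at this machine.\n"
    "\tStatus:\t\t\t0xC000015B\n\tSub Status:\t\t0x0\n",
]


def parse_all(events=SAMPLE_EVENTS):
    """Parse every sample event; returned so the results can be checked."""
    return [parse_4625(e) for e in events]


if __name__ == "__main__":
    for r in parse_all():
        print(f"{r['source_user']:<12} {r['status']} {r['sub_status'] or '-':<11} {r['failure_reason']}")
```

Run as a script, the second event comes out as "user name is correct but the password is wrong", which is the text the next reply says the SIEM should be showing for 0xC000006A; the third keeps "0xC000015B (no translation in table)" so an unmapped code is visible in the field rather than lost.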

Re: Windows default parser

According to my actual system logs,

event ID 4625 with error code 0xC000006A, for example,

is actually parsed to this text: "The attempted logon is invalid. This is either due to a bad username or authentication information."

I don't like it, since it is just not the accurate failure reason. According to the Windows documentation (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625) and the translation index you mentioned,

this specific error code implies "user name is correct but the password is wrong", and that should be the text I'm seeing. I wonder where the problem lies here.

McAfee Employee

Re: Windows default parser

I don't know of any updated custom parser documentation - what are you looking to understand?  The document you've linked to doesn't appear to have any significant inaccuracies that I can see.

As for the error code being parsed differently - please raise a service request.  In my testing, all my events exactly match the text from my /etc/NitroGuard/wmi.mapping.info.txt so it doesn't make sense that your SIEM would invent a new value that doesn't exist anywhere.


Re: Windows default parser

@lratcliffe I actually had to work with your internal mapping since I'm having issues working with what I really want (still learning parsing rules).

I'm used to working with the specific sub status info [that was a more accurate indication for me].

I would expect to see sub-status 0xC000006a translated/mapped to

"user name is correct but the password is wrong" (like the link suggests),

but instead your mapping is more general:

"The attempted logon is invalid. This is either due to a bad username or authentication information."


Re: Windows default parser

Hi

Does McAfee have an updated version of the PDF referred to here?

https://kc.mcafee.com/corporate/index?page=content&id=KB91898&actp=null&viewlocale=en_US&showDraft=f...

 

If I can't forward Windows events as syslog, what is my most correct way to extract data into existing/new fields? McAfee version 11.3.


Re: Windows default parser

OK, so I created a new ASP rule,

assigned it to the "Windows Event Log - WMI" type in my Data Source Settings. V

Content string: provided. V

Regular expression and mapping: done [I extracted only 1 field just for the check and mapped it to "Source User", since the current default mapping is not working well enough and leaves me with null values].

And... rolled it out to the wanted data source. V

Now,

when new events arrive, "Source User" is empty, meaning the ASP rule I created is not extracting the wanted content into that field.

What am I doing wrong?

Is the Windows default parser taking over? Is the ASP rule not extracting the additional data?

I thought of copying the Windows default parsing rule and modifying it, but it turns out you can't do that.

would love for help.

@lratcliffe
McAfee Employee

Re: Windows default parser

You will have to disable the default Windows parser rule and make sure the new ASP rule is enabled.

Then go to Rule Ordering in policy editor and move the newly created asp custom rule to the top.

Then roll out the policy.

Then check the new events.
