izik
Level 7
Message 1 of 9

parser field issue

Hi

If I have a log that contains 2 process IDs, when I create a parser can I add both to the same field?

For example, this Windows log:

.....New Process ID:  0x72ac   New Process Name: C:\Windows\System32\control.exe   Token Elevation Type: %%1938   Mandatory Label:  S-8-8-8-8   Creator Process ID: 0x3470   Creator Process Name: C:\Windows\System32\cmd.exe.....

I want to add both New Process ID and Creator Process ID to the same field.

Is it possible?

8 Replies
Reliable Contributor David1111
Message 2 of 9

Re: parser field issue

In ASP it's possible in the "Field Assignment" tab
(e.g. Syslog, CEF, MEF, API etc.)


But I'm sorry to say that on WMI logs there's nothing to do.

McAfee ESM doesn't allow changes to the WMI parsing process.

 

Best regards.

izik
Level 7
Message 3 of 9

Re: parser field issue

Hi

Yes, I know that; the logs are inserted with syslog, so this is not a problem.

I wrote a parser, but if I add 2 keys to the same field it writes them together. I want to add them separately, so I tried clicking on the PLUS sign next to the field and separating the keys, but after I checked it still only shows the first one.

Is it possible? Look at the process_name field.

field.PNG

Reliable Contributor David1111
Message 4 of 9

Re: parser field issue

Hi 

Try pressing the " + " icon again

and insert them in the children's "Process_name" field.

izik
Level 7
Message 5 of 9

Re: parser field issue

Hi

I tried to do what you suggested, but after I rolled out the policy it went back to parent and child by itself.

Did you manage to configure something like that?

Reliable Contributor David1111
Message 6 of 9

Re: parser field issue

Hi,

No, I didn't have this issue in the past.

But when looking at the Check Point Field Assignment (made by the McAfee team)

I see a lot of parent & children definitions.

Maybe try copying the way they did it. For example, I see 3 children in the "threat name" field.

So it means it's possible somehow.

 

Best regards.

 

izik
Level 7
Message 7 of 9

Re: parser field issue

I took a look at the Check Point field assignment, and you are right, they are using parent & child. I took some Check Point logs and inserted them in the sample cube to see if they do what I want, and it seems not; they do not insert 2 different values into the same field. I guess they are using parent and child because there are changes in logs between Check Point versions.

McAfee Employee mherr
Message 8 of 9

Re: parser field issue

Do you want the New Process ID and Creator Process ID to be in the same field?   

 

If so, just put the following in Process_Name

3:1+" "+4:1

You could also do something like the following:

"New: "+3:1+" Creator: "+4:1

 

izik
Level 7
Message 9 of 9

Re: parser field issue


@mherr wrote:

Do you want the New Process ID and Creator Process ID to be in the same field?   

 

If so, just put the following in Process_Name

3:1+" "+4:1

You could also do something like the following:

"New: "+3:1+" Creator: "+4:1

 


Hi

I want them to be in the same field but separately. I mean that for 1 log I will have 2 process_id fields in the custom types.

The reason I want it is that this way I can build a correlation rule that groups by this field, and then I can check if a low privilege process creates a high privilege one (privilege escalation).

 

If there is another way I will be happy to hear it. If it is not explained well, I can write a more detailed explanation.

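As an added example (not code from this thread and not McAfee ESM or ASP code), the Python below does outside the SIEM what the two last posts are talking about: it pulls both process IDs out of the 4688-style line quoted in the thread, builds the single concatenated value that mherr's `3:1+" "+4:1` assignment produces, emits the two IDs separately the way izik wants them, and then runs the parent/child join his correlation rule is meant to do, flagging a child that is logged with a Full token when its creator was logged with a Limited token. The Token Elevation Type meanings (%%1936 Default, %%1937 Full, %%1938 Limited) are the standard values for Windows event 4688; the sample events other than the one quoted in the thread, and every PID and path in them except 0x72ac/0x3470, are constructed for the example.

```python
import re

# Token Elevation Type values as they appear in Windows event 4688.
ELEVATION = {
    "%%1936": "Default",  # type 1: no split token (UAC off, built-in admin, service)
    "%%1937": "Full",     # type 2: elevated token
    "%%1938": "Limited",  # type 3: filtered (non-elevated) token
}

# One regex over the fragment format quoted in the thread; named groups
# stand in for ASP's numbered capture references.
FIELD_RE = re.compile(
    r"New Process ID:\s+(?P<new_pid>0x[0-9a-fA-F]+)\s+"
    r"New Process Name:\s+(?P<new_name>.+?)\s+"
    r"Token Elevation Type:\s+(?P<elev>%%\d+)\s+"
    r"Mandatory Label:\s+(?P<label>\S+)\s+"
    r"Creator Process ID:\s+(?P<creator_pid>0x[0-9a-fA-F]+)\s+"
    r"Creator Process Name:\s+(?P<creator_name>\S.*?)\s*$"
)

# Constructed sample. SAMPLE_EVENTS[1] is the fragment quoted in the thread
# (minus the "....." that marked truncation); lines 0 and 2 are hypothetical,
# built so that 0x3470 (cmd.exe, Limited) later spawns a Full-token child.
SAMPLE_EVENTS = [
    r"New Process ID:  0x3470   New Process Name: C:\Windows\System32\cmd.exe   Token Elevation Type: %%1938   Mandatory Label:  S-8-8-8-8   Creator Process ID: 0x1a2c   Creator Process Name: C:\Windows\explorer.exe",
    r"New Process ID:  0x72ac   New Process Name: C:\Windows\System32\control.exe   Token Elevation Type: %%1938   Mandatory Label:  S-8-8-8-8   Creator Process ID: 0x3470   Creator Process Name: C:\Windows\System32\cmd.exe",
    r"New Process ID:  0x5e10   New Process Name: C:\Windows\System32\cmd.exe   Token Elevation Type: %%1937   Mandatory Label:  S-8-8-8-8   Creator Process ID: 0x3470   Creator Process Name: C:\Windows\System32\cmd.exe",
]


def parse_event(line):
    """Return the 4688 fields as a dict, or None if the line does not match."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def combined_pid_field(ev):
    """The single-field form mherr suggests: new PID, a space, creator PID."""
    return ev["new_pid"] + " " + ev["creator_pid"]


def split_pid_fields(ev):
    """The 'separately' form izik asks for: two values for one custom type."""
    return [ev["new_pid"], ev["creator_pid"]]


def find_elevation_chains(lines):
    """Join each event's Creator Process ID to an earlier event's New Process ID
    and report children logged with a Full token whose creator was Limited."""
    created = {}  # new_pid -> event; a later creation overwrites (PIDs get reused)
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        parent = created.get(ev["creator_pid"])
        if (parent is not None
                and ELEVATION.get(parent["elev"]) == "Limited"
                and ELEVATION.get(ev["elev"]) == "Full"):
            hits.append({
                "creator_pid": ev["creator_pid"], "creator_name": parent["new_name"],
                "new_pid": ev["new_pid"], "new_name": ev["new_name"],
            })
        created[ev["new_pid"]] = ev
    return hits


if __name__ == "__main__":
    for ev in map(parse_event, SAMPLE_EVENTS):
        print(combined_pid_field(ev), split_pid_fields(ev))
    for hit in find_elevation_chains(SAMPLE_EVENTS):
        print("Limited creator %s (%s) spawned Full child %s (%s)" % (
            hit["creator_pid"], hit["creator_name"], hit["new_pid"], hit["new_name"]))
```

The join keys on the PID only, so it is per host and breaks when a PID is recycled between two events; a real rule should also group on the host and use a short time window. Note too that on a live system a process elevated through the UAC prompt is not created directly by the interactive shell, so a Limited-creator/Full-child pair like the constructed one here is worth alerting on precisely because the normal elevation path does not produce it.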