McAfee Support Community - Re: parser field issue

izik · ‎12-12-2018

Hi

if i have a log that contains 2 process ID , when i create parser can i add both to the same field ?

for example this windows log :

.....New Process ID: 0x72ac New Process Name: C:\Windows\System32\control.exe Token Elevation Type: %%1938 Mandatory Label: S-8-8-8-8 Creator Process ID: 0x3470 Creator Process Name: C:\Windows\System32\cmd.exe.....

i want to add both New Process ID and Creator Process ID to the same field

is it possible ?

David1111 · ‎12-12-2018

in ASP its possible in the "Field Assignment" Tab
(e.g. Syslog, CEF, MEF, API etc.)

but i'm sorry to say that on WMI logs there's nothing to do.

McAfee ESM dosn't let Changes to the WMI Parsing Process.

Best regards.

izik · ‎12-12-2018

Hi

yes i know that , the logs are insert with syslog , so this is not a problem

i wrote aprser , but if i add 2 keys to the same field it is write them together , i want to add them sepreatly so i try to click on the PLUS sign next to the field and seprate the keys but after i checked it still only show the first one.

is it possible ? look at the process_name field

David1111 · ‎12-12-2018

Hi

try pressing again on the " + " Icon

insert them in the childrens "Process_name" field

izik · ‎12-12-2018

Hi

i try to do what you suggeset , but after i rolled out the policy it is back to parnet and child by itself

did you manage to configure somthinf like that ?

David1111 · ‎12-13-2018

Hi,

no, i didn't have a this issue in the past.

but when looking on the Check point Field Assignment (made by McAfee Team)

i see a lot of Parent & children definitens.

mabey try coping the way they did it.. for example i see in "threat name" field 3 children.

so it means it's possible somehow..

Best regards.

izik · ‎12-13-2018

i take a look at the checkpoint field assigmnet , and you are right they are using parent & child , i take some checkpoint logs and insert in the sample cube to see if they are do what i want and it is seem not , they are not insert 2 different values to the same field , i guess they are using parent and child because there is changes in logs between checkpoint versions

mherr · ‎12-16-2018

Do you want the New Process ID and Creator Process ID to be in the same field?

If so, just put the following in Process_Name

3:1+" "+4:1

You could also do something like the following:

"New: "+3:1+" Creator: "+4:1

izik · ‎12-17-2018

@mherr wrote:
Do you want the New Process ID and Creator Process ID to be in the same field?

If so, just put the following in Process_Name
3:1+" "+4:1
You could also do something like the following:
"New: "+3:1+" Creator: "+4:1

Hi

I want them to be in the same field but separately, i mean that for 1 log i will have 2 process_id field in the costum types,

the reason i want it is because in this way i can build a correlation rule that group by this field and than i can check if low privilage process create a high privilage (privilage escaltion)

If there is other way i will happy to hear, if it is not explained well, i can write amore detailed explanation