cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
izik
Level 7
Report Inappropriate Content
Message 1 of 9
‎12-12-2018 04:39 AM

parser field issue

Hi

if i have a log that contains 2 process ID , when i create parser can i add both to the same field ? 

for example  this windows log :

.....New Process ID:  0x72ac   New Process Name: C:\Windows\System32\control.exe   Token Elevation Type: %%1938   Mandatory Label:  S-8-8-8-8   Creator Process ID: 0x3470   Creator Process Name: C:\Windows\System32\cmd.exe.....

i want to add both New Process ID and Creator Process ID to the same field 

is it possible ?

0 Kudos
Reply
8 Replies
Highlighted
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 9
‎12-12-2018 05:29 AM

Re: parser field issue

in ASP its possible in the "Field Assignment" Tab
(e.g. Syslog, CEF, MEF, API etc.)


but i'm sorry to say that on WMI  logs there's nothing to do.

McAfee ESM dosn't let Changes to the WMI Parsing Process.

 

Best regards.

0 Kudos
Reply
Highlighted
izik
Level 7
Report Inappropriate Content
Message 3 of 9
‎12-12-2018 06:04 AM

Re: parser field issue

Hi

yes i know that , the logs are insert with syslog , so this is not  a problem

i wrote aprser , but if i add 2 keys to the same field it is write them together , i want to add them sepreatly so i try to click on the PLUS sign next to the field and seprate the keys but  after i checked it still only show the first one.

is it possible ? look at the process_name field

field.PNG

0 Kudos
Reply
Highlighted
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 9
‎12-12-2018 06:17 AM

Re: parser field issue

Hi 

try pressing again on the " + " Icon

insert them in the childrens "Process_name" field

0 Kudos
Reply
Highlighted
izik
Level 7
Report Inappropriate Content
Message 5 of 9
‎12-12-2018 01:09 PM

Re: parser field issue

Hi

i try to do what you suggeset , but after i rolled out the policy it is back to parnet and child by itself

did you manage to configure somthinf like that ?

0 Kudos
Reply
Highlighted
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 9
‎12-13-2018 01:08 AM

Re: parser field issue

Hi,

no, i didn't have a this issue in the past.

but when looking on the Check point Field Assignment (made by McAfee Team)

i see a lot of Parent & children definitens.

mabey try coping the way they did it.. for example i see in "threat name" field 3 children.

so it means it's possible somehow..

 

Best regards.

 

0 Kudos
Reply
Highlighted
izik
Level 7
Report Inappropriate Content
Message 7 of 9
‎12-13-2018 02:24 AM

Re: parser field issue

i take a look at the checkpoint field assigmnet , and you are right they are using parent & child , i take some checkpoint logs and insert in the sample cube to see if they are do what i want and it is seem not , they are not insert 2 different values to the same field , i guess they are using parent and child because there is changes in logs between checkpoint versions

0 Kudos
Reply
Highlighted
mherr
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 9
‎12-16-2018 06:20 PM

Re: parser field issue

Do you want the New Process ID and Creator Process ID to be in the same field?   

 

If so, just put the following in Process_Name

3:1+" "+4:1

You could also do something like the following:

"New: "+3:1+" Creator: "+4:1

 

0 Kudos
Reply
Highlighted
izik
Level 7
Report Inappropriate Content
Message 9 of 9
‎12-17-2018 08:48 AM

Re: parser field issue

@mherr wrote:

Do you want the New Process ID and Creator Process ID to be in the same field?   

 

If so, just put the following in Process_Name

3:1+" "+4:1

You could also do something like the following:

"New: "+3:1+" Creator: "+4:1

 

Hi

I want them to be in the same field but separately, i mean that  for 1 log i will have 2 process_id field in the costum types,

the reason i want it is because in this way i can build a correlation rule that group by this field and than i can check if low privilage process create a high privilage (privilage escaltion)

 

If there is other way i will happy to hear, if it is not explained well, i can write amore detailed explanation 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC