1 Reply Latest reply on Aug 28, 2017 8:57 AM by ksudki

    "Host" field

    ksudki

      Dear community,

       

      What should be the value of the "host" field used for ?

       

      The reason why I am asking such "basic" question is that:

      1. No document described the mapping the fields, does McAfee have any document explaining it ?

       

      2. For the same event ID 4624 (Windows) ntlm/kerberos/microsoft authentication package the field mapping is changed

      Case 1 - kerberos

      FieldValue
      Host<fqdn(hostname.domain)>
      Source_IP<Datasource IP> or 127.0.0.1
      Destination_IP<Datasource IP>
      Source_User<Hostname$>
      Destination_User<empty>
      Logon_Type3 - Network
      Objectkerberos

       

      Case 2 - Authentication package

      FieldValue
      Host<hostname>
      Source_IP<Client IP>
      Destination_IP<Datasource IP>
      Source_User<username>
      Destination_User<empty>
      Logon_Type3 - Network
      Objectmicrosoft_authentication_package_v1_0

       

      Case 3 - NTLM

      FieldValue
      Host<Client hostname>
      Source_IP<Client IP>
      Destination_IP<Datasource IP>
      Source_User<Client hostname$>
      Destination_User<empty>
      Logon_Type3 - Network
      Objectntlm

       

      * The same applies when using Windows Event Forwarding.

      ** Even between built-in and ASP parser there are some differences with the mapping to the custom fields.

       

      Thank you for your help

        • 1. Re: "Host" field
          ksudki

          Got an answer from McAfee...

           

          They do not know either what it is supposed to be (lol) and admit that the fields is set to different values depending on the log type. (e.g the host field should be set to the datasource name unless it is a connection event were it is populated with the hostname of the client which connected.)

           

          I will eventually log a PER to transform this field into 3 different fields:

          - datasource_host

          - source_host

          - destination_host

           

          But again I doubt it will be pushed to the product...