7 Replies Latest reply on May 13, 2015 6:52 AM by jp87

    Windows Event ID 4728

    jp87

      Hi,

I'm facing an issue when we are parsing Event ID 4728.

The Event ID 4728 event:

      A member was added to a security-enabled global group.

      Subject:

         Security ID:  ACME\Administrator
         Account Name:  Administrator
         Account Domain:  ACME
         Logon ID:  0x27a79

      Member:

         Security ID:  ACME\gkhan
         Account Name:  cn=Ghenghis Khan,CN=Users,DC=acme,DC=local

      Group:

         Security ID:  S-1-5-21-3108364787-189202583-342365621-1108
         Group Name:  Historical Figures
         Group Domain:  ACME

      Additional Information:

         Privileges:  -

The problem I have is that Destination Username is getting parsed from the CN= value, so in this case:

Destination User: Ghenghis Khan

I would like to have:

Destination User: gkhan (without the domain)

       

All tips to get this fixed would be appreciated!

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
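
Added example (not from the original post or the SIEM product): a small parser for the rendered 4728 message body shown above. It derives Destination User from the Member Security ID (DOMAIN\user, stripped to the logon name) when Windows has resolved the SID, and only falls back to the CN of the distinguished name otherwise, which is what the stock parser in the question does. The section and field layout it assumes is the one in the quoted event.

```python
import re

# Constructed sample: the rendered 4728 message body from the question above.
SAMPLE_4728 = r"""A member was added to a security-enabled global group.
Subject:
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79
Member:
   Security ID:  ACME\gkhan
   Account Name:  cn=Ghenghis Khan,CN=Users,DC=acme,DC=local
Group:
   Security ID:  S-1-5-21-3108364787-189202583-342365621-1108
   Group Name:  Historical Figures
   Group Domain:  ACME
"""

SECTION_RE = re.compile(r"^(\w[\w ]*):\s*$")        # unindented "Subject:", "Member:", ...
FIELD_RE = re.compile(r"^\s+([^:]+):\s+(.*\S)\s*$")  # indented "Security ID:  ACME\gkhan"


def parse_rendered_event(text):
    """Split the rendered event body into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = m.group(2)
    return sections


def first_rdn_value(dn):
    """Leading RDN value of an LDAP DN, honouring backslash-escaped commas (RFC 4514)."""
    value = dn.split("=", 1)[1] if "=" in dn else dn
    raw = re.match(r"((?:\\.|[^,])*)", value).group(1)
    return raw.replace("\\,", ",").strip()


def destination_user(sections):
    """Logon name from a resolved Member Security ID (DOMAIN\\user); CN fallback otherwise."""
    member = sections.get("Member", {})
    sid = member.get("Security ID", "")
    if "\\" in sid and not sid.startswith("S-1-"):
        return sid.split("\\", 1)[1]  # "ACME\gkhan" -> "gkhan"
    return first_rdn_value(member.get("Account Name", ""))
```

If the SID was not resolved (the Security ID line is a raw S-1-5-... value), the fallback returns the CN, so the field value tells you which path was taken.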

        • 1. Re: Windows Event ID 4728
          xded

Hi jp87,

The only way I know of is to set up a PER with McAfee.

          • 2. Re: Windows Event ID 4728
            jp87

Alright, thanks for your reply.

Do you have these events in your SIEM instance and can you verify whether you see the same parsing?

            • 3. Re: Windows Event ID 4728
              xded

I have the same view.

You can change this with data enrichment from Active Directory name to logon name. This link describes a different enrichment, but you can change it, I think.

              SIEM Foundations: Implement Enrichment to Pull in Full User Name From AD

              • 4. Re: Windows Event ID 4728
                ioconflict

I have a network where we have Windows logs being sent via an event collector over syslog. I wrote custom ASP rules for the various Event IDs. If you can get a copy of the raw XML to parse out, this regex should do the trick:

<EventID>(4728)<\WEventID>[\s\S]+<TimeCreated SystemTime='(\S+)'\W>[\s\S]+<Computer>(\S+)<\WComputer>[\w\S]+<EventData><Data Name='MemberName'>(\S+)\s(\S+).*<Data Name='TargetUserName'>(.*)<\WData><Data Name='TargetDomainName'>[\s\S]+<Data Name='SubjectUserName'>(\S+)<\WData>

I know it's ugly, but it works.

A couple of notes here:

1. If you get a raw Windows event XML, all single quotes need to be double quotes (syslog turns them single, from everything I have been working with).

2. Make sure to set a content string for the Event ID (if you don't, your receiver could come to a grinding halt if you have to do more).

3. Order your ASP rules based on the number of events you're getting (a lot: top of the list; not so much: bottom).
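
Added example (my code, not the regex or rules from the reply above): the same fields the regex captures, pulled out of a forwarded 4728 XML event with a real XML parser. Because XML accepts both quote styles for attributes, the single-versus-double-quote issue in note 1 disappears, and the cheap EventID pre-check plays the role of the content string in note 2. The namespace is the standard Windows event schema; the sample event and its values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a 4728 event as it arrives over syslog, attribute quotes already
# turned into single quotes. Field names are the standard 4728 EventData names;
# the host, timestamp and member SID are made up.
SAMPLE_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4728</EventID>
<TimeCreated SystemTime='2015-05-13T06:52:00.000000000Z'/><Computer>dc01.acme.local</Computer></System>
<EventData><Data Name='MemberName'>cn=Ghenghis Khan,CN=Users,DC=acme,DC=local</Data>
<Data Name='MemberSid'>S-1-5-21-3108364787-189202583-342365621-1109</Data>
<Data Name='TargetUserName'>Historical Figures</Data><Data Name='TargetDomainName'>ACME</Data>
<Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ACME</Data>
</EventData></Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_group_change(xml_text, wanted_ids=("4728",)):
    """Return the fields of a group-membership event, or None if the EventID is not wanted."""
    # Cheap substring pre-filter before any XML work, like the content string in note 2.
    if not any(f"<EventID>{i}</EventID>" in xml_text for i in wanted_ids):
        return None
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": system.findtext("e:EventID", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "member_dn": data.get("MemberName"),
        # Raw XML carries only the member's SID; the "ACME\gkhan" seen in Event Viewer
        # is produced by SID resolution at display time, so a logon name needs a lookup.
        "member_sid": data.get("MemberSid"),
        "group": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
        "subject": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
    }
```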

                • 5. Re: Windows Event ID 4728
                  andy777

That's an interesting workaround, since the Windows parsing rules aren't natively available for editing. Do you mind sharing which syslog agent you're using? Thanks.

Andy

                  • 6. Re: Windows Event ID 4728
                    ioconflict

The reason for this workaround is that the storage is being done on a syslog server. They did not go with an ELM. I believe it is generic syslog, which is the default for a UNIX data source. They are using the Windows Event Collector to forward from the host. The SIEM is being pointed to the collector to receive the information. We also have machines using WMI, but for the majority of systems it's via the collector.

                    • 7. Re: Windows Event ID 4728
                      jp87

Hi all,

Thanks for your comments. I opened a service request with McAfee support and just got this reply:

"The current product does not support your requirement. Please submit a PER (Product Enhancement Request) to get it added in upcoming versions. Alternatively, you can write a custom parser to fulfil your requirement. Unfortunately, custom parsers are out of scope of support, and if you need any help in that area, please engage professional services.

Below is the procedure to submit a PER:

https://kc.mcafee.com/corporate/index?page=content&id=KB60021&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

Thank you for your understanding.

Kind regards,

McAfee"