The only way I know is to set up a PER with McAfee.
Alright, thanks for your reply.
Do you have these events in your SIEM instance and can verify if you see the same parsing?
I have the same view.
You can change this by data enrichment from Active Directory Name to logon Name. This link describes another enrichment, but you can change it, I think.
I have a network where we have Windows logs being sent via an event collector over syslog. I wrote custom ASP rules for the various Event IDs. If you can get a copy of the raw XML to parse out, this regex should do the trick.
<EventID>(4728)<\WEventID>[\s\S]+<TimeCreated SystemTime='(\S+)'\W>[\s\S]+<Computer>(\S+)<\WComputer>[\w\S]+<EventData><Data Name='MemberName'>(\S+)\s(\S+).*<Data Name='TargetUserName'>(.*)<\WData><Data Name='TargetDomainName'>[\s\S]+<Data Name='SubjectUserName'>(\S+)<\WData>
I know it's ugly, but it works.
Couple of notes here....
1. If you get a raw Windows event XML, all single quotes need to be double quotes (syslog turns them single from everything I have been working with).
2. Make sure to set a content string for the Event ID (if you don't, your receiver could come to a grinding halt if you have to do more).
3. Order your ASP rules based upon the amount of events you're getting (a lot: top of the list; not so much: bottom).
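As an added example, not from this thread or from McAfee's ASP rules, here is the same 4728 field extraction done with a namespace-aware XML parser instead of a regex, which accepts both the single-quoted collector output and the double-quoted raw Windows XML. The sample event, the sensitive-group watch list and the inclusion of the sibling group-add events 4732 and 4756 are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Windows Security event 4728 (member added to a
# security-enabled global group) as a syslog relay might deliver it, with
# single-quoted attributes. All names and values are made up.
SAMPLE_4728 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4728</EventID>"
    "<TimeCreated SystemTime='2024-01-15T10:22:31.000000000Z'/>"
    "<Computer>dc01.example.local</Computer></System>"
    "<EventData>"
    "<Data Name='MemberName'>CN=Jane Doe,OU=Staff,DC=example,DC=local</Data>"
    "<Data Name='TargetUserName'>Domain Admins</Data>"
    "<Data Name='TargetDomainName'>EXAMPLE</Data>"
    "<Data Name='SubjectUserName'>admin.jdoe</Data>"
    "</EventData></Event>"
)

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Group-membership additions worth a rule: 4728 global, 4732 local, 4756 universal.
GROUP_ADD_IDS = {"4728", "4732", "4756"}
# Assumed watch list of sensitive groups; adjust to the environment.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_group_add(raw_xml):
    """Return the fields a SIEM rule would map, or None if not a group-add event.

    ElementTree accepts both single- and double-quoted attributes, so the
    same parser works on collector output and on raw Windows XML.
    """
    root = ET.fromstring(raw_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id not in GROUP_ADD_IDS:
        return None
    fields = {
        "event_id": event_id,
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    # Pull every <Data Name=...> element into the dict keyed by its Name.
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    # Keep the member DN whole and derive the CN instead of splitting on whitespace.
    cn = fields.get("MemberName", "").split(",")[0]
    fields["member_cn"] = cn[3:] if cn.startswith("CN=") else cn
    fields["sensitive"] = fields.get("TargetUserName") in SENSITIVE_GROUPS
    return fields


if __name__ == "__main__":
    print(parse_group_add(SAMPLE_4728))
```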
That's an interesting workaround since the Windows parsing rules aren't natively available for editing. Do you mind sharing which syslog agent you're using? Thanks.
The reason for this workaround is because the storage is being done on a syslog server. They did not go with an ELM. I believe it is generic syslog, which is the default for a UNIX data source. They are using the Windows Event Collector to forward from the host. The SIEM is being pointed to the collector to receive the information. We also have machines using WMI, but for the majority of systems it's via the collector.
Thanks for your comments. I opened a service request to McAfee support and just got this reply:
"The current product does not support your requirement. Please submit a PER (Product Enhancement Request) to get it added in upcoming versions. Alternatively, you can write a custom parser to fulfil your requirement. Unfortunately, custom parsers are out of scope of support, and if you need any help in that area, please engage professional services.
Below is the procedure to submit a PER
Thank you for your understanding."