4 Replies Latest reply on Nov 6, 2015 1:27 AM by Peter Näslund

    Tagging ePO on Windows Object Audit Alarm

    Peter Näslund

      I have set up an alarm that works fine.

      I now want to tag the IP-address of the computer causing the alarm, with ePO.

      The only available options are:

        - IP Address

        - Source IP Address

        - Destination IP Address


      The windows object audit event has populated the following fields:

          Signature-ID: 43-21100560

          Source IP: <IP-address of the fileserver>

          Destination IP: ::

          IP Address: <Does not Work. Do not know if it has a value at all>

          Source User: <IP-address of the computer causing the alarm>


      How do you tag the "Source User" field with ePO?


      \Peter

        • 1. Re: Tagging ePO on Windows Object Audit Alarm
          rorik.koster

          Hi Peter,


          It sounds to me like you'll need to modify the parsing rule (or add a new parsing rule for this event log) to map the currently matched field of "Source User" to its appropriate field of "Source IP", and while you're there map the currently matched field of "Source IP" to its appropriate field of "Destination IP".


          Best Regards,

          Rorik

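The remapping Rorik describes, written out as an added example in plain Python (this is not ESM/ASP rule syntax, and not code from the thread): an event whose "Source User" field actually holds an IP address gets that address moved into "Source IP", the old "Source IP" (the file server) moved into "Destination IP", and the address copied into "IP Address" so any of the three tag options the alarm offers would hit the right host. The field names are the ones listed in the original post; the IP values in the sample event are constructed placeholders, and the function names are this example's own.

```python
import ipaddress
from typing import Optional

# Constructed sample event with the field layout the original post describes
# for the Windows object-audit event (Signature-ID 43-21100560).
# The addresses are placeholders invented for this example.
SAMPLE_EVENT = {
    "Signature-ID": "43-21100560",
    "Source IP": "10.0.0.5",      # in the original layout: the file server
    "Destination IP": "::",       # unspecified address, carries no host
    "IP Address": "",             # empty, which is why tagging on it fails
    "Source User": "10.0.0.77",   # in the original layout: the client that triggered the alarm
}

TAG_FIELDS = ("IP Address", "Source IP", "Destination IP")  # the alarm's tag options


def parse_ip(value) -> Optional[ipaddress._BaseAddress]:
    """Return an IPv4/IPv6 address object if value parses as one, else None."""
    try:
        return ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None


def tag_target(event: dict, field: str) -> Optional[str]:
    """Address an ePO tag action on `field` would receive, or None if the field
    is empty, not an IP, or an unspecified address such as '::' / '0.0.0.0'."""
    if field not in TAG_FIELDS:
        raise ValueError(f"{field!r} is not one of the alarm's tag options")
    ip = parse_ip(event.get(field, ""))
    if ip is None or ip.is_unspecified:
        return None
    return str(ip)


def remap_object_audit_fields(event: dict) -> dict:
    """Re-home the fields as suggested in reply 1:
         Source User (when it holds an IP) -> Source IP (and IP Address)
         old Source IP                     -> Destination IP
    Events whose Source User is a real account name are returned unchanged."""
    client_ip = parse_ip(event.get("Source User", ""))
    if client_ip is None:
        return dict(event)            # a genuine username; nothing to remap
    fixed = dict(event)
    fixed["Destination IP"] = event.get("Source IP", "")
    fixed["Source IP"] = str(client_ip)
    fixed["IP Address"] = str(client_ip)
    fixed["Source User"] = ""         # the value was never a user; clear it
    return fixed


if __name__ == "__main__":
    for f in TAG_FIELDS:
        print(f"before remap, tag on {f!r:18} -> {tag_target(SAMPLE_EVENT, f)}")
    fixed = remap_object_audit_fields(SAMPLE_EVENT)
    for f in TAG_FIELDS:
        print(f"after  remap, tag on {f!r:18} -> {tag_target(fixed, f)}")
```

Running it shows the failure mode from the original post first (tagging "IP Address" yields nothing, "Source IP" yields the file server, "Destination IP" yields nothing because "::" is unspecified) and then the corrected layout, where all three options resolve to the client. The same check on `Source User` is what a custom ASP rule's match condition needs to express so that only these object-audit events are re-parsed.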
          • 2. Re: Tagging ePO on Windows Object Audit Alarm
            Peter Näslund

             I'm familiar with doing it with the Advanced Syslog Parser, but how do you do it with Windows events?

            • 3. Re: Tagging ePO on Windows Object Audit Alarm
              rorik.koster

              Hi Peter,


              Excellent news that you have experience with ASP already.  I believe that all you would need to do is create a new "Custom Windows Event ASP Rule" and assign the rule to "Rule Assignment Type: Windows Event Log - WMI":

               [Screenshot: New_ASP_Windows.PNG]


               This, of course, assumes that your data sources are set up to use the model "Windows Event Log - WMI":

               [Screenshot: Windows_Data_Source.PNG]


               The ASP rule should be evaluated before the Windows Data Source rules. If you add the appropriate content match string in the parser (to match a particular security event log ID from a Windows device), then only those messages that you need to parse differently would match the rule and subsequently get parsed using your new rule, while other event log messages would get parsed with the Windows Data Source rules. I could not find a way to re-order ASP rules that are applied to "Windows Event Log - WMI", but you may not have to re-order them at all if ASP takes precedence over Data Source rules.


              Hope that's helpful or gets you headed in the right direction.


              Best Regards,

              Rorik

              • 4. Re: Tagging ePO on Windows Object Audit Alarm
                Peter Näslund

                 I have created an ASP rule, and the Windows event packet detail maps perfectly, but no event is created.


                 When I browse down to the "Windows Eventlog - WMI" Data Source, I don't see ASP in rule types: