Notable Behaviors

Hello,
I would like to have the Notable Behaviors in my InsightIDR, so I used the Active Directory event source with nxlog to send just events 4771 and 4768, but that didn’t work.
So I have tried to do the same with the Universal Ingress Authentication. I succeeded, but the logs don’t go into Log Search and they are not new Notable Behaviours.
Do you have any idea?
Thanks.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Extension json>
        Module  xm_json
    </Extension>

    <Input in_securitylog>
        Module    im_msvistalog
        # Only Kerberos TGT requests (4768) and pre-authentication failures (4771)
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*[System[EventID=4768 or EventID=4771]]</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            # Flatten the multi-line Windows message into a single line
            $Message = replace($Message, "\t", " ");
            $Message = replace($Message, "\n", " ");
            $Message = replace($Message, "\r", " ");

            $raw_event = $Message;
            # Strip the IPv4-mapped IPv6 prefix Windows puts in front of client addresses
            if $IpAddress =~ /(::ffff:)(\d)/
            {
                $IpAddress = replace($IpAddress, "::ffff:", "");
            }
            # Fields expected by the Universal Ingress Authentication format
            $Version="v1";
            $EventType="INGRESS_AUTHENTICATION";
            $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%S.000Z');

            if $EventID==(4771)
            {
                $authentication_result="FAILURE";
            }
            if $EventID==(4768)
            {
                $authentication_result="SUCCESS";
            }
            $user=$TargetUserName;
            rename_field("EventType", "event_type");
            rename_field("Hostname", "authentication_target");
            rename_field("EventTime", "time");
            rename_field("TargetUserName", "account");
            rename_field("TargetDomainName", "account_domain");
            rename_field("IpAddress", "source_ip");
            rename_field("Version", "version");

            # Drop the remaining Windows fields that are not part of the format
            delete($Message);
            delete($Keywords);
            delete($ProviderGuid);
            delete($Task);
            delete($RecordNumber);
            delete($TargetSid);
            delete($ServiceSid);
            delete($SeverityValue);
            delete($Severity);
            delete($SourceName);
            delete($OpcodeValue);
            delete($ProcessID);
            delete($Channel);
            delete($Category);
            delete($Opcode);
            delete($ServiceName);
            delete($TicketOptions);
            delete($TicketEncryptionType);
            delete($PreAuthType);
            delete($IpPort);
            delete($EventReceivedTime);
            delete($SourceModuleName);
            delete($SourceModuleType);
            delete($ThreadID);
            delete($Status);
            delete($EventID);
        </Exec>
    </Input>

    <Output out_securitylog>
        Module      om_tcp
        # This is the IP address of the InsightIDR Collector
        Host        XXX.XXX.XXX.XXX
        # This is the port configured on the Event Source
        Port        X
        Exec        to_json();
    </Output>

    <Route 1>
        Path        in_securitylog => out_securitylog
    </Route>

What event source type do you currently have configured for this? I recommend Custom Logs -> Rapid7 Custom Logs, which is our event source type for sending any non-attributable data. If it is in JSON format, it will appear parsed in Log Search.

Yes, I used Custom Logs -> Rapid7 Custom Logs, and the logs appeared in Log Search, but I would like to see the authentications in Notable Behaviors, Assets, or Users, and Custom Logs are not used for that.

Ah, I see: https://docs.rapid7.com/insightidr/active-directory/#Events-Monitored

This is the list of event IDs we consider from the Active Directory event source; it is the complete list of event IDs which are used for User Behaviour Analytics. You will notice that, whilst 4768 is listed, 4771 is not.

So you could potentially get this to work by setting up an Active Directory event source and sending these Windows event logs to it. That would be Active Directory -> Listen for syslog, and then point your nxlog at that source. If you also tick "send unfiltered events", it will send any event IDs which do not match our parser to an Unparsed Data logset in Log Search.
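As an added example (not from this thread or from Rapid7's documentation), here is what the approach described above looks like in nxlog: the native Windows events are shipped unmodified to the collector port chosen on the Active Directory -> Listen for syslog event source, rather than being rewritten into the Universal Ingress Authentication format. It reuses the om_tcp + to_json() transport from the config posted earlier in the thread; the Host and Port values are placeholders, and whether 4771 is parsed or ends up in Unparsed Data depends on the event ID list in the linked docs.

```nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

<Input in_securitylog>
    Module  im_msvistalog
    # Same selection as the question: Kerberos TGT requests (4768) and
    # pre-authentication failures (4771) from the Security channel.
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[EventID=4768 or EventID=4771]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Deliberately no Exec block: the Active Directory event source parser
    # works on the native Windows fields (EventID, TargetUserName,
    # IpAddress, ...), so they must not be renamed or deleted here.
</Input>

<Output out_collector>
    Module  om_tcp
    # Placeholders (assumption): InsightIDR Collector address and the port
    # configured on the Active Directory -> Listen for syslog event source.
    Host    COLLECTOR_IP_PLACEHOLDER
    Port    COLLECTOR_PORT_PLACEHOLDER
    # JSON over TCP, as in the config posted above.
    Exec    to_json();
</Output>

<Route ad_events>
    Path    in_securitylog => out_collector
</Route>
```

With "send unfiltered events" ticked on that event source, a quick check is to search the Unparsed Data logset for EventID 4771 records: if they appear there, the transport works and only the parser's event ID list decides whether they feed User Behaviour Analytics.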
