Hello,
I would like to have Notable Behaviors in my InsightIDR, so I used Active Directory with nxlog to forward just events 4771 and 4768, but that didn't work.
So I tried the same with Universal Ingress Authentication; it succeeded, but the logs don't show up in Log Search and no new Notable Behaviors are created.
Do you have any idea?
Thanks.
# Global section: install root and the runtime paths derived from it.
# The first `define` is commented out; only the second one is active, so every
# %ROOT% reference below resolves to the "Program Files (x86)" install directory.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Syslog formatting helpers. Nothing in this configuration calls a syslog
# function (the output serialises with to_json()), so this extension is
# loaded but unused here.
<Extension _syslog>
Module xm_syslog
</Extension>
# Provides to_json(), used by out_securitylog to serialise each event.
<Extension json>
Module xm_json
</Extension>
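# Reads Kerberos authentication events (4768, 4771) from the Windows Security
# log and reshapes each record into the InsightIDR Universal Ingress
# Authentication layout (event_type, version, time, account, account_domain,
# source_ip, authentication_target, authentication_result) before the output
# module serialises it.
<Input in_securitylog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <!-- 4768: Kerberos TGT requested; 4771: Kerberos pre-authentication failed -->
                <Select Path='Security'>*[System[EventID=4768 or EventID=4771]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Flatten the multi-line Windows message so it survives as a single
        # JSON string value, and keep a copy as raw_event.
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
        $raw_event = $Message;

        # Windows reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d);
        # strip the prefix so source_ip is a plain IPv4 address.
        if $IpAddress =~ /(::ffff:)(\d)/
        {
            $IpAddress = replace($IpAddress, "::ffff:", "");
        }

        $Version = "v1";
        $EventType = "INGRESS_AUTHENTICATION";
        # NOTE(review): the literal "Z" asserts UTC, but strftime renders in the
        # host's local time unless the format itself requests UTC — confirm the
        # resulting timestamps are what the collector expects on non-UTC hosts.
        $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%S.000Z');

        # 4771 is only ever written for a failed pre-authentication.
        if $EventID == 4771
        {
            $authentication_result = "FAILURE";
        }
        # 4768 is written for both successful and failed TGT requests; the
        # Kerberos result code is carried in the Status field and only 0x0 is
        # a success. Labelling every 4768 as SUCCESS would count failed
        # requests (e.g. for unknown or disabled accounts) as successful logins.
        # Assumes $Status holds the hex string from the event XML ("0x0") — confirm.
        if $EventID == 4768
        {
            if defined($Status) and $Status != "0x0"
            {
                $authentication_result = "FAILURE";
            }
            else
            {
                $authentication_result = "SUCCESS";
            }
        }
        # Extra copy of the account name; not part of the ingress schema, kept
        # as the original configuration emitted it.
        $user = $TargetUserName;

        # Map nxlog/Windows field names onto the Universal Ingress Authentication schema.
        rename_field("EventType", "event_type");
        rename_field("Hostname", "authentication_target");
        rename_field("EventTime", "time");
        rename_field("TargetUserName", "account");
        rename_field("TargetDomainName", "account_domain");
        rename_field("IpAddress", "source_ip");
        rename_field("Version", "version");

        # Drop the Windows/nxlog fields the ingress schema does not use
        # (Status is read above before it is removed here).
        delete($Message);
        delete($Keywords);
        delete($ProviderGuid);
        delete($Task);
        delete($RecordNumber);
        delete($TargetSid);
        delete($ServiceSid);
        delete($SeverityValue);
        delete($Severity);
        delete($SourceName);
        delete($OpcodeValue);
        delete($ProcessID);
        delete($Channel);
        delete($Category);
        delete($Opcode);
        delete($ServiceName);
        delete($TicketOptions);
        delete($TicketEncryptionType);
        delete($PreAuthType);
        delete($IpPort);
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
        delete($ThreadID);
        delete($Status);
        delete($EventID);
    </Exec>
</Input>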
# Sends each reshaped event as one JSON object over TCP to the InsightIDR
# Collector. om_tcp is plaintext: the records carry account names,
# domains and client IPs, so this link should stay on a trusted network
# segment; nxlog's om_ssl module provides TLS if the collector endpoint
# accepts it — confirm against the event-source settings.
<Output out_securitylog>
Module om_tcp
#This is the IP address of the InsightIDR Collector
Host XXX.XXX.XXX.XXX
#This is the port configured on the Event Source
Port X
Exec to_json();
</Output>
# Single route: everything read by in_securitylog goes to out_securitylog.
<Route 1>
Path in_securitylog=> out_securitylog
</Route>