Please help me parse this message

I am trying to work on Windows Logon Event Failures and have a message I need to break up into fields but I’m stumped as how to do so. I am not sure if I need to build a pipeline or an extractor. I do know that I’ll eventually need to be able to use the fields I’m creating with a lookup table to convert the hex into a description, if that plays into how to do this.

I’m a complete newb and I really appreciate any help you could give.

[attached image: evID_4771_msg]

I know I answered you individually but posting here so others searching can find it:

This is related to a previous post here.

Not all codes are in the tables on that post - specifically not 0xE so:

All the codes including 0xE are here.

Pipeline code to use tables for Kerberos TGT event 4771 (and 4820). NOTE: this builds fields for the potential/eventual e-mail notification.

rule "AP3-WinSec-BadPw-Kerberos"
when
    to_string($message.winlogbeat_event_id) == "4771" ||
    to_string($message.winlogbeat_event_id) == "4820"
then
    // Build Alert structures
    // Create subject of (e-mail) alert
    let requestingIP = replace(to_string($message.winlogbeat_event_data_IpAddress),"::ffff:");
    let requestingName = lookup_value("THE_DNS_table", to_string(requestingIP));
    set_field("THE_requestingName", requestingName);  //so we can make quick values
    let subject_0 = concat("-G| Kerb-FAIL: ", to_string($message.winlogbeat_event_data_TargetUserName));
    let subject_1 = concat(subject_0, " connecting from ");
    let subject_fin = concat(subject_1, to_string(requestingName));
    set_field("cmg_subject", subject_fin);
    //
    // create detail of (e-mail) alert
    let LogonTypeResult = "TGT";
    let LogonTypeErr    = lookup_value("WinLogonErr" ,to_string($message.winlogbeat_event_data_Status), 0);
    let build_mess_0    = concat("Failed Password Attempt - ",  to_string($message.winlogbeat_event_data_TargetUserName));
    let build_mess_1    = concat(build_mess_0, " attempting a log in from ");
    let build_mess_2    = concat(build_mess_1, requestingIP);
    let build_mess_3    = concat(build_mess_2, " ");
    let build_mess_4    = concat(build_mess_3, to_string(requestingName));
    let build_mess_5    = concat(build_mess_4, " Logon Type: ");
    let build_mess_6    = concat(build_mess_5, to_string(LogonTypeResult));
    let build_mess_7    = concat(build_mess_6, ". Attempt registered on: ");
    let build_mess_8    = concat(build_mess_7, to_string($message.winlogbeat_host_name));
    let build_mess_9    = concat(build_mess_8, ".  ERROR: ");
    let build_mess_fin  = concat(build_mess_9, to_string(LogonTypeErr));
    set_field("cmg_body", build_mess_fin);
    route_to_stream("S5-IncidentReporting");
end

This would just build an alert email based on the pipeline though, not create the fields in the individual message when it’s stored to a string? Or is that what your let build statements are doing?

I apologize, just very new to this.

The “let build_mess…” are for eventually creating the “cmg_body” field that contains all the results of those concatenations and can be used in the body of my e-mail to explain what is going on.

The meat of what you were asking about is this:

let LogonTypeErr    = lookup_value("WinLogonErr" ,to_string($message.winlogbeat_event_data_Status), 0);

This uses the previously created WinLogonErr table to find whatever the contents of $message.winlogbeat_event_data_Status should equal. In your case it was 0xE that you wanted to know the real meaning of, and (assuming you have added all the TGT errors into the WinLogonErr table you built) it would return “KDC has no support for encryption type” into the variable LogonTypeErr, which you could then set into a field called “snazzy_field_name_here” in the following line:

set_field("snazzy_field_name_here", LogonTypeErr);

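As an added illustration (not the poster's pipeline, and written in Python rather than Graylog's rule language so it can be run locally), here is the enrichment both replies describe: strip the `::ffff:` IPv4-mapped prefix from the client address, look the Status code up in a two-column key/value table like WinLogonErr, and set the derived fields on the message, including a fallback when the code is missing from the table (the rule above returns its default of 0 in that case). The table rows, DNS mapping and sample event are constructed; the error descriptions are the standard Kerberos error names used in the 4771 documentation, and the list is deliberately partial.

```python
"""Emulate the 4771 enrichment rule: IP cleanup, Status lookup, derived fields.
Added example with constructed data; not the poster's pipeline or Graylog code."""
import csv
import io

# Constructed key,value CSV in the shape a two-column lookup table takes.
# 0xE is the code the original poster asked about.
WINLOGON_ERR_CSV = """\
key,value
0x6,Client not found in Kerberos database
0x7,Server not found in Kerberos database
0xc,KDC policy rejects request
0xe,KDC has no support for encryption type
0x12,Client's credentials have been revoked
0x17,Password has expired
0x18,Pre-authentication information was invalid
0x1f,Integrity check on decrypted field failed
0x25,Clock skew too great
"""


def load_lookup_table(csv_text: str) -> dict:
    """Parse key,value rows into a dict; keys are lowercased so 0xE and 0xe match."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["key"].strip().lower(): row["value"].strip() for row in reader}


WINLOGON_ERR = load_lookup_table(WINLOGON_ERR_CSV)


def lookup_value(table: dict, key, default):
    """Mirror of the rule's lookup_value(table, key, default): default when absent."""
    return table.get(str(key).strip().lower(), default)


def strip_ipv4_mapped(addr: str) -> str:
    """Winlogbeat reports IPv4 clients as '::ffff:10.0.0.5'; keep the IPv4 part."""
    return addr.replace("::ffff:", "")


def enrich_4771(event: dict, dns_table: dict) -> dict:
    """Set the same fields the rule sets; unknown codes get an explicit marker."""
    if str(event.get("winlogbeat_event_id")) not in ("4771", "4820"):
        return event  # rule condition not met: message left untouched
    ip = strip_ipv4_mapped(str(event.get("winlogbeat_event_data_IpAddress", "")))
    name = lookup_value(dns_table, ip, ip)  # fall back to the bare IP
    status = str(event.get("winlogbeat_event_data_Status", ""))
    err = lookup_value(WINLOGON_ERR, status, 0)
    user = event.get("winlogbeat_event_data_TargetUserName", "")
    host = event.get("winlogbeat_host_name", "")
    reason = err if err != 0 else f"unknown status {status}"

    event["THE_requestingName"] = name
    event["kerberos_failure_code"] = status.lower()
    event["kerberos_failure_reason"] = reason  # the "snazzy_field_name_here" field
    event["cmg_subject"] = f"-G| Kerb-FAIL: {user} connecting from {name}"
    event["cmg_body"] = (
        f"Failed Password Attempt - {user} attempting a log in from {ip} {name}"
        f" Logon Type: TGT. Attempt registered on: {host}.  ERROR: {reason}"
    )
    return event


# Constructed winlogbeat-style 4771 event and DNS table for a local run.
SAMPLE_EVENT = {
    "winlogbeat_event_id": 4771,
    "winlogbeat_event_data_IpAddress": "::ffff:10.1.2.3",
    "winlogbeat_event_data_Status": "0xE",
    "winlogbeat_event_data_TargetUserName": "jdoe",
    "winlogbeat_host_name": "DC01",
}
SAMPLE_DNS = {"10.1.2.3": "ws-jdoe"}

if __name__ == "__main__":
    for k, v in enrich_4771(dict(SAMPLE_EVENT), SAMPLE_DNS).items():
        print(f"{k}: {v}")
```

The only behavioural difference from the rule is the explicit `unknown status …` text instead of a bare 0 for codes that are not in the table; in practice that is what you want to see in the alert when a new failure code appears, rather than a misleading zero.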
