Netwrix¶
About¶
Detect security threats, prove compliance and increase IT team efficiency with IT audit software from Netwrix
Product Details¶
Vendor URL: Netwrix Auditor
Product Type: OS
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Netwrix - Cyderes Documentation
Log Guide: Netwrix Auditor | Activity Record Elements
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: NETWRIX
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Message.ObjectType | additional.fields["ObjectType"] |
| Message.ObjectType | extensions.auth.auth_details |
| Message.Message | metadata.description |
| NETWRIX | metadata.log_type |
| Message.Action, MonitoringPlan | metadata.product_event_type |
| SourceName | metadata.product_name |
| Netwrix | metadata.vendor_name |
| Message.DataSource | observer.application |
| Hostname | observer.hostname |
| Message.Workstation | principal.hostname |
| Message.Workstation | principal.ip |
| Message.Who | principal.user.userid |
| ALLOW, FAIL | security_result.action |
| Message.Details, Message | security_result.summary |
| Message.Where | target.domain.name |
| Message.What | target.file.full_path |
| Message.What | target.resource.name |
| DATABASE | target.resource.resource_type |
| Message.What | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Default | GENERIC_EVENT |
| File, Folder | FILE_UNCATEGORIZED |
| Logon | USER_LOGIN |
| Logoff | USER_LOGOUT |
| User | USER_UNCATEGORIZED |
Log Sample¶
{"EventTime":"2023-12-17 11:35:19","Hostname":"Netwrix.domain.com","Keywords":00000,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":517,"SourceName":"Netwrix_Auditor_Alerts","Task":1,"RecordNumber":00000,"ProcessID":0,"ThreadID":0,"Channel":"Netwrix_Auditor_Alerts","Message":"DataSource : Active Directory\nAction : Modified\nMessage: Modified user\nWhere : dc_hostname.domain.com\nObjectType : user\nWho : johndoe\nWhat : \\group_name\nWhen : 12/17/2023 11:30:52 AM\nWorkstation : hostname01\nDetails : User Account Locked Out","Opcode":"Info","EventReceivedTime":"2023-12-17 11:35:21"}
Sample Parsing¶
metadata.event_timestamp.seconds = "2023-12-17T16:35:40.580976Z"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "NETWRIX"
metadata.product_name = "Netwrix Auditor Alerts"
metadata.vendor_name = "Netwrix"
observer.hostname = "Netwrix.domain.com"
principal.hostname: "hostname01"
principal.user.userid: "johndoe"
principal.user.group_identifiers: "\\group_name"
security_result.action = "ALLOW"
security_result.action_details = "Modified"
security_result.summary = "User Account Locked Out"
target.domain.name: "dc_hostname.domain.com"
Rules¶
Coming Soon