If you could make a pull request we can take a look at it together. Be careful when posting test data, though. Make sure your security team looks at it first. Ideally we'd need a few sources of AD logs to make sure that the parser is generic enough.
05.10.2016, 07:29, "[email protected]" <[email protected]>:
> How are you currently getting the logs to the parser? Are you adding any
> additional fields?
>
> We use NXLog to send Windows logs as syslog and we do some minor transforms
> in order to clean it up, such as substituting tabs with spaces and adding
> the event ID at the end (which isn't there by default). I should be able
> to provide some cleaned samples from my environment.
>
> Jon
>
> On Wed, Oct 5, 2016 at 10:17 AM Tseytlin, Keren <[email protected]> wrote:
>
>> Cool. I can work on it in my spare time. Additional log files would be
>> incredibly useful, or else this parser will be very specific to our use
>> case – which is unlikely to be particularly useful to the larger population.
>>
>> Keren
>>
>> On 10/5/16, 9:53 AM, "Nick Allen" <[email protected]> wrote:
>>
>> That would be great, Keren. Let us know what you need to make that happen.
>>
>> I think it would also be useful if we could get anonymized test data from
>> multiple organizations using Active Directory. That will help us ensure
>> that the AD parser is broadly useful and not specific to one organization's
>> AD installation. If anyone else has AD logs that they could anonymize and
>> contribute, please chime in!
>>
>> On Wed, Oct 5, 2016 at 9:39 AM, Tseytlin, Keren <[email protected]> wrote:
>>
>> > Hi All,
>> >
>> > We have an Active Directory parser that is currently in production. We
>> > would be happy to contribute it and work with whoever to make it generic ☺
>> >
>> > Best,
>> > Keren
>> >
>> > On 10/3/16, 5:58 PM, "[email protected]" <[email protected]> wrote:
>> >
>> > +1 in need of. No current effort because it is not our primary kerb realm,
>> > but we could use it.
>> >
>> > On Mon, Oct 3, 2016, 17:18 James Sirota <[email protected]> wrote:
>> >
>> > > I've seen traffic come through about multiple efforts for writing the AD
>> > > parser for Metron. I'd like to consolidate these efforts so that we can
>> > > come up with a generic parser that is suitable for everyone's needs and
>> > > that we don't duplicate effort. Please post to this thread if you are
>> > > working on or are in need of the AD parser. We can then throw a working
>> > > group together and get the parser written and tested with everyone's
>> > > telemetry. Also, please indicate if you are able to provide sample
>> > > (anonymized) logs. If you are getting these logs from your corporate
>> > > environment please check with your security office first prior to
>> > > posting them.
>> > >
>> > > -------------------
>> > > Thank you,
>> > >
>> > > James Sirota
>> > > PPMC- Apache Metron (Incubating)
>> > > jsirota AT apache DOT org
>> > >
>> > --
>> >
>> > Jon
>> >
>> > ________________________________________________________
>> >
>> > The information contained in this e-mail is confidential and/or
>> > proprietary to Capital One and/or its affiliates and may only be used
>> > solely in performance of work or services for Capital One. The information
>> > transmitted herewith is intended only for use by the individual or entity
>> > to which it is addressed. If the reader of this message is not the intended
>> > recipient, you are hereby notified that any review, retransmission,
>> > dissemination, distribution, copying or other use of, or taking of any
>> > action in reliance upon this information is strictly prohibited. If you
>> > have received this communication in error, please contact the sender and
>> > delete the material from your computer.
>> >
>> --
>> Nick Allen <[email protected]>
>>
> --
>
> Jon

-------------------
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org
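An added example, not code from the Metron project or from anyone in this thread, of the two things the thread asks contributors to do before posting AD telemetry: the cleanup Jon describes (tabs to spaces, event ID appended at the end) and the anonymization Nick and James ask for. Identifying values (syslog host, account and domain names, workstation names, SIDs, IPv4 addresses) are replaced with keyed-hash pseudonyms, so the same principal maps to the same pseudonym across lines while the originals cannot be recovered without the key. The field names, the syslog header shape, the sample lines and the key are all assumptions made for this example; the sample lines are constructed and are not real NXLog output.

```python
"""
Added example (not Metron code): clean up and pseudonymize syslog-forwarded
Windows Security event lines so they can be shared as parser test data.
Field names, header layout, sample lines and key are assumptions.
"""
import hashlib
import hmac
import re

# Constructed sample lines (not real NXLog output): two events from the same
# host about the same account, tab-separated as Jon describes.
SAMPLE_LINES = [
    "Oct  5 09:39:01 DC01 Microsoft-Windows-Security-Auditing: EventID=4624\t"
    "AccountName=jsmith\tAccountDomain=CORP\tWorkstationName=WS-1042\t"
    "IpAddress=10.1.2.3\tSid=S-1-5-21-1111111111-2222222222-3333333333-1105\t"
    "LogonType=3",
    "Oct  5 09:40:17 DC01 Microsoft-Windows-Security-Auditing: EventID=4634\t"
    "AccountName=jsmith\tAccountDomain=CORP\tWorkstationName=DC01\t"
    "IpAddress=-\tLogonType=3",
]

# Assumed key=value field names, each mapped to the kind of identity it holds
# so one principal gets one pseudonym whichever field it appears in.
IDENT_FIELDS = {
    "AccountName": "user", "TargetUserName": "user", "SubjectUserName": "user",
    "AccountDomain": "dom", "TargetDomainName": "dom",
    "WorkstationName": "host",
}
SYSLOG_HEADER_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ")
KV_RE = re.compile(r"\b(%s)=(\S+)" % "|".join(IDENT_FIELDS))
SID_RE = re.compile(r"\bS-1-5-21-(\d+-\d+-\d+)-(\d+)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EVENT_ID_RE = re.compile(r"\bEventID=(\d+)\b")
KEEP_AS_IS = {"-", "SYSTEM"}  # placeholders that carry no identity


def _digest(value, key):
    # Keyed hash: consistent under one key, unrecoverable without it.
    # AD names are case-insensitive, so fold case before hashing.
    return hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256).digest()


def pseudonym(value, key, kind):
    if value in KEEP_AS_IS:
        return value
    return "%s_%s" % (kind, _digest(value, key)[:4].hex())


def pseudo_ip(ip, key):
    # Keep the value shaped like an IPv4 address so parser tests still see one.
    if ip.startswith("127."):
        return ip
    d = _digest(ip, key)
    return "10.%d.%d.%d" % (d[0], d[1], d[2])


def pseudo_sid(match, key):
    # Hash the domain part on its own so SIDs from one domain stay related.
    # Well-known RIDs (< 1000, e.g. 500 = Administrator) are structural rather
    # than identifying and are kept; other RIDs are hashed.
    domain, rid = match.group(1), int(match.group(2))
    d = _digest(domain, key)
    subauths = "-".join(str(int.from_bytes(d[i:i + 4], "big")) for i in (0, 4, 8))
    if rid >= 1000:
        rid = 1000 + int.from_bytes(_digest(match.group(0), key)[:4], "big") % 1000000
    return "S-1-5-21-%s-%d" % (subauths, rid)


def normalize(line):
    # Jon's first transform: tabs to spaces (runs of blanks collapsed too).
    return re.sub(r"[ \t]+", " ", line).strip()


def append_event_id(line):
    # Jon's second transform: repeat the event ID at the end of the line.
    m = EVENT_ID_RE.search(line)
    return line if m is None else "%s %s" % (line, m.group(1))


def anonymize(line, key):
    line = normalize(line)
    line = SYSLOG_HEADER_RE.sub(
        lambda m: "%s %s " % (m.group(1), pseudonym(m.group(2), key, "host")), line, count=1)
    line = KV_RE.sub(
        lambda m: "%s=%s" % (m.group(1), pseudonym(m.group(2), key, IDENT_FIELDS[m.group(1)])), line)
    line = SID_RE.sub(lambda m: pseudo_sid(m, key), line)
    line = IPV4_RE.sub(lambda m: pseudo_ip(m.group(0), key), line)
    return append_event_id(line)


def kv_fields(line):
    # Minimal key=value extraction, enough to check what the parser would see.
    return dict(re.findall(r"(\w+)=(\S+)", line))


if __name__ == "__main__":
    key = b"rotate-me-before-use"  # assumed; never ship it with the data
    for raw in SAMPLE_LINES:
        print(anonymize(raw, key))
```

The key is what separates pseudonymization from plain hashing: without it, anyone with a list of likely usernames could hash them and match the output. Generate a fresh key per contribution, keep it out of the shared data, and still have the security office review the result, since free-text fields (process names, share paths, group names) are not covered by these patterns.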
