ICDx

  • 1.  Missing MD5 hash value from file integrity monitoring when event comes through Broadcom ICDx

    Posted Jun 30, 2020 10:16 AM
    We used to use a file monitor utility called Rsyslog to monitor the DCS log files written locally. These log files would contain an MD5 hash value. Now when the same log comes through DCS and ICDx pulls the event from the SQL database, there are no more MD5 hash values for the same types of events. Here are some sample logs from the file monitor and then from ICDx. We are forwarding events from the ICDx server to an Rsyslog server (syslog) and then to a Splunk instance.

    The events from the file monitor:

    Jun 12 11:28:26 xxx.xxx.xxx.xxx FileMonitor RealSource:"domain controller" Event ID:     DRGW,476269,2020-06-12 11:27:39.000 Z-0000,W,59,R,9625db194b07e6221b7ca0be9c25f26e,REG_CrashOnAuditFail,CrashOnAuditFail_Changed,,NT AUTHORITY\SYSTEM,,C:\Windows\system32\svchost.exe,860,S,\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\CrashOnAuditFail,SET VALUE,,

    The events as forwarded by ICDx:

    {"device_os_type_id":100,"user_name":"NT AUTHORITY\\SYSTEM","timezone":0,"product_data":{"operation":"SET VALUE","system_state":"R"},"type":"DRGW","seq_num":476269,"uuid":"b0c66130-ac9f-11ea-c000-000000168008","ref_uid":106149235,"product_ver":"6.6.0.772","device_name":"domain controller","collector_device_ip":"xxx.xxx.xxx.xxx","status_id":1,"category_id":5,"id":2,"product_uid":"1F4A6425-878A-482C-9F4D-F6BC49DED2CA","device_time":1591961259000,"policy":{"name":"Domain_Controller_Detection","uid":31,"state_ids":[5],"rule_uid":"REG_CrashOnAuditFail","rule_name":"CrashOnAuditFail_Changed"},"remediated":false,"log_name":"dedicated/DCS_Logs/601f16c0-8984-11ea-d43b-000000000001","device_os_ver":"Server 2012 R2","type_id":8006,"logging_device_post_time":1591961261917,"version":"1.0","product_name":"Symantec Data Center Security","collector_device_name":"icdx server name","log_time":1591961245379,"device_ip":"xxx.xxx.xxx.xxx","actor":{"pid":860,"file":{"name":"svchost.exe","path":"C:\\Windows\\system32\\svchost.exe","folder":"C:\\Windows\\system32"}},"device_uid":1572,"collector_uid":"601f16c0-8984-11ea-d43b-000000000001","event_id":8006002,"reg_value_result":{},"collector_name":"NBN-DCS","severity_id":3,"device_alias_name":"domain controller","time":1591961259000,"reg_value":{"path":"\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\CrashOnAuditFail"}}

    No filters have been applied to the collector or forwarder on ICDx.  

    Any idea why the MD5 hash is being pulled?

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------
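    As an added example (not part of the original post or of ICDx/DCS), the two records above can be correlated on the fields both formats carry, the DCS event type (`DRGW`) and sequence number (`476269`), so the MD5 from the locally written log can be re-attached to the ICDx JSON before it reaches the SIEM, and events that arrive with no hash at all can be flagged. The sample inputs are constructed from the post (the JSON is trimmed to the relevant fields); the assumption that the hash is the first 32-hex-character field after `Event ID:` is based on the sample line, and the keys `x_filemonitor_md5` and `x_hash_missing` are our own names, not ICDx schema fields.

```python
import json
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample FileMonitor line, modelled on the one in the post (IP redacted as in the post).
FILEMONITOR_LINE = (
    r'Jun 12 11:28:26 xxx.xxx.xxx.xxx FileMonitor RealSource:"domain controller" Event ID:     '
    r"DRGW,476269,2020-06-12 11:27:39.000 Z-0000,W,59,R,9625db194b07e6221b7ca0be9c25f26e,"
    r"REG_CrashOnAuditFail,CrashOnAuditFail_Changed,,NT AUTHORITY\SYSTEM,,"
    r"C:\Windows\system32\svchost.exe,860,S,"
    r"\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\CrashOnAuditFail,SET VALUE,,"
)

# Constructed sample ICDx event, trimmed to the fields used here (values taken from the post).
ICDX_EVENT = json.loads(r'''{"user_name":"NT AUTHORITY\\SYSTEM",
"product_data":{"operation":"SET VALUE","system_state":"R"},"type":"DRGW","seq_num":476269,
"uuid":"b0c66130-ac9f-11ea-c000-000000168008","device_name":"domain controller",
"product_uid":"1F4A6425-878A-482C-9F4D-F6BC49DED2CA","device_time":1591961259000,
"policy":{"rule_uid":"REG_CrashOnAuditFail","rule_name":"CrashOnAuditFail_Changed"},
"product_name":"Symantec Data Center Security",
"actor":{"pid":860,"file":{"name":"svchost.exe","path":"C:\\Windows\\system32\\svchost.exe"}},
"event_id":8006002,
"reg_value":{"path":"\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\CrashOnAuditFail"}}''')


def parse_filemonitor(line):
    """Return ((type, seq_num), md5_or_None) for one FileMonitor syslog line.

    The payload after 'Event ID:' is comma separated; its first two fields are the
    DCS event type and sequence number, which the ICDx JSON carries as 'type' and
    'seq_num'. The MD5 is taken as the first 32-hex field (assumption from the sample).
    """
    _, marker, payload = line.partition("Event ID:")
    if not marker:
        raise ValueError("not a FileMonitor event line")
    fields = [f.strip() for f in payload.strip().split(",")]
    if len(fields) < 2:
        raise ValueError("event payload too short")
    key = (fields[0], int(fields[1]))
    md5 = next((f.lower() for f in fields if MD5_RE.match(f.lower())), None)
    return key, md5


def build_hash_index(lines):
    """Map (type, seq_num) -> md5 for every FileMonitor line that carries a hash."""
    index = {}
    for line in lines:
        if "FileMonitor" not in line:
            continue
        key, md5 = parse_filemonitor(line)
        if md5:
            index[key] = md5
    return index


def hash_present(event):
    """True if any string value anywhere in the event looks like an MD5 (recursive walk)."""
    def walk(value):
        if isinstance(value, dict):
            return any(walk(v) for v in value.values())
        if isinstance(value, list):
            return any(walk(v) for v in value)
        return isinstance(value, str) and bool(MD5_RE.match(value.lower()))
    return walk(event)


def enrich(event, index):
    """Copy of the ICDx event with the local-log MD5 attached and a missing-hash flag.

    'x_filemonitor_md5' and 'x_hash_missing' are custom keys chosen here, not ICDx fields.
    """
    out = dict(event)
    md5 = index.get((event.get("type"), event.get("seq_num")))
    out["x_filemonitor_md5"] = md5
    # Flag events that carry no hash from either source, so the gap shows up in the SIEM.
    out["x_hash_missing"] = md5 is None and not hash_present(event)
    return out


if __name__ == "__main__":
    idx = build_hash_index([FILEMONITOR_LINE])
    print(json.dumps(enrich(ICDX_EVENT, idx), indent=2))
```

Run on the sample data, the ICDx event alone contains no MD5-shaped value, and the join on `("DRGW", 476269)` restores `9625db194b07e6221b7ca0be9c25f26e`; an ICDx event with no matching local line comes out with `x_hash_missing` set to true, which is the condition to alert on while the product gap remains.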


  • 2.  RE: Missing MD5 hash value from file integrity monitoring when event comes through Broadcom ICDx

    Broadcom Employee
    Posted Jun 30, 2020 11:44 AM
    Currently, this is not collected via ICDx. There is a table on page 184 of the 1.4.1 ICDx Admin Guide that shows what is collected from DCS. If you are wanting this data, then bring up a feature request via normal procedures.

    ------------------------------
    Kris Gainsforth
    Solutions Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Missing MD5 hash value from file integrity monitoring when event comes through Broadcom ICDx

    Posted Jun 30, 2020 06:41 PM
    I appreciate the prompt response.  When I reviewed the release notes for version 1.4.1 it says that with regards to DCS, "ICDx now captures all fields from DCSFile Watch events."  Would this include the MD5 hash value?

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------



  • 4.  RE: Missing MD5 hash value from file integrity monitoring when event comes through Broadcom ICDx

    Broadcom Employee
    Posted Jul 06, 2020 11:55 AM
    Hi Mike,
    No, unfortunately the MD5 hash value is still not available in 1.4.1. It could be some new column/field that DCS has added and ICDx is not aware of it.

    Which version of DCS do you use?

    Thanks,
    Roumen

    ------------------------------
    Roumen
    SED, Broadcom
    ------------------------------



  • 5.  RE: Missing MD5 hash value from file integrity monitoring when event comes through Broadcom ICDx

    Posted Jul 06, 2020 11:56 AM
    We are using DCS 6.8.2.

    ------------------------------
    Mike
    WaveRider Security
    CA
    ------------------------------