
Passwordstate parser?

  • 1.  Passwordstate parser?

    Posted Oct 21, 2022 07:15 AM
    Hello everyone,

    I would like to ask for assistance regarding a Passwordstate parser. Has anyone already worked on it?

    One of the major challenges I am having is the lack of Passwordstate syslog documentation. I have only been able to find this page, which contains all the report types that can be run within Passwordstate.
    Passwordstate Compliance Reporting

    The other problem is related to the log format: the logs are not coming in JSON format. I have not been able to find a common field to be used as the EventType.

    Passwordstate Syslog samples:

    <110>10-17-2022 21:25:43 192.168.1.5 Passwordstate: First Last (domain\First.Last) retrieved the Password record '<Name> Management API Secret' from the Password List '<Name>' via a API search. (Title = <Name> Management API Secret, UserName = 46666641fyu4hjfi4ji4jifj4ijhf4i4). Client IP Address = 192.168.1.10. PasswordListID = 1025, PasswordID = 8445

    <110>10-17-2022 21:25:34 192.168.1.5 Passwordstate: First Last (domain\First.Last) retrieved the Password record 'ABC' (UserName = 9542574) from the Password List 'Name DTK' to form fill the web site https://www.abc.com/client/. Client IP Address = 192.168.1.80. PasswordListID = 6987, PasswordID = 7412

    <110>10-17-2022 21:25:15 192.168.1.5 Passwordstate: First Last (domain\First.Last) copied the UserName for 'BCD' (Name BCD) to the clipboard(Title = Name DTK, UserName = 652352). Client IP Address = 192.168.1.85. PasswordListID = 7414, PasswordID = 3698

    <110>10-19-2022 09:14:18 192.168.1.5 Passwordstate: Automatic logoff for user from the IP Address '192.168.1.200'. Reporting of the actual user is not possible, due to expired session. The Client IP Address may also not be accurate if using Proxy Servers or Load Balancers. Client IP Address = 192.168.1.200

    <110>10-18-2022 16:37:26 192.168.1.5 Passwordstate: A scheduled Account Heartbeat check failed to validated the password for account abc (\Database Administrators\ABC Accounts) of Account Type 'MS SQL Server' on Host ServerName.domain.com. Error = Failed to validate the password for the SQL account 'abc' on Host 'ServerName.domain.com'. UserName or Password is incorrect. Client IP Address = 192.168.1.23. PasswordListID = 7458, PasswordID = 98547

    Is it possible to create a parser using multiple cases, one for each event type? I may need around 100 cases.
    Could there be any performance issues in doing so?
    <switch>
    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[]]></regex>
    </collectAndSetAttrByRegex>
    </case>

    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[]]></regex>
    </collectAndSetAttrByRegex>
    </case>

    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[]]></regex>
    </collectAndSetAttrByRegex>
    </case>
    ..
    ...

    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[]]></regex>
    </collectAndSetAttrByRegex>
    </case>

    </switch>

    Do you have any alternative for generating an EventType automatically?


  • 2.  RE: Passwordstate parser?

    Posted Oct 22, 2022 10:13 AM
    Absolutely, your method for these kinds of logs is correct...

    You would just create as many case statements as needed. In some cases you might set two or more cases to the same eventType, as below.

    <switch>
    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[Passwordstate: blah blah this is the first type of login]]></regex>
    </collectAndSetAttrByRegex>
    <setEventAttribute attr="eventType">PasswordState-Login-Success</setEventAttribute>
    </case>

    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[Passwordstate: blah blah blah blah this is the second type of login]]></regex>
    </collectAndSetAttrByRegex>
    <setEventAttribute attr="eventType">PasswordState-Login-Success</setEventAttribute>
    </case>

    <case>
    <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[Passwordstate: this is a login failure]]></regex>
    </collectAndSetAttrByRegex>
    <setEventAttribute attr="eventType">PasswordState-Login-Failure</setEventAttribute>
    </case>
    </switch>


    I'm not sure your samples have a need for this, but the way to create dynamic event types would be via the combineMsgId function...
    <setEventAttribute attr="eventType">combineMsgId("PasswordState-", $someVariable)</setEventAttribute>
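The following is an added example, not code from either post and not Passwordstate's or the SIEM vendor's own parser. It models in Python what both posts describe for the sample lines in the question: an ordered list of anchored regexes where the first match sets a fixed eventType (the switch/case chain), the Client IP / PasswordListID / PasswordID key-value pairs that most lines share and can be collected once regardless of case, and a combineMsgId-style fallback that builds the event type from the verb in the message when no explicit case matches. The input is the five syslog lines from the question plus one constructed line (marked) that none of the explicit cases recognises; the attribute names (user, account, passwordListId, and so on) and the eventType values are my own choices, not Passwordstate's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed test input: the five Passwordstate syslog samples quoted in the question,
# plus one extra line (marked) that none of the explicit cases below recognises.
SAMPLES: List[str] = [
    "<110>10-17-2022 21:25:43 192.168.1.5 Passwordstate: First Last (domain\\First.Last) retrieved the Password record '<Name> Management API Secret' from the Password List '<Name>' via a API search. (Title = <Name> Management API Secret, UserName = 46666641fyu4hjfi4ji4jifj4ijhf4i4). Client IP Address = 192.168.1.10. PasswordListID = 1025, PasswordID = 8445",
    "<110>10-17-2022 21:25:34 192.168.1.5 Passwordstate: First Last (domain\\First.Last) retrieved the Password record 'ABC' (UserName = 9542574) from the Password List 'Name DTK' to form fill the web site https://www.abc.com/client/. Client IP Address = 192.168.1.80. PasswordListID = 6987, PasswordID = 7412",
    "<110>10-17-2022 21:25:15 192.168.1.5 Passwordstate: First Last (domain\\First.Last) copied the UserName for 'BCD' (Name BCD) to the clipboard(Title = Name DTK, UserName = 652352). Client IP Address = 192.168.1.85. PasswordListID = 7414, PasswordID = 3698",
    "<110>10-19-2022 09:14:18 192.168.1.5 Passwordstate: Automatic logoff for user from the IP Address '192.168.1.200'. Reporting of the actual user is not possible, due to expired session. The Client IP Address may also not be accurate if using Proxy Servers or Load Balancers. Client IP Address = 192.168.1.200",
    "<110>10-18-2022 16:37:26 192.168.1.5 Passwordstate: A scheduled Account Heartbeat check failed to validated the password for account abc (\\Database Administrators\\ABC Accounts) of Account Type 'MS SQL Server' on Host ServerName.domain.com. Error = Failed to validate the password for the SQL account 'abc' on Host 'ServerName.domain.com'. UserName or Password is incorrect. Client IP Address = 192.168.1.23. PasswordListID = 7458, PasswordID = 98547",
    # Constructed line (not from the thread) to exercise the dynamic fallback.
    "<110>10-20-2022 08:00:00 192.168.1.5 Passwordstate: First Last (domain\\First.Last) deleted the Password record 'XYZ' from the Password List 'Name DTK'. Client IP Address = 192.168.1.50. PasswordListID = 6987, PasswordID = 1",
]

# Syslog header as it appears in the samples: <PRI>MM-DD-YYYY HH:MM:SS host Passwordstate: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Passwordstate: (?P<body>.*)$"
)

# "First Last (domain\First.Last) " prefix shared by the user-action messages.
ACTOR = r"^(?P<user>.+?) \((?P<account>[^)]+)\) "

# Explicit cases, evaluated in order with the first match winning, like a <switch>/<case> chain.
# Each entry is (anchored regex over the body, fixed eventType); named groups become attributes.
CASES: List[Tuple[re.Pattern, str]] = [
    (re.compile(ACTOR + r"retrieved the Password record '(?P<title>.+?)' from the Password List '(?P<passwordList>.+?)' via a API search\."),
     "Passwordstate-Password-Retrieved-API"),
    (re.compile(ACTOR + r"retrieved the Password record '(?P<title>.+?)' \(UserName = (?P<userName>[^)]*)\) from the Password List '(?P<passwordList>.+?)' to form fill the web site (?P<url>\S+?)(?=\.(?:\s|$))"),
     "Passwordstate-Password-Retrieved-FormFill"),
    (re.compile(ACTOR + r"copied the UserName for '(?P<title>.+?)' .*?UserName = (?P<userName>[^)]*)\)"),
     "Passwordstate-UserName-Copied"),
    (re.compile(r"^Automatic logoff for user from the IP Address '(?P<srcIpAddr>[^']+)'"),
     "Passwordstate-Auto-Logoff"),
    # "failed to validated" is reproduced exactly as the sample line has it.
    (re.compile(r"^A scheduled Account Heartbeat check failed to validated the password for account (?P<targetUser>\S+) \((?P<folder>[^)]*)\) of Account Type '(?P<accountType>[^']+)' on Host (?P<targetHost>\S+?)\. Error = (?P<errorMsg>.+?)\. Client IP Address"),
     "Passwordstate-Heartbeat-Failed"),
]

# Key/value pairs at the tail of most lines; collected once, whatever the case matched.
TRAILER_FIELDS: List[Tuple[str, re.Pattern]] = [
    ("srcIpAddr", re.compile(r"Client IP Address = (\d{1,3}(?:\.\d{1,3}){3})")),
    ("passwordListId", re.compile(r"PasswordListID = (\d+)")),
    ("passwordId", re.compile(r"\bPasswordID = (\d+)")),
]

# Fallback for bodies no explicit case knows: derive the type from the verb and its object,
# the same idea as combineMsgId("PasswordState-", $someVariable) in the reply above.
DYNAMIC_RE = re.compile(ACTOR + r"(?P<verb>[a-z]+) (?:the |a |an )?(?P<object>[A-Za-z]+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Passwordstate syslog line into a flat attribute dict; None if the header is foreign."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    event: Dict[str, str] = {"pri": m["pri"], "timestamp": m["ts"], "reptDevIpAddr": m["host"]}
    body = m["body"]
    for pattern, event_type in CASES:          # first matching case wins
        c = pattern.match(body)
        if c:
            event["eventType"] = event_type
            event.update({k: v for k, v in c.groupdict().items() if v is not None})
            break
    else:                                      # no explicit case: build the type dynamically
        d = DYNAMIC_RE.match(body)
        if d:
            event["eventType"] = f"Passwordstate-{d['verb'].capitalize()}-{d['object']}"
            event["user"], event["account"] = d["user"], d["account"]
        else:
            event["eventType"] = "Passwordstate-Generic"
    for attr, pattern in TRAILER_FIELDS:       # shared tail fields, never overriding a case's value
        t = pattern.search(body)
        if t:
            event.setdefault(attr, t.group(1))
    event["msg"] = body
    return event


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch of lines, dropping any that are not Passwordstate syslog."""
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLES):
        print(ev["eventType"], {k: v for k, v in ev.items() if k not in ("msg", "eventType")})
```

On the performance question: every pattern is compiled once and anchored at the start of the body, so an unmatched case fails within the first few characters and a hundred such cases cost a hundred short anchored attempts per line, not a hundred scans. Order the specific patterns before the broad ones, since the first match wins, and keep the generic verb-based fallback last so that a new Passwordstate message still gets a usable eventType until an explicit case is written for it.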