IBM Support

The Username Column for Microsoft Windows Events Contains Incorrect Values (Updated)

Flashes (Alerts)


Abstract

An issue has been identified where the Microsoft Windows Device Support Module (DSM) from the QRadar weekly auto update is incorrectly parsing the username field. Due to this issue, the Username column in the Log Activity tab can populate usernames with an incorrect user or the field might be N/A.

Content


IMPORTANT UPDATE: Administrators no longer need to uninstall or roll back the Microsoft Windows Security Event Log. A new version of the Microsoft Windows DSM is published on IBM Fix Central. Administrators can install the latest version instead of rolling back to an older version or they can run their weekly auto update. The corrected versions of the Microsoft Windows Security Event Log DSM were published in the weekly QRadar Automatic Update posted on Saturday

    Direct links
    These links are intended for administrators who do not use QRadar Automatic Updates.

    To verify the version installed
    1. Log in to the QRadar Console as an administrator.
    2. Click the Admin tab.
    3. Click the Auto Update icon.
    4. Click View Update History.
    5. Review the installed update list to verify that the updated Microsoft Windows Security Event Log DSM is installed.
    6. If the file is not listed in your Auto Update History, you can manually install the latest DSM from IBM Fix Central or click the Get New Updates button in the user interface to force a weekly auto update.

      For example, to manually install an RPM, copy the file to your QRadar Console and type a command based on your software version:
      • For QRadar 7.2: yum -y install DSM-MicrosoftWindows-7.2-20170803092035.noarch.rpm
      • For QRadar 7.3: yum -y install DSM-MicrosoftWindows-7.3-20170803132814.noarch.rpm


------- Original Information (See Update) -------
Urgency: IMPORTANT
APAR: IV98654
Scope: QRadar SIEM or QRadar Log Manager deployments with weekly auto updates enabled on software versions 7.3.x or 7.2.x, which ran an auto update on/after July 30th, 2017. This issue can also impact users who manually installed the Microsoft Windows Security Event Log DSM from IBM Fix Central.
Summary: A Microsoft Windows Security Event Log DSM parsing issue can prevent usernames from being interpreted correctly, which can cause correlation issues and unnecessary offenses to be generated.


Affected Device Support Modules (DSMs)
Two Microsoft Windows Security Event Log updates were provided in the QRadar weekly auto update that was published on July 30th. Any QRadar deployment with one of the DSM versions listed below installed can experience the username parsing issue described in this bulletin.

QRadar 7.2.x:
  • DSM-MicrosoftWindows-7.2-20170628111940.noarch.rpm
  • DSM-MicrosoftWindows-7.2-20170606094659.noarch.rpm

QRadar 7.3.x:
  • DSM-MicrosoftWindows-7.3-20170628152004.noarch.rpm
  • DSM-MicrosoftWindows-7.3-20170606134730.noarch.rpm


Description
The Microsoft Windows Security Event Log DSM was updated to allow users to suppress 'system account' values that end in $ and 'originating computer' values, giving administrators a way to configure how identity is set for username fields. In this update we altered the Microsoft Windows Security Event Log DSM to enable additional options that control how usernames appearing in the event payload are parsed.

The latest weekly auto update from Friday July 30th inadvertently introduced a parsing issue where the Username column might display the wrong value or appear as N/A in the user interface. The event payload stored by QRadar is intact and contains the correct username values as provided by the Windows host; only the parsed field is wrong. This issue can lead to rule correlation problems and cause unnecessary offenses to be generated.


Resolution
Remove/uninstall the Windows Security Event Log DSM that was installed by the QRadar auto update and install the previous version to avoid the username parsing issue reported in APAR IV98654.

Microsoft Windows Security Event Log DSM versions that correctly parse the Username column for events:
  • For QRadar 7.2: DSM-MicrosoftWindows-7.2-20170322085925.noarch.rpm
  • For QRadar 7.3: DSM-MicrosoftWindows-7.3-20170322125925.noarch.rpm


Procedure
    This procedure guides administrators through removing the affected version and reinstalling an older version of the Microsoft Windows Security Event Log DSM.
    1. Using SSH, log in to the Console as the root user.
    2. To verify which Windows DSM RPM is installed, type: yum info DSM-MicrosoftWindows

      NOTE: All QRadar appliance installs generate a benign message to administrators when a yum command is used. For example: "This system is not registered with an entitlement server. You can use subscription-manager to register." This message can be ignored by administrators; the yum remove and install commands will complete successfully.

    3. Verify whether an affected version is installed. If the installed version is older than the affected RPM versions listed above, your event parsing is not impacted by this issue.
    4. To remove the affected version, type one of the following commands based on the RPM version reported from the yum info command in Step #2:
      For QRadar 7.2: yum remove DSM-MicrosoftWindows-7.2-20170606094659
      For QRadar 7.2: yum remove DSM-MicrosoftWindows-7.2-20170628111940
      For QRadar 7.3: yum remove DSM-MicrosoftWindows-7.3-20170606134730
      For QRadar 7.3: yum remove DSM-MicrosoftWindows-7.3-20170628152004
    5. Type Y to remove the file when prompted. A list of files removed is displayed.
    6. Download the working RPMs in this step for your QRadar version.
      For QRadar 7.2: DSM-MicrosoftWindows-7.2-20170322085925.noarch.rpm
      For QRadar 7.3: DSM-MicrosoftWindows-7.3-20170322125925.noarch.rpm
    7. Copy the downloaded file to the QRadar Console.
    8. To install the rpm, type one of the commands below based on your QRadar version:
      For QRadar 7.2: yum install DSM-MicrosoftWindows-7.2-20170322085925.noarch.rpm
      For QRadar 7.3: yum install DSM-MicrosoftWindows-7.3-20170322125925.noarch.rpm
    9. Type Y to install the file when prompted.
    10. Log in to the QRadar Console as an administrator.
    11. Click the Admin tab.
    12. Click the Deploy Changes button.

      NOTE: A Full Deploy is NOT required for a DSM update.
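Steps 2 and 3 above ask the administrator to read the installed RPM version and compare it against the affected list by hand. The following POSIX shell script is an added example, not part of the IBM flash or of QRadar itself: it classifies a DSM-MicrosoftWindows package name (as printed by `rpm -q` or `yum info`) against the affected, corrected and rollback builds named in this flash and prints the matching action. It assumes package names follow the pattern DSM-MicrosoftWindows-<QRadar version>-<YYYYMMDDhhmmss>.noarch shown in the flash; the sample `rpm -q` output at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the IBM flash: classify the installed
# DSM-MicrosoftWindows RPM (Steps 2 and 3 of the procedure) against the
# builds this flash names. Assumes package names follow the pattern
# DSM-MicrosoftWindows-<qradar version>-<YYYYMMDDhhmmss>.noarch as in the flash.

# Builds the flash lists as affected by APAR IV98654.
AFFECTED="DSM-MicrosoftWindows-7.2-20170628111940
DSM-MicrosoftWindows-7.2-20170606094659
DSM-MicrosoftWindows-7.3-20170628152004
DSM-MicrosoftWindows-7.3-20170606134730"

# Corrected builds named in the update at the top of the flash.
FIXED="DSM-MicrosoftWindows-7.2-20170803092035
DSM-MicrosoftWindows-7.3-20170803132814"

# Rollback targets named in the Resolution section.
ROLLBACK="DSM-MicrosoftWindows-7.2-20170322085925
DSM-MicrosoftWindows-7.3-20170322125925"

# in_list NAME LIST -> returns 0 if NAME is one of the whitespace-separated LIST entries
in_list() {
    for entry in $2; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# dsm_status NAME -> prints affected | fixed | rollback-target | older | newer | unknown
# Always returns 0 so it is safe to call under "set -e".
dsm_status() {
    name=${1%.rpm}            # accept a file name as well as an rpm -q package name
    name=${name%.noarch}
    case $name in
        DSM-MicrosoftWindows-7.[23]-*) ;;
        *) echo unknown; return 0 ;;
    esac
    if in_list "$name" "$AFFECTED"; then echo affected; return 0; fi
    if in_list "$name" "$FIXED"; then echo fixed; return 0; fi
    if in_list "$name" "$ROLLBACK"; then echo rollback-target; return 0; fi
    stamp=${name##*-}         # build timestamp, YYYYMMDDhhmmss
    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Step 3: a build older than the first affected build (2017-06-06) is not impacted.
    if [ "$stamp" -lt 20170606000000 ]; then echo older; return 0; fi
    # A build newer than the corrected 7.3 build is not covered by this flash.
    if [ "$stamp" -gt 20170803132814 ]; then echo newer; return 0; fi
    echo unknown
}

# advise STATUS -> one-line action that follows the flash's guidance
advise() {
    case $1 in
        affected) echo "Install the corrected DSM from Fix Central (or click Get New Updates), or roll back per the Resolution steps; then Deploy Changes." ;;
        fixed) echo "Corrected build installed; no action needed." ;;
        rollback-target) echo "Pre-issue build installed; usernames parse correctly." ;;
        older) echo "Older than any affected build; not impacted by APAR IV98654." ;;
        newer) echo "Newer than the builds named in this flash; check its release notes." ;;
        *) echo "Not a recognised DSM-MicrosoftWindows package name." ;;
    esac
}

# On a real Console you would feed in live output, for example:
#   rpm -q DSM-MicrosoftWindows | while read -r p; do dsm_status "$p"; done
# Here a constructed sample of rpm -q output is used so the script runs offline.
SAMPLE_RPM_QUERY="DSM-MicrosoftWindows-7.3-20170628152004.noarch"

for pkg in $SAMPLE_RPM_QUERY; do
    status=$(dsm_status "$pkg")
    echo "$pkg: $status - $(advise "$status")"
done
```

The explicit lists cover exactly the builds the flash names; the timestamp comparison only encodes the rule from Step 3 (anything older than the affected builds is not impacted) and flags builds outside the flash's range as "newer" rather than guessing at their status.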

Results
After the administrator updates the Microsoft Windows DSM, the issue is resolved. This rolls back the Microsoft Windows DSM to the prior version to prevent the username parsing issue. Administrators can verify that the user in the event payload matches the value populated in the Username column of the Log Activity tab.




Document Information

Modified date:
25 September 2022

UID

swg22006837