IBM Support

Windows event ID 4776 does not update the assets with the correct identity information (APAR IJ12129)

Troubleshooting


Problem

Administrators who collect Microsoft Windows events reported an issue where event ID 4776 does not update the Windows assets with the correct identity information from the event payload. This technical note describes the identity issues related to APAR IJ12129 and how administrators can apply a workaround to resolve this asset issue.

Symptom

The most common symptom of this issue is that event ID 4776 continually updates the Windows domain controller asset with incorrect information. The incorrect identity information causes assets to merge (vortexing), so a single Windows host accumulates IP addresses, NetBIOS addresses, MAC addresses, and hostname information that is not associated with the correct physical machine.
 

Cause

A known parsing issue causes WinCollect events sent to QRadar® for Windows® event ID 4776 to display incorrect Identity IP or hostname information, leading to asset merge issues. Event ID 4776 is logged when "The domain controller attempted to validate the credentials for an account" using NTLM. However, these events are incorrectly associated with the domain controller instead of the member servers or workstations. Because event ID 4776 is a logon event, it carries an identity flag, and its identity information is intended to update the asset details of the correct Windows host with the information from the event payload. When the identity information is incorrect, QRadar merges asset details, such as IP address information, into the domain controller asset instead of the asset for the member workstation.

Environment

QRadar® systems with the following DSM versions installed:
  • QRadar 7.4.x: DSM-MicrosoftWindows-7.4-20200310175915.noarch.rpm or earlier
  • QRadar 7.3.x: DSM-MicrosoftWindows-7.3-20200310175935.noarch.rpm or earlier

    Note: Administrators on QRadar 7.2.8 or earlier versions must upgrade to QRadar 7.3.0 or later to receive an RPM update that contains a resolution for this issue. IBM no longer publishes software for QRadar 7.2.x versions. For more information, see the QRadar Support LifeCycle document.

Diagnosing The Problem

Compare the raw event payload of event ID 4776 to the QRadar event details to determine whether the Identity IP matches the Source Workstation or the Originating Computer value:
 
  • Correct: The Identity IP field in the QRadar event details contains the value from the Source Workstation field for event ID 4776.
  • Incorrect: The Identity IP field in the QRadar event details contains the value from the Originating Computer field for event ID 4776.

Optional
Administrators can review their System Notifications to determine whether QRadar is incorrectly merging asset data from event ID 4776. As the domain controller accumulates asset information, QRadar tracks the number of asset details being added to a single host and creates a system notification to alert administrators. To determine the frequency of this issue, administrators can run a search in QRadar with the QID of the system notification to determine which assets in their network might be merging data incorrectly.
 
  QID       Description
  38750137  The system detected asset profiles that exceed the normal size threshold

Resolving The Problem

When the Source Workstation value is used, the identity IP address populates the correct source asset and prevents erroneous data. Administrators who experience the issue described in APAR IJ12129 can use the DSM Editor to enable a parsing condition specific to event ID 4776 that ignores the Originating Computer identity value. When the Disable Originating Computer Identity For Event ID 4776 property is active (true), the Source Workstation value is used as the identity when parsing event ID 4776.

Before you begin
  • The DSM Editor changes in the user interface require QRadar 7.4.0. If you are on an earlier version, such as QRadar V7.3.3 or earlier, you must use the command line instructions.
  • This procedure requires administrator access to update DSM Editor parameters. Administrators might require a scheduled maintenance window to complete this procedure depending on your corporate change policy.
  • Verify DSM-MicrosoftWindows-7.4-20200330182503.noarch.rpm or later is installed on the QRadar Console.
 
Parsing parameters
The following parameters are available to administrators to define how identity parsing occurs for Windows events:
 
  1. Disable Originating Computer Identity - Defines whether the Originating Computer field from the Windows event payload is used to generate identity IP address information for assets.
    • When disabled, the Originating Computer value from the event payload is used to generate identity IP data for Windows events. The default value is disabled for all administrators with DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm or later.
    • When enabled, the IP address is ignored for identity for all Windows events. This option disables the collection of the IP address for identity information. Users should be notified that the Identity IP field in the Log Activity event details screen displays N/A in the user interface for all Windows events when Disable Originating Computer Identity is enabled.
  2. Disable Originating Computer Identity For Event ID 4776 - Defines whether event ID 4776: 'The domain controller attempted to validate the credentials for an account' uses the Originating Computer or the Source Workstation value from the Windows event payload to generate identity data.
    • When enabled, the Source Workstation value from the event payload is used to generate identity for event ID 4776. The default value is true for all administrators with DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm or later to ensure that the member workstation values populate the asset model correctly.
    • When disabled, the Originating Computer IP address is used to populate identity values for Windows event ID 4776. Users might experience issues where domain controller assets accumulate large numbers of IP addresses that belong to member workstations when this parameter is set to false.

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the DSM Editor icon.
  4. In the Select Log Source Type field, type Microsoft Windows Security Event Log.
  5. Click Select.
  6. Click the Configuration tab.
  7. Click Display DSM Parameters Configuration to enable advanced parsing parameters.
  8. Confirm Disable Originating Computer Identity For Event ID 4776 is enabled.
  9. Click Save.

    Results
    After the save is complete, administrators can review incoming Windows events to ensure that the event details screen for event ID 4776 includes correct information. To search for these events quickly, add a search filter for Identity equals True and Event ID is 4776. Administrators can compare the Source Workstation value from the event payload to the Identity IP address field to confirm that they match for event ID 4776. If the Identity IP field matches the Originating Computer field of the event payload instead, confirm the settings in the DSM Editor or contact QRadar support for assistance.

Procedure for QRadar 7.3.3 and earlier versions

Administrators who use QRadar 7.3.3 and DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm might be required to adjust how identity is handled for Windows events. New parameters that define how identity is parsed for Windows event ID 4776 are included in DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm and later. If an administrator has identity update issues on their domain controllers or needs to disable asset updates, a command-line change can be applied on each QRadar host that parses Windows events.

Before you begin
  • This procedure requires root access and administrators to restart the ecs-ec service on QRadar appliances. Administrators might require a scheduled maintenance window depending on your corporate change policy.
  • Verify your Microsoft Windows Security Event Log DSM version. For example, type: yum info DSM-MicrosoftWindows-7.3*.
    IMPORTANT: If the RPM version is earlier than DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm, the administrator cannot use the disableOriginatingComputerIdentityFor4776 parameter. Before you continue, install the latest Microsoft Windows Security Event Log DSM on the Console appliance or complete a QRadar auto update.
Parsing parameters
The following parameters are available to administrators to define how identity parsing occurs for Windows events:
 
  1. disableOriginatingComputerIdentity - Defines whether the Originating Computer field from the Windows event payload is used to generate identity IP address information for assets.
    • When disableOriginatingComputerIdentity=false, the Originating Computer value from the event payload is used to generate identity IP data for Windows events. The default value is false for all administrators with DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm or later.
    • When disableOriginatingComputerIdentity=true, the IP address is ignored for identity for all Windows events. This option disables the collection of the IP address for identity information. Users should be notified that the Identity IP field in the Log Activity event details screen displays N/A in the user interface for all Windows events when disableOriginatingComputerIdentity is set to true.
  2. disableOriginatingComputerIdentityFor4776 - Defines whether event ID 4776: 'The domain controller attempted to validate the credentials for an account' uses the Originating Computer field from the Windows event payload to generate identity data.
    • When disableOriginatingComputerIdentityFor4776=true, the Source Workstation value from the event payload is used to generate identity for event ID 4776. The default value is true for all administrators with DSM-MicrosoftWindows-7.3-20200330182418.noarch.rpm or later to ensure that the member workstation values populate the asset model correctly.
    • When disableOriginatingComputerIdentityFor4776=false, the Originating Computer IP address is used to populate identity values for Windows event ID 4776. Users might experience issues where domain controller assets accumulate large numbers of IP addresses that belong to member workstations when this parameter is set to false.

Procedure
This procedure is only required if administrators need to change how identity is handled when parsing Windows events.
  1. Use SSH to log in to IBM QRadar as a root user.
  2. Open an SSH session to the QRadar appliance receiving WinCollect events.
  3. Navigate to the /opt/qradar/conf/ directory.
  4. Use a text editor to create a file named: WindowsAuthServer.properties
  5. To override the default parsing behavior, add one of the following parameters to the WindowsAuthServer.properties file:
    1. disableOriginatingComputerIdentity=true
      Warning: disableOriginatingComputerIdentity=true disables Identity IP data for all Windows events.
    2. disableOriginatingComputerIdentity=false
    3. disableOriginatingComputerIdentityFor4776=true
    4. disableOriginatingComputerIdentityFor4776=false
      Warning: disableOriginatingComputerIdentityFor4776=false can cause asset merge issues in QRadar for Windows domain controllers.
  6. Save your changes.
  7. To restart services, type: systemctl restart ecs-ec
  8. Repeat this procedure on each QRadar appliance that receives events from WinCollect agents or uses the MSRPC protocol.
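The following Python script is an added illustration (not IBM's code and not QRadar's actual parser) of the decision that the two properties above encode and of the payload comparison described under Diagnosing The Problem. The properties content, the payload layout (modelled on WinCollect's tab-separated key=value fields) and the hosts are constructed and simplified.

```python
import re

# Constructed WindowsAuthServer.properties content (not IBM's shipped file).
PROPERTIES_TEXT = """\
# identity handling for Windows events (comment line, must be ignored)
disableOriginatingComputerIdentity=false
disableOriginatingComputerIdentityFor4776=true
"""

# Constructed event ID 4776 payload modelled on WinCollect's tab-separated key=value
# layout; the field set is simplified and the hosts are fictional.
SAMPLE_4776 = (
    "<13>Mar 30 10:15:02 DC01.example.test AgentDevice=WindowsLog\t"
    "Computer=DC01.example.test\tOriginatingComputer=10.0.0.5\tEventID=4776\t"
    "Message=The domain controller attempted to validate the credentials for an account.  "
    "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  "
    "Logon Account: jdoe  Source Workstation: WS-042  Error Code: 0x0"
)

def load_properties(text):
    """Parse key=value lines into booleans; blank lines and # comments are skipped."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip().lower() == "true" for k, sep, v in pairs if sep and not k.startswith("#")}

def parse_payload(payload):
    """Split the payload into fields and lift Source Workstation out of the Message text."""
    fields = {}
    for token in payload.split("\t"):
        key, sep, value = token.partition("=")
        if sep:  # the first token carries the syslog header before AgentDevice=
            fields[key.rsplit(" ", 1)[-1]] = value.strip()
    match = re.search(r"Source Workstation:\s*(\S+)", fields.get("Message", ""))
    fields["SourceWorkstation"] = match.group(1) if match else None
    return fields

def select_identity(fields, props):
    """Which payload value becomes Identity IP under the two parameters; None means N/A."""
    if props.get("disableOriginatingComputerIdentity", False):
        return None  # identity IP disabled for every Windows event
    if fields.get("EventID") == "4776" and props.get("disableOriginatingComputerIdentityFor4776", True):
        return fields.get("SourceWorkstation")  # member workstation: the corrected behaviour
    return fields.get("OriginatingComputer")  # domain controller: the behaviour that merges assets

def diagnose(fields, observed_identity_ip):
    """The 'Diagnosing The Problem' check: Source Workstation is correct, Originating Computer is not."""
    if observed_identity_ip == fields.get("SourceWorkstation"):
        return "correct"
    return "incorrect" if observed_identity_ip == fields.get("OriginatingComputer") else "unknown"
```

Running `diagnose(parse_payload(SAMPLE_4776), "10.0.0.5")` reproduces the incorrect case the note describes, where the domain controller's address is used as identity; with the default property values `select_identity` returns the Source Workstation instead.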

    Results
    After the service restart is complete, administrators can review incoming Windows events to ensure that the event details screen for event ID 4776 includes correct information. To search for these events quickly, add a search filter for Identity equals True and Event ID is 4776. Administrators can compare the Source Workstation value from the event payload to the Identity IP address field; the values should match to confirm that the event parses correctly. If the Identity IP field matches the Originating Computer field of the event payload instead, confirm the values in the /opt/qradar/conf/WindowsAuthServer.properties file and verify that the latest DSM is installed. If you continue to experience issues, contact QRadar support for assistance.
     
Notice: Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Document Information

Modified date:
22 April 2020

UID

ibm16193437