IBM Support

Windows System Events or Username$ Events Display N/A in the Username field

Question & Answer


Question

Why is it that some Windows events display N/A in the Username field in QRadar when the event has a name value pair?

Cause

Windows events that show N/A in the Username field are typically system-generated events: they belong to the local computer or a system account rather than to a person. QRadar populates the Username field with N/A for these events by design.

Answer

QRadar does not populate usernames for system-generated Windows events, because no person generated them. Parsing is done this way by design to help administrators separate events generated by people from events generated by computer or system accounts. A further benefit is that computer or system accounts do not update asset profiles with a "last logged in user" value when the source of the event is a system account.

The following values are considered by QRadar to be system-generated usernames. When the Windows Security Event Log DSM encounters these values within a Windows event, the value is populated as N/A in the Username column.
  • System
  • Username$
  • Management
  • Unknown
  • Dash (-)
  • NETWORK
  • NETWORK SERVICE
  • Name

    Note: The Windows DSM also accounts for variations in capitalization and for spelling differences in events generated in the following group 1 languages: English, Chinese (simplified and traditional), Japanese, Korean, French, German, Italian, Spanish, and Portuguese (Brazil).

For example, the following event would have its username listed as N/A, because its User value (SYSTEM) is one of the system-generated usernames listed above:
Jun 07 IP ADDRESS AgentDevice=WindowsLog AgentLogFile=Security Source=Security Computer=DDD1QQ2 User=SYSTEM Domain=Test EventID=537 EventIDCode=537 EventType=16 EventCategory=2 RecordNumber=130834 TimeGenerated=1223405120 TimeWritten=1223405120 Message=3 Kerberos Kerberos - 0xC000023D 0xC0000144 - - - - - IP ADDRESS 3165
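As an added illustration (example code, not QRadar's own DSM parser), the following Python applies the rule described above to the sample event: it splits the name-value pairs, then reports the listed system-generated usernames as N/A so that the remaining events can be filtered to those with a person's username. Only the English spellings from the list are included; the localized variants mentioned in the Note are not.

```python
import re

# Values the page lists as system-generated usernames, matched case-insensitively.
# "Username$" is handled separately as "any account name ending in $".
SYSTEM_USERNAMES = {"system", "management", "unknown", "-", "network", "network service", "name"}

# Constructed sample event, modelled on the one shown above (not a real capture).
SAMPLE_EVENT = (
    "Jun 07 IP ADDRESS AgentDevice=WindowsLog AgentLogFile=Security Source=Security "
    "Computer=DDD1QQ2 User=SYSTEM Domain=Test EventID=537 EventIDCode=537 EventType=16 "
    "EventCategory=2 RecordNumber=130834 TimeGenerated=1223405120 TimeWritten=1223405120 "
    "Message=3 Kerberos Kerberos - 0xC000023D 0xC0000144 - - - - - IP ADDRESS 3165"
)

# Key=Value, where the value runs until the next " Key=" or the end of the line.
# This lets the Message value keep its embedded spaces.
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_pairs(event: str) -> dict:
    """Return the name-value pairs of a WindowsLog event as a dict."""
    return {key: value for key, value in _PAIR.findall(event)}


def normalize_username(user: str) -> str:
    """Report system-generated usernames as N/A, per the list above."""
    u = user.strip()
    if u.lower() in SYSTEM_USERNAMES or u.endswith("$"):  # $ suffix = computer account
        return "N/A"
    return u


def username_for(event: str) -> str:
    """Username QRadar would show for this event under the rule described above."""
    return normalize_username(parse_pairs(event).get("User", ""))


def human_usernames(events) -> list:
    """Filter a batch of events down to the usernames that are not N/A."""
    return [u for u in (username_for(e) for e in events) if u != "N/A"]


if __name__ == "__main__":
    # Second event is constructed by swapping in an ordinary user account.
    batch = [SAMPLE_EVENT, SAMPLE_EVENT.replace("User=SYSTEM", "User=jsmith")]
    print(username_for(SAMPLE_EVENT))   # N/A
    print(human_usernames(batch))       # ['jsmith']
```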

Document Information

Modified date:
13 August 2021

UID

swg21678793