Logo
Sign in
  1. Logpoint Service Desk
  2. Products Hub
  3. AgentX

AgentXKB v1.4.2

Avatar Prasuna Dahal
December 02, 2024 11:24
Follow

AgentXKB comprises knowledge base components including compiled normalizers, dashboards and search templates. It offers compiled normalizers for both Linux and Windows systems, along with dashboards for monitoring and compliance purposes such as Endpoint Compliance, File Integrity Management and Security Configuration Assessment. The search templates for AgentX and Browser Extension Investigation make it a comprehensive solution for security monitoring and analysis.

Release Date: December 2, 2024

Release Version: 1.4.2

Supported On: Logpoint v7.1.0 and later

Download: AgentXKB_1.4.2.pak

SHA256: df6d32345afcbe62f640b1c4649bbdc4271997656a74454381691bc6d9709a72

Documentation: AgentX guide

Enhancements

Description

Issue ID

Reference ID

The mapping of the following fields is updated:

Raw Log Field Normalized Field Event ID Compiled Normalizer
eventdata{product Name} product 5007 AgentXWindowsCompiledNormalizer
eventdata{product Version} product_version 5007 AgentXWindowsCompiledNormalizer
eventdata_new_value new_value 5007 AgentXWindowsCompiledNormalizer
eventdata_old_value old_value 5007 AgentXWindowsCompiledNormalizer

KB-24371, KB-23336

 

The fields eventdata_access_granted and eventdata_access_removed are now mapped to the privilege field.

KB-24576

 

The taxonomy of normalized fields is updated for AgentX Windows Security Audit.

  • eventdata_new_target_user_name → new_user

  • eventdata_old_target_user_name → target_user

  • eventdata_home_directory → home_directory

  • eventdata_home_path → home_path

  • eventdata_profile_path → path

  • eventdata_script_path → script_path

  • eventdata_user_parameters → parameter

  • eventdata_user_workstations → workstation

KB-24615

83081

The taxonomy of normalized fields is updated for AgentXWindowsCompiledNormalizer.

  • eventdata_nASIPv4Address → nas_ipv4_address

  • eventdata_clientIPAddress → client_address

  • eventdata_nASPortType → nas_port_type

  • eventdata_eAPType → eap_type

  • eventdata_nASIdentifier → nas_identifier

  • eventdata_nASPort → nas_port

  • log_file_cleared_client_process_id → process_id

  • log_file_cleared_client_process_start_key → process_start_key

  • log_file_cleared_subject_logon_id -> logon_id

PLUG-13149 , KB-24600

 

Bug Fixes

Description

Issue ID

Reference ID

In event_id 5007, “//” in paths was not parsed properly.

KB-23336

83096

The fields user, user_id and caller_user_id were not properly normalized by AgentXUnixCompiledNormalizer.

KB-23905

80329

For event_id 7000, eventdata fields were not normalized, resulting in the event source name not being collected.

KB-24539

 

For event_id 4656, file related events didn’t have labels, resulting in collecting logs without human-readable values.

KB-24612

 

In Oracle DB (Windows), specific fields like user, action, RETCODE, and OBJName were not normalized.

KB-22296

77681

Event logs from MS Exchange were not normalized correctly.

KB-21548

76056

Logs from Ubuntu were not normalized correctly.

KB-21548

-

When the UNIX template was improperly configured, AgentX UNIX logs were not normalized.

PLUG-13223

86018

Past Releases

AgentXKB v1.4.0

Release Date: February 23, 2024

Release Version: 1.4.0

Supported On: Logpoint v7.1.0 and later

Download: AgentX_KB_1.4.0.pak

SHA256: 842c252bbef75e45ecdd68289628d91ac45486281e61ec9ff645549bc826929b

Documentation: AgentX guide

Enhancements

Description

Issue ID

Reference ID

Mapped the following fields to maintain consistency:

Raw Log Field Normalized Field Event ID

subjectUserName

 user

4727, 4728, 4729, 4730,

4732, 4733, 4735, 4737

subjectUserSid

 user_id

targetUserName

 group
targetSid group_id
SID History sid_history 4738
KB-23106, KB-23157 78007, 79182

In AgentXUnixCompiledNormalizer:

  • Renamed the record field to record_id for correct mapping of eventRecordID field of raw ASP.Net logs. 
  • Parsed the message field with event ID 1309 for raw ASP.Net logs indicating a security or compliance incident like Denial-of-Service (DoS) attack.
  • NginX logs are now normalized. 
 KB-22933, KB-21992 78681, 76935, 79188

Bug Fixes

The following issues are fixed:

Description

Issue ID

Some Debian logs collected via AgentX were not properly normalized by AgentXUnixCompiledNormalizer.

KB-23168
When users configured default as source type for DNS logs, the event_source field was missed in the normalized log by AgentXWindowsCompiledNormalizer.  KB-22194, KB-22398, KB-23750, KB-22818
When an invalid source type was configured for OSQuery logs, the event_source field was missing in normalized log by AgentXWindowsCompiledNormalizer. 
The subjectUserName field value of a raw WindowsSecurityAuditing log was missing in the normalized user field by AgentXWindowsCompiledNormalizer.
The raw DHCP logs with an empty decoder field were not correctly normalized by AgentXWindowsCompiledNormalizer. KB-23109, KB-23082
The full_log field of raw DHCP logs was not correctly normalized by AgentXWindowsCompiledNormalizer.
The target_user field was missing in the normalized WindowsSecurityAuditing log with event ID 4767. KB-22426

Some DNS logs from a custom log-path were not properly normalized by AgentXWindowsCompiledNormalizer. 

KB-23135
The message field of raw SMB server logs was not properly normalized by AgentXWindowsCompiledNormalizer. KB-21895
Some Windows and Unix logs were not properly normalized by AgentXWindowsCompiledNormalizer and AgentXUnixCompiledNormalizer.  KB-22899

 

 

AgentXKB v1.2.2

Release Version: 1.2.2

Release Date: October 20, 2023

Supported On: Logpoint v7.1.0 and later

Download: AgentXKB_1.2.2.pak

SHA256: 4a6520e631a0a446cbc884a75da507633e874960effbaa19a54da9ab8b4f7826

Documentation: AgentX guide

Enhancements

Description

 Issue ID Reference ID
AgentXUnixCompiledNormalizer and AgentXWindowsCompiledNormalizer are now compliant with CNDP. KB-22120 -
AgentXWindowsCompiledNormalizer now normalizes ExchangeMT logs.  KB-20746

73714, 74120, 

76458, 76915
The agentx_label_event_source field is mapped as agentx_event_source in AgentXUnixCompiledNormalizer and AgentXWindowsCompiledNormalizer. KB-22155 -
Added a new Benchmark Summary widget in LP_AgentX - Security Configuration Assessment dashboard. KB-19236 -

Bug Fixes

The following issues are fixed:

Description

 Issue ID Reference ID
Some Windows, Linux and MSSQL logs were not properly normalized by AgentXWindowsCompiledNormalizer.  KB-22194, KB-22415 77451
The log_ts field of IIS logs was not correctly normalized by AgentXWindowsCompiledNormalizer.  KB-22503 -
Some fields of normalized MSSQL logs were dropped by AgentXWindowsCompiledNormalizer.  KB-22491 -
The log_ts field of DNS logs was not correctly normalized by AgentXWindowsCompiledNormalizer.  KB-22375 76113, 77678 

The data field of raw IIS logs was truncated before being normalized by AgentXWindowsCompiledNormalizer. 

 KB-22418 -

AgentXKB v1.2.0

Release Date: Aug 16 2023

Supported On: Logpoint v7.1.0 and later

Download: AgentXKB_1.2.0.pak

SHA256: 33e145ed66ebf638baa7c487c21ffae03d0c221b1b96f90494cffd4ea60dd156

Bug Fixes

The following issues are fixed:

Description

Issue ID

Reference ID

The following logs were not properly normalized by AgentXWindowsCompiledNormalizer.

Log Type

Event ID
Windows 7036

PowerShell

 800

WindowsSysmon

 13
KB-21152, KB-21213 -

The event_type field was missing in the normalized WindowsSecurityAuditing logs from AgentX with event IDs 4624, 4625, 4648, 4768, 4769, 4770, 4771, 4776, 4656, 4663 and 4664.

 KB-21513 75514 

The TargetImage and product fields were incorrectly mapped as target_image and application for AgentX Windows Sysmon events with event IDs 8, 1 and 7 by AgentXWindowsCompiledNormalizer.

 KB-21256 -
The details field was not properly parsed by AgentXWindowsCompiledNormalizer for AgentX Windows Sysmon events with event ID 13.  KB-21567 -
Some DNS and DHCP logs from a custom log-path were not properly normalized by AgentXWindowsCompiledNormalizer. 

KB-20742

73714, 

74120, 

74703

Custom logs were not properly normalized by AgentXWindowsCompiledNormalizer when custom normalization package was also used.

KB-20989

 74510, 74670 

 

AgentXKB v1.1.2

Release Version: 1.1.2

Supported On: Logpoint v7.1.0 and later

Download: AgentXKB_1.1.2.pak

SHA256: df31b09220972ab59ae6347784ef6a8cc98739b19daee1040871b3127af854f3

Bug Fix

Description

Issue ID

Reference ID
AgentXKB was unable to properly normalize osquery logs if its installation path was changed.  KB-20981 -

 

AgentXKB v1.1.0

Release Version: 1.1.0

Supported On: Logpoint v7.1.0 and later

Download: AgentXKB_1.1.0.pak

SHA256: 539f0f07f5ce9fcce246dbfd2741df582567394623698e1c1a2b6795e48e08db

 

Support

If you have any questions or require assistance, create a support ticket.

Best regards,

Logo_Dark.png

Comments

Article is closed for comments.

Related articles

  • AgentX Manager v1.4.5
  • AgentX Windows Installer v1.4.2
  • AgentX Server v1.4.2
  • Logpoint Agent Collector
  • Universal Normalizer
Was this article helpful?
0 out of 0 found this helpful
Privacy policy    EULA    Terms of service   
Copyright © , Logpoint. All rights reserved.