Parameter translation in an SGBox pattern
This article explains how to configure the Translate parameter feature in SGBox.
When events are ingested, some of their parameters can be displayed through 'aliases'. In this section you define the parameters and their corresponding aliases in a table and then associate that table with a parameter defined in the event (pattern).
For example, you can translate the logon type parameter of Windows EventID 4624 (a logon to the Windows server):
10 | Remote Desktop
2 | Interactive
or, for another parameter:
0xc0000234 | User logon with account locked
0xc000006e | Unknown user name or bad password
It is also possible to upload files containing parameter > alias associations.
Note: the uploaded files must be text files in which each line contains two strings separated by a tab character: the first string is the parameter value as read from the events, the second is the alias that will be displayed. For example:
eth0<TAB>Internal network
eth1<TAB>WAN
The menu item for parameter translations is found under SGBox>LM>Configuration>Pattern>Translate Parameters. To translate the parameters you have to:
Create a new file: type LogonType in the "values" field, enter the meaning of each code in the "translate" field, then save the file.
Once the values are translated, open the pattern [SGAgent] (4624) Logon OK for modification.
Under the "translate parameters" item, click "choose from the list", assign the file you just created, and save the modification of the pattern.
From then on, in the Classes/Patterns Analysis the "Logon type" parameter of subsequent logs will no longer be displayed as logon type "10" but translated as "Remote Desktop".
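To illustrate the translation file format described in the note above and the LogonType translation applied in the procedure, here is an added Python example (not SGBox code). It parses a constructed "parameter<TAB>alias" file, reports malformed lines instead of silently dropping them, and applies the table to a constructed 4624 event; the event field names and the exact-match lookup are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of a translation file in the documented format:
# one "parameter<TAB>alias" pair per line. Values are made up for this example.
SAMPLE_TRANSLATION_FILE = (
    "10\tRemote Desktop\n"
    "2\tInteractive\n"
    "3\tNetwork\n"
    "\n"            # blank line: ignored
    "7 Unlock\n"    # malformed: a space instead of a TAB, reported and skipped
)

def parse_translation_file(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse "parameter<TAB>alias" lines into a lookup table.

    Returns (table, errors). Blank lines are ignored; a line that does not
    split into exactly two non-empty TAB-separated fields is recorded in
    errors so a broken upload is noticed rather than losing aliases.
    """
    table: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 2 or not fields[0] or not fields[1]:
            errors.append(f"line {lineno}: expected 'parameter<TAB>alias', got {line!r}")
            continue
        table[fields[0]] = fields[1]
    return table, errors

def translate_event(event: Dict[str, str], field: str,
                    table: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the event with `field` replaced by its alias.

    Lookup is an exact string match (assumed). A value with no alias is
    kept as-is so that no information is lost in the display.
    """
    translated = dict(event)
    value = event.get(field)
    if value is not None:
        translated[field] = table.get(value, value)
    return translated

# Constructed 4624 event as a parsed dict; field names are hypothetical.
SAMPLE_4624 = {"EventID": "4624", "TargetUserName": "jdoe", "LogonType": "10"}

if __name__ == "__main__":
    aliases, problems = parse_translation_file(SAMPLE_TRANSLATION_FILE)
    print(problems)
    print(translate_event(SAMPLE_4624, "LogonType", aliases))
```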