koolishami
Staff
September 26, 2024

Technical Tip: How to Edit WinOSXmlParser to Parse the ‘Target User’ for Event ID 4729

Description

This article describes how to modify the 'WinOSXmlParser' to parse the 'Target User' field for Event ID 4729. By default, the parser processes the 'Target User' for Event ID 4728 (which occurs when a member is added to a security-enabled global group) but does not handle Event ID 4729 (which logs when a member is removed from such a group).

Scope

FortiSIEM v7.2.2.

Solution

The parser 'WinOSXmlParser', located at ADMIN -> Device Support -> Parsers, processes logs containing Event ID 4728 as follows:

    <when test="$winEventId IN '4746, 4751, 4761, 4728, 4732, 4756, 4785, 4787'">
        <setEventAttribute attr="groupID">$_targetSid</setEventAttribute>
        <when test="exist _memberName">
            <setEventAttribute attr="_targetUser">$_memberName</setEventAttribute>
        </when>
    </when>

To include Event ID 4729 (for member removal) in the 'Target User' field, follow these steps:

  1. Go to ADMIN -> Device Support -> Parsers, locate 'WinOSXmlParser', and disable it.
  2. Select the disabled parser and create a clone.
  3. In the cloned parser, locate the line that lists the handled event IDs and add 4729 to it, so that it reads:

    <when test="$winEventId IN '4746, 4751, 4761, 4728, 4729, 4732, 4756, 4785, 4787'">

  4. Select ‘Validate’ to ensure the parser is correctly formatted.
  5. Use the test logs to verify the updated parser by selecting ‘Test’.
  6. If the test is successful, select ‘Back’ and save the parser.
  7. Enable the modified WinOSXmlParser parser.
  8. Confirm the changes by testing with live logs from the Windows environment.

With this change, the parser also populates the 'Target User' field for Event ID 4729, so members removed from a security-enabled global group are visible in the FortiSIEM logs.
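To check the effect of the edit before touching the production parser, the following added example (not FortiSIEM's own code) interprets the two `when` test forms used in the fragment above and runs them over constructed 4728/4729 events; it assumes the `IN` list is a comma-separated, whitespace-tolerant set of values, and the SID and account name are made-up sample data.

```python
# Added example (not FortiSIEM's own code): a tiny interpreter for the two <when test>
# forms in the WinOSXmlParser fragment above, so the effect of adding 4729 can be
# checked offline. Assumes the IN list is comma-separated and whitespace-tolerant.
import re
import xml.etree.ElementTree as ET
ORIGINAL = """<when test="$winEventId IN '4746, 4751, 4761, 4728, 4732, 4756, 4785, 4787'">
<setEventAttribute attr="groupID">$_targetSid</setEventAttribute>
<when test="exist _memberName">
<setEventAttribute attr="_targetUser">$_memberName</setEventAttribute>
</when>
</when>"""

def add_event_id(fragment, event_id):
    """Insert event_id after 4728 in the IN list, as step 3 does by hand (idempotent)."""
    if event_id in re.findall(r"\d+", fragment.split("\n", 1)[0]):
        return fragment
    return fragment.replace("4728,", f"4728, {event_id},", 1)

def _test_holds(test, event):
    """Evaluate the two test forms the fragment uses: "$var IN '...'" and "exist var"."""
    m = re.fullmatch(r"\$(\w+) IN '([^']*)'", test)
    if m:
        return str(event.get(m.group(1))) in {v.strip() for v in m.group(2).split(",")}
    m = re.fullmatch(r"exist (\w+)", test)
    if m:
        return m.group(1) in event
    raise ValueError(f"unsupported test: {test}")

def _apply(node, event, out):
    for child in node:
        if child.tag == "when" and _test_holds(child.get("test"), event):
            _apply(child, event, out)
        elif child.tag == "setEventAttribute":
            out[child.get("attr")] = event[child.text.lstrip("$")]  # "$_x" reads event["_x"]

def parse(fragment, event):
    """Return the attributes the fragment sets for one already-tokenised event."""
    root = ET.fromstring(fragment)
    out = {}
    if _test_holds(root.get("test"), event):
        _apply(root, event, out)
    return out

# Constructed sample events (not real log data): a 4728 add, a 4729 removal, and a
# 4729 removal without _memberName to exercise the inner "exist" guard.
ADD = {"winEventId": 4728, "_targetSid": "S-1-5-21-EXAMPLE-512", "_memberName": "CORP\\jdoe"}
REMOVE = dict(ADD, winEventId=4729)
REMOVE_NO_MEMBER = {"winEventId": 4729, "_targetSid": "S-1-5-21-EXAMPLE-512"}

if __name__ == "__main__":
    print(parse(ORIGINAL, REMOVE), parse(add_event_id(ORIGINAL, "4729"), REMOVE))
```

The stock fragment yields nothing for the 4729 event, while the patched one sets both `groupID` and `_targetUser`; a 4729 event with no member name still gets only `groupID`, because the inner `exist _memberName` guard is unchanged.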