Parameter translation

Parameter translation in a SGBox pattern

This article explains how to configure the Translate parameter feature in SGBox.
When events are submitted, it is possible to display some parameters through their ‘aliases’. In this section you can specify the parameters and the corresponding aliases in a table and then associate it with a parameter defined in the event (pattern).
For example, you can translate the logon type parameter of Windows Event ID 4624 (connection to the Windows server):

10 Remote Desktop
2 Interactive

or

0xc0000234 User logon with account locked
0xc000006e Unknown user name or bad password

It is also possible to upload files containing parameter > alias associations.
Note: the files must be text files in which each line contains two strings separated by a tab character (<TAB>); the first string is the parameter as read from the events and the second is the alias that will be displayed. For example:

eth0<TAB>Internal network
eth1<TAB>WAN
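
The following Python linter for such a file is an added example, not part of SGBox or of the original article; it checks the tab-separated format before upload. The function name, the constructed sample data, and the rules that blank lines are skipped and duplicate parameters are rejected are assumptions of this example.

```python
"""Lint an SGBox translation file: one "parameter<TAB>alias" pair per line."""
import sys


def lint_translation(text):
    """Return (mapping, problems) for the content of a translation file."""
    mapping, problems = {}, []
    # Drop a UTF-8 byte order mark if the editor added one.
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines are skipped (assumption of this linter)
        fields = raw.split("\t")
        if len(fields) != 2:
            problems.append(
                (lineno, f"expected 2 tab-separated fields, found {len(fields)}"))
            continue
        param, alias = (f.strip() for f in fields)
        if not param or not alias:
            problems.append((lineno, "empty parameter or alias"))
        elif param in mapping:
            problems.append((lineno, f"duplicate parameter {param!r}"))
        else:
            mapping[param] = alias
    return mapping, problems


# Constructed sample: the last three lines are deliberately malformed.
SAMPLE = (
    "10\tRemote Desktop\n"
    "2\tInteractive\n"
    "eth0 Internal network\n"   # space instead of a tab
    "2\tConsole\n"              # parameter already defined above
    "eth1\t\n"                  # alias missing
)

if __name__ == "__main__":
    # Lint the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE
    mapping, problems = lint_translation(text)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print(f"{len(mapping)} valid translations")
    sys.exit(1 if problems else 0)
```
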

The menu item for parameter translations is under SGBox>LM>Configuration>Pattern>Translate Parameters. To translate the parameters, proceed as follows:
Open a new file: in the “values” field type the LogonType, in “translate” type the meaning of the code, then save the file.

Once you have translated the values, edit the pattern [SGAgent] (4624) Logon OK.

Under the item “translate parameters”, click “choose from the list” and assign the file, then save the change to the pattern.

Once this is done, in subsequent logs shown in the Classes/Patterns Analysis the parameter “Logon type” will no longer be displayed as logon type “10” but translated as “Remote Desktop”.