Alerting

Can I set an alert in splunk where the event id is 4663, with this object specifications?

akim08
Engager

Object:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume54\Tax\Confidential
Handle ID: 0x1110
Resource Attributes: S:AI

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @akim08,
could you share an example of your logs?
you have to extract the fields in a multiline log (Windows eventlogs), I use anothen eventcode and my windows is in italian, but the approach is the correct one:
e.g. if you have something like this

02/11/2020 04:23:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Informazioni
ComputerName=DESKTOP-KBVMP9Q
TaskCategory=Logon
OpCode=Informazioni
RecordNumber=206682
Keywords=Controllo riuscito
Message=Accesso di un account riuscito.

Soggetto:
    ID sicurezza:       S-1-5-18
    Nome account:       DESKTOP-KBVMP9Q$
    Dominio account:        WORKGROUP
    ID accesso:     0x3E7

and you want to extract ID_sicurezza, Nome_account and ID_accesso, you shuld use a multiline regex like this:

(?ms)ID sicurezza:\s+(?<ID_sicurezza>[^ ]*)\s*Nome account:\s+(?<Nome_account>[^ ]*)Dominio.*\s+ID accesso:\s+(?<ID_accesso>[^ ]*)

that you can test at https://regex101.com/r/KCuFj4/1

Ciao.
Giuseppe

View solution in original post

akim08
Engager

alt text

I tried creating a search like this:

sourcetype=WinEventLog:Security EventCode=4663 0x1110 "S:AI" "\Device\HarddiskVolume54\Tax\Confidential" File

I think there might be a better way.

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @akim08,
could you share an example of your logs?
you have to extract the fields in a multiline log (Windows eventlogs), I use anothen eventcode and my windows is in italian, but the approach is the correct one:
e.g. if you have something like this

02/11/2020 04:23:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Informazioni
ComputerName=DESKTOP-KBVMP9Q
TaskCategory=Logon
OpCode=Informazioni
RecordNumber=206682
Keywords=Controllo riuscito
Message=Accesso di un account riuscito.

Soggetto:
    ID sicurezza:       S-1-5-18
    Nome account:       DESKTOP-KBVMP9Q$
    Dominio account:        WORKGROUP
    ID accesso:     0x3E7

and you want to extract ID_sicurezza, Nome_account and ID_accesso, you shuld use a multiline regex like this:

(?ms)ID sicurezza:\s+(?<ID_sicurezza>[^ ]*)\s*Nome account:\s+(?<Nome_account>[^ ]*)Dominio.*\s+ID accesso:\s+(?<ID_accesso>[^ ]*)

that you can test at https://regex101.com/r/KCuFj4/1

Ciao.
Giuseppe

akim08
Engager

@gcusello can you take a look?

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @akim08,
try this:

(?ms)Subject:.*Logon ID:\s+(?<Logon_ID>[^ ]*)\s+Object.*Object Type:\s+(?<Object_Type>\w+)\s+Object Name:\s+(?<Object_Name>[^ ]*).*Resource Attributes:\s+(?<Resource_Attributes>[^ ]*)\s+ Process Information:

(if you can share the example in text I can use regex101 to show you the regex).
When you have the fields you can create your filters.

Ciao.
Giuseppe

0 Karma

akim08
Engager

Hey @gcusello, Do i have to do it this way? I just extracted the fields and they are already there, i.e. Object_Name, Object_Type. But when I try Object_Name = C:\Windows\System32\dhcp\j50tmp.log .....it will not search for that item.

I can search other items such as:
Object_Type = File
Object_Server = Security

But not the Object_Name.

I am trying to create an alert where It will alert me with those categories in mind.

Thanks.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @akim08,
did you tried to use quotes?

Object_Name = "C:\Windows\System32\dhcp\j50tmp.log"

otherwise try

Object_Name = "C:\\Windows\\System32\\dhcp\\j50tmp.log"

Ciao.
Giuseppe

0 Karma

akim08
Engager

@gcusello i now used quotes, and it seems to work.

I am wondering if this will work here as my search request and save as an alert:

sourcetype=WinEventLog:Security EventCode=4663 Object_Type=File Object_Server=Security Object_Name="\Device\HarddiskVolume54\Tax\Confidential" Handle_ID=0x1110 Resource_Attributes="S:AI"

This is my final answer...haha

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @akim08,
I'm happy for you!
if you're satisfied, please, acceèt and/or upvote it for the other people of Community.

Ciao and Next Time.
Giuseppe

0 Karma

akim08
Engager

@gcusello i believe the double \ worked!

Now I am hoping that this is the correct syntax to search an alert such as this one.

0 Karma

akim08
Engager

i did this:

sourcetype=WinEventLog:Security EventCode=4663 Handle_ID=0x8dc host=PR-MA49DHCP01 Object_Type=File Object_Server=Security

0 Karma

gcusello
SplunkTrust
SplunkTrust

You can use your idea using the Splunk full text search features but it's very slow, so you should see how many events you have.

Ciao.
Giuseppe

0 Karma

akim08
Engager

@gcusello i see, so doing it that way will slow things down

0 Karma

akim08
Engager

Please see below gcusello

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...