Windows: How can I incorporate a PowerShell script into my search?

coenvandijk — Wed, 09 Aug 2017 11:03:20 GMT

I'm working on a search over our Windows events to analyze the changes to permissions on files and directories:
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventID=4670 OR EventID=4907) AND ObjectType="File"

A security descriptor (specifying the access rights) is part of these events and looks like this:
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)

In the reports and alerts I want to translate this to something a bit more readable. I have a powershell script which does exactly this and I would like to incorporate this into my search. Is this possible and how can I do this?

Thanks in advance,
Coen

Re: Windows: How can I incorporate a PowerShell script into my search?

David — Thu, 10 Aug 2017 03:29:16 GMT

You will want to create a streaming search command. Here's the link to the docs on that: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Note that this is only commonly done in Python, so I would recommend using Python to read and write to Splunk, and then you can invoke your powershell.

topic Re: Windows: How can I incorporate a PowerShell script into my search? in Getting Data In

Windows: How can I incorporate a PowerShell script into my search?

Re: Windows: How can I incorporate a PowerShell script into my search?