All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to track Hash changes of files with sysmon input (tracking change in results with daily reports)?

mbrownec
Explorer
‎04-27-2016 06:14 AM

Hello,

I've configured the "Add-on for Microsoft Sysmon" (https://splunkbase.splunk.com/app/1914/) and would like to understand how to produce a change report from one day to the next.

For instance, right now I run the following query per day and have a report delivered.

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 | dedup Hashes | table Hashes Image ParentImage

It isn't of much use, as this just tends to show the same information with every delivery (as it should).

What I'd like to do is produce a report that compares one day to the next and list differences. This would help answer questions like: Did the hash for c:\windows\system32\svchost.exe change? Is there an svchost.exe that has a different hash than one seen before?

I'd love to get to a point where I could have real time alerting:

  • when the Hash changes but Image stays the same (and correlate to a Windows Update within some period of time).
  • when a ParentImage changes, but Image stays the same (at least for system processes)

Are either of the above possible?

0 Karma
Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎08-26-2016 02:06 AM

You could do a subsearch where your search and subsearch are basically the same thing with the subsearch having earlier and latest defined in it so you can time bound that search on a different subset of the data. From there, you would use the join type=left (or outer, they work the same way) .

It might look something like this:

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 earliest=-48h@h latest=-24h@h  | dedup Hashes | table Hashes Image ParentImage |join Hashes type=outer [sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 earliest=-24h@h latest=-0h@h | dedup Hashes | table Hashes Image ParentImage]

I will caveat this to say I haven't test this and you may need to rearrange the searches to get the outer join to return the data you want. In fact you may end up having a couple of searches to match the permutations, but hopefully this is a start.

Not sure if you were also looking to make that daily report a lookup but if so, you canuse the | outputlookup to write each day into a lookup and then use the | inputlookup to take the previous day value and compare to today's value.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...