Splunk Search

Calculating file hashes and adding to events

grantlindley
New Member

Looking for the best way to implement the following use case:

Windows auditing is set up on a file share, so the addition of a file or an update to an existing file will create a Windows event 4663 with Accesses set to WriteData.

When Splunk detects such an event, I want to calculate the hash of the file and add it to the event log so that it will be accessible via Splunk searching. Alternatively, a new event could be created, as long as it has the timestamp, file path and name, and the hash value.

We have a simple Splunk setup with a single Splunk server and currently only universal forwarders. The file share is accessible from the Splunk server, so the file hash could be calculated on the Splunk server itself. Alternatively, the hash could be calculated on the server with the file share, if that is easier.

I can't have a long time between the file addition/update and the calculation of the hash; less than a minute, ideally.

0 Karma

jplumsdaine22
Influencer

Do you want the hash of the file or the hash of the filename? The filename you can hash easily enough like | eval hash=md5(filename_field). There shouldn't be a need to index that - you can run it at search time.

If you want to calculate the hash of the file itself, you'll need to do that with a scripted input - the universal forwarder by itself won't pull that from the event log (unless there is a Windows event that contains that information).

There are most likely many answers on here about the best way to do malware monitoring - also check out the channel #security on the Splunk slack for more advice

0 Karma
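One way to wire up the script the answer above calls for, as an added example that is not code from the thread or from Splunk: a saved search on EventCode=4663 with Accesses=WriteData triggers an alert script, the script reads the alert's result rows, hashes each referenced file in chunks and prints one key=value line per file for Splunk to index alongside the original event. The field name Object_Name, the use of SPLUNK_ARG_8 for the results file and the sample rows are assumptions; a file that is deleted, locked or still being written by the time the alert fires is reported with hash_status=unreadable rather than crashing the script.

```python
# Added example (not from the original thread): a scripted hasher that a
# Splunk alert on EventCode=4663 / Accesses=WriteData could invoke. It reads
# the alert's result rows, hashes each referenced file and prints one
# key=value event per file for Splunk to index. Assumptions are marked.
import csv
import gzip
import hashlib
import os
import sys
import tempfile
import time


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Return the hex digest of a file, or None if it cannot be read.

    Files on a busy share may be gone, locked or half-written when the
    alert fires, so read failures are reported instead of raised.
    """
    digest = hashlib.new(algorithm)
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def build_event(event_time, path, algorithm="sha256"):
    """Build one Splunk-friendly key=value line for a file.

    event_time is the epoch time of the originating 4663 event so the hash
    event lines up with it in searches; hash_status records read failures.
    """
    digest = hash_file(path, algorithm)
    status = "ok" if digest is not None else "unreadable"
    return (
        f'time={event_time} object_name="{path}" '
        f"hash_algorithm={algorithm} file_hash={digest or ''} hash_status={status}"
    )


def events_from_results(results_path, path_field="Object_Name", time_field="_time"):
    """Yield a hash event for every row of a gzipped Splunk results CSV.

    Assumption: Object_Name is the field holding the 4663 file path in your
    extraction; adjust the name to match your Windows data.
    """
    with gzip.open(results_path, "rt", newline="") as fh:
        for row in csv.DictReader(fh):
            path = row.get(path_field, "")
            if not path:
                continue
            event_time = row.get(time_field) or int(time.time())
            yield build_event(event_time, path)


def demo():
    """Constructed sample input: one readable file and one missing path."""
    tmp_dir = tempfile.mkdtemp()
    sample = os.path.join(tmp_dir, "report.txt")
    with open(sample, "wb") as fh:
        fh.write(b"hello world\n")
    missing = os.path.join(tmp_dir, "gone.txt")  # never created on purpose
    results = os.path.join(tmp_dir, "results.csv.gz")
    with gzip.open(results, "wt", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["_time", "Object_Name"])
        writer.writerow(["1700000000", sample])
        writer.writerow(["1700000001", missing])
    return list(events_from_results(results))


if __name__ == "__main__":
    # Assumption: legacy Splunk alert scripts receive the results file path
    # in SPLUNK_ARG_8; a path can also be passed explicitly for testing.
    results = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SPLUNK_ARG_8")
    if not results:
        for line in demo():
            print(line)
        sys.exit(0)
    for line in events_from_results(results):
        print(line)
```

Run with no arguments to see the constructed demo output. Scheduling the saved search every minute keeps the gap between the write and the hash under the one-minute target from the question; the printed lines can be routed to an index through the alert script's stdout or written to a file picked up by a monitor input, and a search on hash_status=unreadable shows which writes were missed and need a re-hash.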