Getting Data In

Whitelist Query



I am ingesting file auditing logs to monitor changes to certain files. I am monitoring events 4663 and 4656 which have an Object Name that lists the file path of the accessed file. We are only concerned about .pdf, .doc, and .docx files and would like to filter out any other file type.

Currently I have the below whitelist in place but I am getting stuck trying to figure out how to only ingest certain file types (.pdf, .doc, and .docx) under the Object Name field within the log. 

whitelist = 4663,4656

Here is a log 4663 example (I bolded the part we want to filter): 

 An attempt was made to access an object.

Security ID: Test User
Account Name: Test User
Account Domain: Test
Logon ID: 12345567

Object Server: Security
Object Type: File
Object Name: D:\Data\Test\Test.pdf
Handle ID: 0x0552

Any help would be great. Thank you.

Labels (3)
0 Karma

Path Finder

You can send events that don't match one of those document types to the nullQueue using props/transforms like these:


[<name of relevant sourcetype>]




0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...