Getting Data In

Whitelist Query

ryanadamski
Loves-to-Learn Lots

Hello,

I am ingesting file auditing logs to monitor changes to certain files. I am monitoring events 4663 and 4656 which have an Object Name that lists the file path of the accessed file. We are only concerned about .pdf, .doc, and .docx files and would like to filter out any other file type.

Currently I have the below whitelist in place but I am getting stuck trying to figure out how to only ingest certain file types (.pdf, .doc, and .docx) under the Object Name field within the log. 

whitelist = 4663,4656

Here is a log 4663 example (I bolded the part we want to filter): 

 An attempt was made to access an object.

Subject:
Security ID: Test User
Account Name: Test User
Account Domain: Test
Logon ID: 12345567

Object:
Object Server: Security
Object Type: File
Object Name: D:\Data\Test\Test.pdf
Handle ID: 0x0552

Any help would be great. Thank you.

Labels (3)
0 Karma

ericjorgensenjr
Path Finder

You can send events that don't match one of those document types to the nullQueue using props/transforms like these:

props.conf

[<name of relevant sourcetype>]
TRANSFORMS-nullobject=nullobject

transforms.conf

[nullobject]
REGEX=Object\sName:\s+[^\.]+\.(?:(?i)(?:pdf)|(?:doc)|(?:docx))$
DEST_KEY=queue
FORMAT=nullQueue

 

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...