Getting Data In

Whitelist Query

ryanadamski
Engager

Hello,

I am ingesting file auditing logs to monitor changes to certain files. I am monitoring events 4663 and 4656 which have an Object Name that lists the file path of the accessed file. We are only concerned about .pdf, .doc, and .docx files and would like to filter out any other file type.

Currently I have the below whitelist in place but I am getting stuck trying to figure out how to only ingest certain file types (.pdf, .doc, and .docx) under the Object Name field within the log. 

whitelist = 4663,4656

Here is a log 4663 example (I bolded the part we want to filter): 

 An attempt was made to access an object.

Subject:
Security ID: Test User
Account Name: Test User
Account Domain: Test
Logon ID: 12345567

Object:
Object Server: Security
Object Type: File
Object Name: D:\Data\Test\Test.pdf
Handle ID: 0x0552

Any help would be great. Thank you.

Labels (3)
0 Karma

ericjorgensenjr
Path Finder

You can send events that don't match one of those document types to the nullQueue using props/transforms like these:

props.conf

[<name of relevant sourcetype>]
TRANSFORMS-nullobject=nullobject

transforms.conf

[nullobject]
REGEX=Object\sName:\s+[^\.]+\.(?:(?i)(?:pdf)|(?:doc)|(?:docx))$
DEST_KEY=queue
FORMAT=nullQueue

 

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...