
Windows: How can I incorporate a PowerShell script into my search?


I'm working on a search over our Windows events to analyze the changes to permissions on files and directories:
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventID=4670 OR EventID=4907) AND ObjectType="File"

A security descriptor (specifying the access rights) is part of these events and looks like this:

In the reports and alerts I want to translate this to something a bit more readable. I have a PowerShell script which does exactly this and I would like to incorporate this into my search. Is this possible, and how can I do this?

Thanks in advance,

0 Karma

Splunk Employee

You will want to create a streaming search command. Here's the link to the docs on that:

Note that this is only commonly done in Python, so I would recommend using Python to read and write to Splunk, and then you can invoke your PowerShell.

0 Karma
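As an added example (not code from the original thread or from Splunk), here is the shape of the streaming command the answer describes, written so it runs offline. The translation of the security descriptor is done directly in Python (parsing the SDDL string that events 4670/4907 carry) instead of shelling out to the asker's PowerShell script; the `stream()` function has the same contract as `StreamingCommand.stream()` in the Splunk SDK for Python (take event dicts in, yield them back with a new field), so a `subprocess` call to the PowerShell script could be dropped in at the same point. The field names `NewSd`/`NewSd_readable`, the sample descriptor and the subset of well-known SID abbreviations are assumptions made for this example.

```python
"""Translate SDDL security descriptors from Windows security events into readable text.

Added example for the thread above, not Splunk code. To host it as a real streaming
command you would subclass splunklib.searchcommands.StreamingCommand, put the body of
stream() below into its stream() method, and call dispatch() from the script's __main__.
"""
import re

# Well-known SID abbreviations used in SDDL (a subset; assumption: enough for file ACLs)
WELL_KNOWN_SIDS = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone", "CO": "CREATOR OWNER",
    "DA": "Domain Admins", "DU": "Domain Users",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "AL": "Alarm"}
ACE_FLAGS = {"CI": "container-inherit", "OI": "object-inherit", "NP": "no-propagate",
             "IO": "inherit-only", "ID": "inherited", "SA": "audit-success", "FA": "audit-failure"}
# Two-letter rights codes; note "WD" here means WRITE_DAC, while "WD" as a SID means Everyone
GENERIC_RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
                  "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
                  "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "FA": "FILE_ALL_ACCESS",
                  "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE"}
# File access-mask bits, used when SDDL carries a raw hex mask such as 0x1200a9
FILE_RIGHT_BITS = [
    (0x1, "READ_DATA"), (0x2, "WRITE_DATA"), (0x4, "APPEND_DATA"), (0x8, "READ_EA"),
    (0x10, "WRITE_EA"), (0x20, "EXECUTE"), (0x40, "DELETE_CHILD"), (0x80, "READ_ATTRIBUTES"),
    (0x100, "WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]

SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O:, G:, D:, S: sections
ACE_RE = re.compile(r"\(([^)]*)\)")                        # each (...) is one ACE


def _two_char_codes(s):
    """SDDL packs flags and rights as concatenated two-letter codes."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def decode_rights(rights):
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in FILE_RIGHT_BITS if mask & bit] or [rights]
    return [GENERIC_RIGHTS.get(c, c) for c in _two_char_codes(rights)]


def decode_sid(sid):
    return WELL_KNOWN_SIDS.get(sid, sid)  # full S-1-5-... SIDs are passed through


def parse_ace(ace):
    parts = ace.split(";")
    if len(parts) < 6:
        raise ValueError("malformed ACE: " + ace)
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts[:6]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in _two_char_codes(flags)],
            "rights": decode_rights(rights), "trustee": decode_sid(sid)}


def parse_sddl(sddl):
    result = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl": []}
    for key, body in SECTION_RE.findall(sddl.strip()):
        if key == "O":
            result["owner"] = decode_sid(body)
        elif key == "G":
            result["group"] = decode_sid(body)
        else:
            aces = [parse_ace(a) for a in ACE_RE.findall(body)]
            if key == "D":
                result["dacl_flags"] = body.split("(", 1)[0]  # e.g. P, AI, AR
                result["dacl"] = aces
            else:
                result["sacl"] = aces
    return result


def describe_ace(ace):
    flag_text = " [" + ", ".join(ace["flags"]) + "]" if ace["flags"] else ""
    return ace["type"] + " " + ace["trustee"] + ": " + ", ".join(ace["rights"]) + flag_text


def translate_sddl(sddl):
    d = parse_sddl(sddl)
    lines = []
    if d["owner"]:
        lines.append("Owner: " + d["owner"])
    if d["group"]:
        lines.append("Group: " + d["group"])
    for acl in ("dacl", "sacl"):
        if d[acl]:
            lines.append(acl.upper() + ":")
            lines.extend("  " + describe_ace(a) for a in d[acl])
    return "\n".join(lines)


def stream(records, field="NewSd", out_field="NewSd_readable"):
    """Same contract as StreamingCommand.stream(): consume event dicts, yield them enriched.
    Field names are assumptions; check the XML field names of your 4670 events."""
    for record in records:
        sddl = record.get(field)
        if sddl:
            try:
                record[out_field] = translate_sddl(sddl)
            except ValueError as exc:
                record[out_field] = "unparseable: " + str(exc)  # keep the event, flag the problem
        yield record


# Constructed sample descriptor of the kind seen in a 4670 event (not taken from the thread)
SAMPLE_SDDL = ("O:BAG:SYD:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(D;;WD;;;WD)"
               "(A;;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1105)S:AI(AU;SAFAID;FA;;;WD)")

if __name__ == "__main__":
    for event in stream([{"EventID": "4670", "NewSd": SAMPLE_SDDL}]):
        print(event["NewSd_readable"])
```

The hex mask is decoded bit by bit, so a descriptor such as `0x1200a9` becomes the familiar read-and-execute set rather than an opaque number, and a Deny ACE on Everyone stands out in the rendered lines. Events whose descriptor cannot be parsed are still passed downstream with a marker field, which matters for an alerting search: a permissions change should never be silently dropped because the command could not decode it.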