Re: Windows: How can I incorporate a PowerShell sc...

coenvandijk · ‎08-09-2017

I'm working on a search over our Windows events to analyze the changes to permissions on files and directories:
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventID=4670 OR EventID=4907) AND ObjectType="File"

A security descriptor (specifying the access rights) is part of these events and looks like this:
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)

In the reports and alerts I want to translate this to something a bit more readable. I have a powershell script which does exactly this and I would like to incorporate this into my search. Is this possible and how can I do this?

Thanks in advance,
Coen

David · ‎08-09-2017

You will want to create a streaming search command. Here's the link to the docs on that: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

Note that this is only commonly done in Python, so I would recommend using Python to read and write to Splunk, and then you can invoke your powershell.

Windows: How can I incorporate a PowerShell script into my search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation