I'm working on a search over our Windows events to analyze the changes to permissions on files and directories:
index=wineventlog sourcetype="XmlWinEventLog:Security" (EventID=4670 OR EventID=4907) AND ObjectType="File"
A security descriptor (specifying the access rights) is part of these events and looks like this:
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)
In the reports and alerts I want to translate this to something a bit more readable. I have a PowerShell script which does exactly this and I would like to incorporate this into my search. Is this possible and how can I do this?
Thanks in advance,
Coen
You will want to create a streaming search command. Here's the link to the docs on that: http://dev.splunk.com/view/python-sdk/SP-CAAAEU2
Note that this is only commonly done in Python, so I would recommend using Python to read and write to Splunk, and then you can invoke your PowerShell.
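Since the streaming command will be Python anyway, the translation itself can be done there without shelling out to PowerShell. The following is an added example, not code from this thread or from Splunk: it parses the DACL form of SDDL shown in the question (the D: part only; owner/group sections and ACE flag names are not decoded) into readable lines that the command could write back into an event field. The SID alias and access-mask tables cover the well-known values seen in file events; anything else is shown raw.

```python
"""Translate the DACL part of an SDDL string into readable lines (example for this thread)."""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
               "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
               "AU": "NT AUTHORITY\\Authenticated Users", "CO": "CREATOR OWNER"}
# Two-letter SDDL right codes -> file access-mask bits (the subset needed here).
RIGHT_CODES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
               "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
               "GX": 0x20000000, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000}
# Permission sets as Windows Explorer names them, matched on the whole mask.
NAMED_MASKS = {0x1F01FF: "Full Control", 0x1301BF: "Modify",
               0x1200A9: "Read & Execute", 0x120089: "Read", 0x120116: "Write"}

def parse_rights(text):
    """Return the numeric access mask for a rights field (hex or SDDL codes)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):  # codes are always two letters
        mask |= RIGHT_CODES[text[i:i + 2]]  # KeyError on a code not in the table
    return mask

def describe_mask(mask):
    return NAMED_MASKS.get(mask, "custom mask 0x%X" % mask)

def translate_sddl(sddl):
    """Return one readable line per ACE, preceded by a note if inheritance is blocked."""
    if not sddl.startswith("D:"):
        raise ValueError("only DACL strings (D:...) are handled")
    head = sddl[2:sddl.find("(")] if "(" in sddl else sddl[2:]
    lines = []
    if "P" in head:  # P flag: the DACL is protected, nothing is inherited from the parent
        lines.append("DACL is protected: inheritance from the parent is blocked")
    for body in ACE_RE.findall(sddl):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")
        line = "%s %s: %s" % (ACE_TYPES.get(ace_type, ace_type),
                              SID_ALIASES.get(sid, sid), describe_mask(parse_rights(rights)))
        if flags:  # e.g. OICI = object-inherit + container-inherit, ID = inherited
            line += " (flags %s)" % flags
        lines.append(line)
    return lines

# Constructed sample: the descriptor quoted in the question above.
SAMPLE = ("D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-"
          "2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)")
```

The S-1-5-80-... SID is a service SID and is left as-is, since resolving it to a service name needs a lookup on the host.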