Trying to look through the _internal logs in realtime to fire an alert if anyone tries to delete files with
All searches I try will find the search itself (thus always firing).
In 4.3 -
You can do the realtime alert on a rolling window, which gives you the opportunity to set a custom condition. In the custom condition, test for _time != now()
"now" is the time that the search started...
I am not sure that this will work, but I think it should...
Maybe wasn't clear. I can do the search the problem is that when I search for someone deleting data, the search itself is found. So i woudl get alerted every time.
Put a crazy string in your search, like so:
index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw
This will prevent your search from showing up in the results.
You might want to refine it a big using a regex to look for
| delete, etc.
Thx. I was using _internal, audit seems to work better;
index=_audit "action=search" search="*delete'" | table user info search
This is the search that I am going to run, seems to work with the caviot that there may be some false positives, which I am ok with.
This is the search I'm running to monitor for delete attempts:
index=audit sourcetype=audittrail "|" "delete" NOT "search='search index=audit"
I'm searching the index of _audit and the sourcetype of auditrail for | and delete. Then so that my searches for delete activity do not generate alerts, I exclude searches of searches that include delete.