Transaction ends and begins with same code- How to...

michaeler · ‎04-12-2021

I'm trying to differentiate between cd burns and cd read codes from Window Event Viewer using WinZipBurn. From what I've seen, a cd burn will generate event codes 1001, 1003, 1004, and then 1001 again in WinEventLog:Application. Reading from a cd will just generate code '1001.'

I'm trying to create a report that will determine if the sequence 1001, 1003, 1004, 1001 occurs within a 10 minute span. I'm not great with transactions so I'm sure there is an error. The following is what I tried:

sourcetype=WinEventLog:Application WinZipBurn
| transaction Account_Name maxspan=10m maxpause=3m
startswith=eval(EventCode="1001")
endswith=eval(EventCode="1001")

I don't think it can tell the difference between the first one and the last. In EventViewer, there is more info that says the cd is blank vs finalized but Splunk isn't pulling it over. 1003 and 1004 are error codes that I'm not sure what for but they only occur in the middle of a burn.

lenguyening · ‎03-03-2023

I came across this post during my searches for Roxio/WinZip SecureBurn event codes. From my research I have found that this is what each event code means, based off the additional text contained in the Windows Event log:

1001: Blank disk inserted
1003: Writing event started (can correlate with Windows System logs, EVID 133, look for 'cdrom' in the log)
1004: Disk burned, finalized. Key terms from data fields to look for are "Finalized,Closed session"

I have not been able to consistently replicate event 1001 at the beginning and end of the event, but I can consistently replicate event 1003 and 1004, so I've decided to focus on those.

Hope that helps someone!

Transaction ends and begins with same code- How to differentiate?

transaction

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector