I think I'm close on this, but I'm missing something.
I have events forwarding to my indexer from MS SQL Audit via WinEventLog:Application. A number of fields are not being automatically extracted, so I'm relying on rex to pull out the values I need for an alert. There is a large, multi-line field called "Message" which contains all the values I need. Within "Message" are other values like object_name, database_name, user_name, etc. I have no trouble pulling the values I need into a search and creating a table, but I'm not clear on how to use a rex-returned value as a condition to trigger an alert.
The alert is only required if object_name:table1 or object_name:table2, and only if the "statement" value is alter, create, delete, etc.
Partial Search String (outputs values to a table - not shown)
index=SQLAUDIT ComputerName=SERVER12
| search Message (statement:alter OR statement:create OR statement:delete OR statement:drop OR statement:exec OR statement:insert OR statement:select OR statement:update)
| eval "Date - Time"=strftime(_time,"%F - %T")
| rex field=Message "(?m)^object_name:(?<TableID>[^\r\n]*)"
| rex field=Message "(?m)^statement:\s*(?<AlertType>\w+)"
| rex field=Message "(?m)^database_name:(?<DBN>[^\r\n]*)"
Data Sample
Message=Audit event: event_time:2017-06-14 12:58:53.7376885
sequence_number:1
action_id:SL
succeeded:true
permission_bitmask:1
is_column_permission:true
session_id:79
server_principal_id:2
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:1201906778
class_type:U
session_server_principal_name:DOMAIN\USER1234
server_principal_name:DOMAIN\USER1234
server_principal_sid:010500000000000567890093a2a241345661e2f43170a32821c0000
database_principal_name:public
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:SERVER12\DBMSSQL
database_name:DB_NAME1
schema_name:db19
object_name:table_1
statement:select top 100 a.* , b.*
from tableClosed a,
table_1 b
where a.flngAccountKey = b.flngAccountKey
and a.fstrCaseType = 'TRPHD'
...
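The following search is an added example, not part of the original post, showing how to turn the rex-extracted values into the alert condition. It assumes the Message field carries one key:value pair per line as in the data sample above, that "table1" and "table2" are placeholders for the real object names (the sample shows "table_1"), and that the search is saved as an alert that triggers when the number of results is greater than 0.

```spl
index=SQLAUDIT ComputerName=SERVER12
| rex field=Message "(?m)^database_name:(?<DBN>[^\r\n]*)"
| rex field=Message "(?m)^object_name:(?<TableID>[^\r\n]*)"
| rex field=Message "(?m)^server_principal_name:(?<Principal>[^\r\n]*)"
| rex field=Message "(?m)^statement:\s*(?<AlertType>\w+)"
| eval AlertType=lower(AlertType), TableID=lower(TableID)
| where (TableID="table1" OR TableID="table2")
    AND match(AlertType, "^(alter|create|delete|drop|exec|insert|select|update)$")
| eval "Date - Time"=strftime(_time,"%F - %T")
| table "Date - Time" ComputerName DBN TableID AlertType Principal
```

The `(?m)^` anchor makes each rex match only at the start of a line inside the multi-line Message, so `object_name:` cannot match inside a longer key, and `[^\r\n]*` stops the capture at the end of that line whether the line ending is CRLF or LF. `\s*(\w+)` captures only the first word of the statement (here `select`), which is what the condition needs; `where` then filters on the extracted fields, and a saved alert on this search with the trigger condition "number of results > 0" fires only for the listed tables and statement types. One caveat: a statement that begins with a comment, a DECLARE, or a parameter list will not start with the verb, so if those turn up in practice the action_id value in the same Message (SL for SELECT in the sample) is a more reliable signal than the first word of the statement text.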