What can be done in order to aggregate using the Destination_filename field that is not default indexed and is not usable in the Aggregation settings for a specific parser rule? I'm trying to aggregate file audit events from Windows Security logs and I'd like to use "Source User" and "Destination_filename" for aggregation, but "Destination_Filename" is not displayed in the drop-down menu.
You can create a custom ASP rule with a new custom type created by you which is indexed. Unfortunately you will have to use an agent like Snare to send events via syslog because our SIEM Collector supports syslog only for Custom SQL module.
Another idea is to aggregate on Object but this way you won't have a full path of your file and this could lead to an incorrect aggregation.
Creating a custom ASP means rewriting the whole WMI parser and I really don't want to do that.
I don't remember seeing the Object field populated... only the destination_filename was written with data.
As for the WMI parser you don't have to write ASP rules for each Windows Event, just for the events which have a Destination_Filename inside.
Object field should be populated. Look into Signature ID 43-263046630. A closer look at the event in raw format will show that object is derived from Destination_filename.
Well, I've checked and Object is not populated. The signature ID I use is 43-263051450 (A network share object was checked to see whether the client can be granted desired access.). This is what I use to get the full details of a file accessed through a network share. The signature you specified doesn't trigger when I just open a file, only when I delete it or create a new file, I think (I saw just a couple of events with that signature).
I don't know why, but each file access generates 2 Windows file audit records in the scenario I'm using now, and aggregation would let me reduce this to 1 as it should be.