Aggregation for custom types

Hi,

What can be done in order to aggregate using the Destination_filename field, which is not indexed by default and is not usable in the Aggregation settings for a specific parser rule? I'm trying to aggregate file audit events from Windows Security logs and I'd like to use "Source User" and "Destination_filename" for aggregation, but "Destination_Filename" is not displayed in the drop-down menu.

Best regards,

Mihai

0 Kudos
6 Replies
abanaru
Level 11

Re: Aggregation for custom types

You can create a custom ASP rule with a new custom type created by you which is indexed. Unfortunately you will have to use an agent like Snare to send events via syslog because our SIEM Collector supports syslog only for Custom SQL module.

Another idea is to aggregate on Object but this way you won't have a full path of your file and this could lead to an incorrect aggregation.

0 Kudos

Re: Aggregation for custom types

Creating a custom ASP means rewriting the whole WMI parser, and I really don't want to do that.

I don't remember seeing the Object field populated... only the destination_filename was written with data.

0 Kudos
abanaru
Level 11

Re: Aggregation for custom types

As for the WMI parser you don't have to write ASP rules for each Windows Event, just for the events which have a Destination_Filename inside.

Object field should be populated. Look into Signature ID 43-263046630. A closer look at the event in raw format will show that object is derived from Destination_filename.

0 Kudos

Re: Aggregation for custom types

Well, I've checked and Object is not populated. The signature ID I use is 43-263051450 (A network share object was checked to see whether the client can be granted desired access.). This is what I use to get the full details of a file accessed through a network share. The signature you specified doesn't trigger when I just open a file, only when I delete it or create a new file, I think (I saw just a couple of events with that signature).

I don't know why, but each file access generates 2 Windows file audit records in the scenario I'm using now, and aggregation would let me reduce this to 1 as it should be.

0 Kudos
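As an added illustration of two points in this thread, the doubled audit records per file access and abanaru's warning that aggregating on Object (no full path) can merge distinct files, here is a small Python script that is not from the thread or from the SIEM product. The event records, the field names and the derivation of Object as the file's basename are constructed assumptions.

```python
"""Aggregate Windows file-share audit events by chosen key fields."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (not real log data): two different files that
# share a basename, each access reported twice as in the original post.
EVENTS = [
    {"time": "2014-05-01T10:00:00", "source_user": "CORP\\mihai",
     "destination_filename": r"\\fs01\finance\Q1\report.xlsx"},
    {"time": "2014-05-01T10:00:01", "source_user": "CORP\\mihai",
     "destination_filename": r"\\fs01\finance\Q1\report.xlsx"},
    {"time": "2014-05-01T10:00:03", "source_user": "CORP\\mihai",
     "destination_filename": r"\\fs01\finance\Q2\report.xlsx"},
    {"time": "2014-05-01T10:00:04", "source_user": "CORP\\mihai",
     "destination_filename": r"\\fs01\finance\Q2\report.xlsx"},
]


def object_field(event):
    """Assumed derivation of Object: the file name without its share path."""
    return PureWindowsPath(event["destination_filename"]).name


def aggregate(events, key_fields, window=timedelta(seconds=60)):
    """Collapse events whose key fields match within `window` into one
    record carrying a count, mirroring a SIEM aggregation rule."""
    open_buckets = {}   # key tuple -> aggregated record still accepting hits
    finished = []
    for ev in events:
        ev = dict(ev, object=object_field(ev))
        ts = datetime.fromisoformat(ev["time"])
        key = tuple(ev[f] for f in key_fields)
        agg = open_buckets.get(key)
        if agg is not None and ts - agg["last_time"] <= window:
            agg["count"] += 1       # same key inside the window: merge
            agg["last_time"] = ts
            continue
        if agg is not None:
            finished.append(agg)    # window expired: emit and start anew
        open_buckets[key] = dict(ev, count=1, last_time=ts)
    finished.extend(open_buckets.values())
    return finished


if __name__ == "__main__":
    for fields in (("source_user", "destination_filename"),
                   ("source_user", "object")):
        for rec in aggregate(EVENTS, fields):
            print(fields, rec["destination_filename"], "x", rec["count"])
```

Keyed on Source User plus the full Destination_filename the four records collapse to two (one per file); keyed on Object the two files merge into a single record, which is the incorrect aggregation the reply warns about.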
abanaru
Level 11

Re: Aggregation for custom types

Weird, in my case even for 43-263051450 the Object field is populated.

By the way, Object is populated only when Destination_filename exists.

0 Kudos

Re: Aggregation for custom types

I have the latest version of SIEM, 9.6 MR7. What version do you have? Maybe the parser is changed...

0 Kudos