6 Replies Latest reply on Nov 17, 2016 3:50 AM by mihai.olteanu

    Aggregation for custom types

    mihai.olteanu

      Hi,

What can be done in order to aggregate using the Destination_filename field, which is not indexed by default and is not usable in the Aggregation settings for a specific parser rule? I'm trying to aggregate file audit events from Windows Security logs and I'd like to use "Source User" and "Destination_filename" for aggregation, but "Destination_Filename" is not displayed in the drop-down menu.

      Best regards,

      Mihai

        • 1. Re: Aggregation for custom types
          abanaru

You can create a custom ASP rule with a new custom type created by you which is indexed. Unfortunately, you will have to use an agent like Snare to send events via syslog, because our SIEM Collector supports syslog only for the Custom SQL module.


Another idea is to aggregate on Object, but this way you won't have the full path of your file, and this could lead to an incorrect aggregation.

          • 2. Re: Aggregation for custom types
            mihai.olteanu

Creating a custom ASP means rewriting the whole WMI parser, and I really don't want to do that.

I don't remember seeing the Object field populated... only the destination_filename was written with data.

            • 3. Re: Aggregation for custom types
              abanaru

As for the WMI parser, you don't have to write ASP rules for each Windows Event, just for the events which have a Destination_Filename inside.


The Object field should be populated. Look into Signature ID 43-263046630. A closer look at the event in raw format will show that Object is derived from Destination_filename.

              • 4. Re: Aggregation for custom types
                mihai.olteanu

Well, I've checked and Object is not populated. The signature ID I use is 43-263051450 (A network share object was checked to see whether the client can be granted desired access.). This is what I use to get the full details of a file accessed through a network share. The signature you specified doesn't trigger when I just open a file, only when I delete it or create a new file, I think (I saw just a couple of events with that signature).

I don't know why, but each file access generates 2 Windows file audit records in the scenario I'm using now, and aggregation would help me reduce this to 1 as it should be.

                • 5. Re: Aggregation for custom types
                  abanaru

Weird, in my case, even for 43-263051450, the Object field is populated.

                  By the way, Object is populated only when Destination_filename exists.

                  • 6. Re: Aggregation for custom types
                    mihai.olteanu

I have the latest version of SIEM, 9.6 MR7. What version do you have? Maybe the parser has changed...
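The aggregation the original question and reply 4 are after (collapsing the duplicate file audit records on Source User plus the full path) can be checked outside the SIEM. The following is an added example, not code from the thread or from the SIEM product: it runs a windowed aggregation over constructed records shaped like parsed Windows file-share audit events, preferring Destination_filename and falling back to Object only when the former is empty. The record layout, the field names and the 60-second window are assumptions of this example.

```python
from datetime import datetime

# Constructed sample records, shaped like parsed Windows file-share audit events
# (Signature ID 43-263051450 from the thread). The values are invented; the
# first two rows reproduce the "two records per file access" duplication.
SAMPLE_EVENTS = [
    {"time": "2016-11-17T09:00:00", "sig": "43-263051450", "source_user": "jdoe",
     "destination_filename": r"\\FS01\Finance\budget.xlsx", "object": ""},
    {"time": "2016-11-17T09:00:00", "sig": "43-263051450", "source_user": "jdoe",
     "destination_filename": r"\\FS01\Finance\budget.xlsx", "object": ""},
    {"time": "2016-11-17T09:00:07", "sig": "43-263051450", "source_user": "asmith",
     "destination_filename": r"\\FS01\Finance\budget.xlsx", "object": ""},
    {"time": "2016-11-17T09:03:00", "sig": "43-263051450", "source_user": "jdoe",
     "destination_filename": r"\\FS01\Finance\budget.xlsx", "object": ""},
]


def file_key(event):
    """Aggregation key: Source User plus the full file path.
    Destination_filename is preferred; Object is only a fallback, since the
    thread reports it can be empty and it may not carry the full path."""
    path = event.get("destination_filename") or event.get("object")
    return (event["source_user"], path) if path else None


def aggregate(events, window_seconds=60):
    """Collapse records with the same key that fall within window_seconds of
    the group's first record. Records without a usable path are passed
    through unaggregated. Returns groups ordered by first_seen."""
    open_groups = {}   # key -> group still accepting records
    finished = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = file_key(ev)
        group = open_groups.get(key) if key else None
        if group and (t - group["first_seen"]).total_seconds() <= window_seconds:
            group["count"] += 1
            group["last_seen"] = t
            continue
        if group:                       # outside the window: close the old group
            finished.append(open_groups.pop(key))
        new_group = {"source_user": ev["source_user"],
                     "destination_filename": key[1] if key else "",
                     "sig": ev["sig"], "first_seen": t, "last_seen": t, "count": 1}
        if key:
            open_groups[key] = new_group
        else:
            finished.append(new_group)  # no path: cannot be aggregated safely
    finished.extend(open_groups.values())
    return sorted(finished, key=lambda g: g["first_seen"])
```

Running `aggregate(SAMPLE_EVENTS)` yields three groups: the two identical jdoe records collapse into one with count 2, while the asmith access and the later jdoe access stay separate.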