
More Filters in SIEM



We are using USM 5.0.2  and I was wanting to generate a report for a specific set of conditions.  I created a saved view but wanted to understand the advanced filtering.

Data Sources = Ossec
Signature contains "integrity"

For the Filename field I would like to be able to search for any changes to our J:\ drive specifically since we need to alert a separate team if something changes on that drive, as opposed to C:\ or D:\ which would be just operations team.

I tried filename like J:\*  and  filename = J:\*   but no results are found.

Is this going to work?  or is my search logic wrong?



Best Answer

  • edited June 2015 Answer ✓

    For anyone else having the same issue.  With the help of support we found the root cause:

    When looking for specific drives use   "filename like J:"

    Use like instead of = so that it looks for more than the drive letter condition

    Use only J:, not J:\ or J:\*. OSSEC writes the logs with a J:\ or a J:/, so it would not match on all conditions.

    Just a heads up.
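
The drive-prefix match from the answer above, as an added example that is not part of the original thread: it parses syscheck alerts laid out like the scrubbed sample log in this thread, normalizes the path separator and routes on the drive letter. The alerts, file paths and team names are constructed for illustration.

```python
import re

# Constructed alerts in the layout of the scrubbed sample log from this thread.
_HDR = ("AV - Alert - 1434007721 --> RID 554 RL 7 RG ossec syscheck RC File added "
        "to the system. USER None SRCIP None HOSTNAME (HOST-DB) 10.x.x.x->syscheck "
        "LOCATION (HOST-DB) 10.x.x.x->syscheck EVENT [INIT]New file {} added to the file system.[END]")
SAMPLE_ALERTS = [_HDR.format(p) for p in (
    r"J:\data\ledger.db",    # backslash after the drive letter
    "J:/data/export.csv",    # forward slash after the drive letter
    r"E:\Sites/app.dll",     # mixed separators, as in the posted sample
    r"C:\Windows\win.ini",
)]

# Hypothetical routing table: drive letter -> team to alert.
ROUTES = {"J": "separate-team"}
DEFAULT_TEAM = "operations"

EVENT_RE = re.compile(r"EVENT \[INIT\](.*?)\[END\]")
# Drive letter, colon, then either separator. Stops at whitespace, so a path
# containing spaces is truncated; the drive letter is still correct.
PATH_RE = re.compile(r"\b([A-Za-z]):[\\/]\S*")

def syscheck_path(alert):
    """Return (drive_letter, path_with_forward_slashes) or None."""
    event = EVENT_RE.search(alert)
    if not event:
        return None
    m = PATH_RE.search(event.group(1))
    if not m:
        return None
    return m.group(1).upper(), m.group(0).replace("\\", "/")

def route(alert):
    """Pick the team for an alert based on the drive letter only."""
    parsed = syscheck_path(alert)
    return None if parsed is None else ROUTES.get(parsed[0], DEFAULT_TEAM)

def literal_hits(needle):
    """Count alerts containing the literal substring, like a strict filter."""
    return sum(needle in a for a in SAMPLE_ALERTS)

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(route(a), syscheck_path(a))
    # Filtering on "J:\" misses the J:/ entry; filtering on "J:" catches both.
    print(literal_hits("J:\\"), literal_hits("J:"))
```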


  • silly answer maybe, but have you set up your ossec agent to look at the files on the j: drive?
  • Hi Chris,

    Yeah.  I can see them in the SIEM.  I just want to be able to see only the J:\ in my reports instead of all the drives.
  • icarus,

    Do you have the raw logs from one of the events that you can share? If the Logs on the USM contain the drive letter, you should be able to create a raw log search, and then create a report from that saved search which can be shared with the responsible party.
  • edited June 2015
    Hi kcoe,

    Here is the view that I am able to generate.  but I cannot limit it to just the J:\  It always picks up the C:\ and others.


  • icarus,

    It looks like the drive letter will be part of the raw Logs on all of your entries. You should be able to do a raw log search to data='checksum' data='J:\' and narrow down the raw log search to just those logs.

    If this works, you can save this search, and follow the instructions in this document to build a report:

  • hmm..  still not getting it to work.  Returns 0 results.

    I can get close with the SIEM, but as soon as I add the parameter filename="J:\"  it breaks.  

    With the Raw logs if I add datasource=ossec-syscheck data=File  I can see the list of changes but as soon as I add data=J:\ I get a blank screen.  When I remove data=J:\ the list comes back.   

    Very frustrating...  

  • edited June 2015
    Here is a sample log that has been scrubbed.

    AV - Alert - 1434007721 --> RID 554 RL 7 RG ossec syscheck RC File added to the system. USER None SRCIP None HOSTNAME (XXXXX-DB) 10.x.x.x->syscheck LOCATION (XXXXXX-DB) 10.x.x.x->syscheck EVENT [INIT]New file E:\Sites/XXXXXXXXXXX.dll added to the file system.[END]
  • icarus,

    From that it looks like you could query as shown below. This is working on my install.

    datasource-ossec-syscheck data='E:\'

    datasource-ossec-syscheck data='E:\sites'

    Once you narrow that down, you can save the query and use that with the doc listed above to create the report.
  • Very strange.  I run it exactly as you have it and I get a blank screen.  I'd share a screenshot, but the last one got nuked..  

    If there is no data it usually says there are no results, but in this case it's just blank..   

    I think I will have to contact support to determine if something is broken on my install.  