Need a query to check the number of file renames within a second.
Hello,
Can someone help me create a query to check the number of file renames in a second, i.e. the count of file renames per second?
Also, I am wondering if we can create a query to monitor files with the following file extensions.
\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.{CRYPTENDBLACKDC}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.crypt|\.ctbl|\.html|\.locked|\.ha3|\.enigma|\.html|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware.LeChiffre|\.crime|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr|\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.encrypted|\.cry|\.AES256|\.enc|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.enc|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.vault|\.PORNO
Thank you in advance.
-
Hi Dungar,
For your first question (counting when a file gets renamed), could you please provide us some insight into what your data looks like? What type of source are you trying to query? Are these OS event logs, or some custom application? Would you be able to provide any samples of what this event looks like in the logs?
For your second question (monitoring files with particular extensions), it would depend on exactly what you're trying to monitor with those extensions. Do you just need to be alerted whenever those extensions show up in a log line? Is the filename/extension something you're already parsing with a field extraction rule?
Thanks,
Nick
Customer Success, Sumo Logic
-
Hi Nick,
Thanks for your reply.
1) I am looking at Apache logs as well as Windows event logs. I need the count of files renamed for a particular interval of time.
2) I am just wondering if it is possible to monitor / create a dashboard for the above file extensions. Only if the above file extensions are matched should an entry be shown in the dashboard or logs.
Let me know if you need more information.
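As an added example (not code from this thread or from Sumo Logic), here is the detection logic for both questions in Python, run over a constructed log format: renames are bucketed per second and checked against a burst threshold, and each new filename is checked against a subset of the listed extensions. The log line layout, the paths and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample log (not real Windows or Apache output); one event per line:
#   "<ISO timestamp> RENAME <old path> -> <new path>"
SAMPLE_LOG = r"""
2016-05-10T09:15:01.003 RENAME C:\share\q1.docx -> C:\share\q1.docx.locky
2016-05-10T09:15:01.110 RENAME C:\share\q2.xlsx -> C:\share\q2.xlsx.locky
2016-05-10T09:15:01.250 RENAME C:\share\q3.pdf -> C:\share\q3.pdf.locky
2016-05-10T09:15:01.400 RENAME C:\share\q4.pptx -> C:\share\q4.pptx.locky
2016-05-10T09:15:02.015 RENAME C:\share\q5.docx -> C:\share\q5.docx.locky
2016-05-10T09:15:02.020 RENAME C:\share\q6.docx -> C:\share\q6.docx.locky
2016-05-10T09:17:44.900 RENAME C:\share\draft.txt -> C:\share\final.txt
2016-05-10T09:18:10.000 LOGIN user=alice
""".strip()
# Subset of the extensions asked about; generic ones such as .txt, .html and .mp3 are
# left out because matching them on their own would alert on ordinary file activity.
RANSOM_EXT = re.compile(
    r"\.(enc|r5a|r4a|encrypt|locky|cerber|crypt|crypted|encrypted|ctbl|xtbl|vault|"
    r"micro|ecc|exx|ezz|zzz|crysis|enciphered)$", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+) RENAME (?P<old>.+?) -> (?P<new>.+)$")

def parse_renames(lines):
    """Yield (timestamp, old_path, new_path) for rename lines; other events are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("old"), m.group("new")

def renames_per_second(events):
    """Question 1: count renames per second (first 19 chars of the timestamp)."""
    return Counter(ts[:19] for ts, _, _ in events)

def burst_seconds(events, threshold):
    """Seconds in which at least `threshold` renames occurred."""
    return sorted(sec for sec, n in renames_per_second(events).items() if n >= threshold)

def is_ransom_rename(old, new):
    """Question 2: the new name carries a listed extension that the old name did not."""
    return bool(RANSOM_EXT.search(new)) and not RANSOM_EXT.search(old)

def ransomware_alerts(events, threshold):
    """Both together: burst seconds in which at least one rename hits the extension list."""
    by_sec = defaultdict(list)
    for ts, old, new in events:
        by_sec[ts[:19]].append((old, new))
    return sorted(sec for sec, pairs in by_sec.items()
                  if len(pairs) >= threshold and any(is_ransom_rename(o, n) for o, n in pairs))

if __name__ == "__main__":
    evts = list(parse_renames(SAMPLE_LOG.splitlines()))
    print(dict(renames_per_second(evts)), ransomware_alerts(evts, 3))
```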
-
Hi Dungar,
For 1) I'm not sure I understand how the files that are being renamed would show up in your Apache logs. Could you elaborate on what files you're referring to? For Windows, I believe there are event logs to help identify this, but I'll have to do a little more research and get back to you.
For 2) this depends on your log sources that contain these extensions. Is this coming from a custom app log or something else?
Thanks!
Nick
Customer Success, Sumo Logic
-
Hi Dungar,
I'm so sorry for the delay here. I just sent you an email separately to get a little more information about your particular collectors so that I can help you out further.
I'll post back here once we have a solution for everyone else's benefit.
Thanks,
Nick
Customer Success, Sumo Logic