Hello,
I want to write a Loki query that, if the handle ID for event ID 4663 is the same as the handle ID for event ID 4660, extracts the hostname, username, file or folder name, and date and time.
I did:
{job="windows-security"}
| json
| event_id =~ "4660|4663"
The outputs are as follows:
{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4660,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-26T11:46:05.0893258Z","eventRecordID":147564,"execution":{"processId":4,"threadId":3084,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x4078b\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x2764\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x1370\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='TransactionId'\u003e{00000000-0000-0000-0000-000000000000}\u003c/Data\u003e","message":"An object was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x4078B\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tHandle ID:\t0x2764\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x1370\r\n\tProcess Name:\tC:\\Windows\\explorer.exe\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"}
And:
{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4663,"version":1,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-26T11:46:05.0893190Z","eventRecordID":147563,"execution":{"processId":4,"threadId":3084,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x4078b\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='ObjectType'\u003eFile\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\\LLL\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x2764\u003c/Data\u003e\u003cData Name='AccessList'\u003e%%1537\r\n\t\t\t\t\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x10000\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x1370\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ResourceAttributes'\u003eS:AI\u003c/Data\u003e","message":"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x4078B\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\\LLL\r\n\tHandle ID:\t\t0x2764\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1370\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tDELETE\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x10000"}
The data in the event_data section is as follows:
<Data Name='SubjectUserSid'>S-1-5-21-2104788189-4142446361-3889847816-1001</Data><Data Name='SubjectUserName'>Grafana</Data><Data Name='SubjectDomainName'>DESKTOP-1PNH21K</Data><Data Name='SubjectLogonId'>0x4078b</Data><Data Name='ObjectServer'>Security</Data><Data Name='HandleId'>0x2764</Data><Data Name='ProcessId'>0x1370</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data>
Any ideas are welcome.
Thank you.
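An added example, not part of the original post or of Loki itself. LogQL's `| json` and `| regexp` stages evaluate each log line on its own; there is no stage that joins one line's HandleId to another's, and the 4660 event carries no ObjectName, so the file or folder name has to come from the matching 4663 (the one that requested DELETE, access mask 0x10000). The pairing therefore has to happen in whatever consumes the query results. The script below shows that logic over constructed sample lines modelled on the two events above (event_data trimmed to the fields used, plus two invented non-matching events); the five-second window and the (computer, ProcessId, HandleId) key are assumptions chosen because handle IDs are reused by the kernel and must not be matched across unrelated opens:

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the two events in the post, with event_data
# trimmed to the fields the correlation needs. The third and fourth lines are
# invented negatives: a 4663 without DELETE access and a 4660 with no 4663.
SAMPLE_LINES = [
    r'''{"computer":"DESKTOP-1PNH21K","event_id":4663,"timeCreated":"2025-02-26T11:46:05.0893190Z","eventRecordID":147563,"event_data":"\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\\LLL\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x2764\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x10000\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x1370\u003c/Data\u003e"}''',
    r'''{"computer":"DESKTOP-1PNH21K","event_id":4660,"timeCreated":"2025-02-26T11:46:05.0893258Z","eventRecordID":147564,"event_data":"\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x2764\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x1370\u003c/Data\u003e"}''',
    r'''{"computer":"DESKTOP-1PNH21K","event_id":4663,"timeCreated":"2025-02-26T11:46:09.0000000Z","eventRecordID":147565,"event_data":"\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\\keep.txt\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x2a10\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x20089\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x1370\u003c/Data\u003e"}''',
    r'''{"computer":"DESKTOP-1PNH21K","event_id":4660,"timeCreated":"2025-02-26T11:46:12.0000000Z","eventRecordID":147566,"event_data":"\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x9999\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x1370\u003c/Data\u003e"}''',
]

DATA_RE = re.compile(r"<Data Name='([^']+)'>(.*?)</Data>", re.S)
DELETE_BIT = 0x10000           # DELETE in the access mask, as in the 4663 above
WINDOW = timedelta(seconds=5)  # assumption: handle IDs are reused, so only pair close events


def parse_event_data(xml):
    """Turn the <Data Name='X'>value</Data> run into a dict (values stripped)."""
    return {name: value.strip() for name, value in DATA_RE.findall(xml)}


def parse_timestamp(ts):
    """timeCreated carries 7 fractional digits; datetime keeps 6, so truncate."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.(\d+)Z", ts)
    base, frac = m.groups()
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return when.replace(microsecond=int(frac[:6].ljust(6, "0")))


def parse_line(raw):
    """Flatten one Loki JSON line into the fields the correlation needs."""
    rec = json.loads(raw)
    data = parse_event_data(rec["event_data"])
    return {
        "event_id": rec["event_id"],
        "record_id": rec["eventRecordID"],
        "computer": rec["computer"],
        "time": parse_timestamp(rec["timeCreated"]),
        "user": data.get("SubjectUserName"),
        "object": data.get("ObjectName"),
        # normalise hex so differently cased or padded handle IDs compare equal
        "handle": int(data["HandleId"], 16),
        "pid": int(data["ProcessId"], 16),
        "mask": int(data.get("AccessMask", "0"), 16),
    }


def correlate_deletions(lines):
    """Pair each 4660 with the latest earlier 4663 on the same host, process and
    handle that requested DELETE, and report who deleted what, where and when."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["record_id"])
    open_handles = {}  # (computer, pid, handle) -> most recent DELETE-access 4663
    deletions = []
    for ev in events:
        key = (ev["computer"], ev["pid"], ev["handle"])
        if ev["event_id"] == 4663:
            if ev["mask"] & DELETE_BIT:
                open_handles[key] = ev
        elif ev["event_id"] == 4660:
            opened = open_handles.pop(key, None)
            if opened is None or ev["time"] - opened["time"] > WINDOW:
                continue  # no DELETE-access 4663 for this handle in the window
            deletions.append({
                "hostname": ev["computer"],
                "username": ev["user"],
                "object_name": opened["object"],
                "deleted_at": ev["time"].isoformat(),
            })
    return deletions


if __name__ == "__main__":
    for deletion in correlate_deletions(SAMPLE_LINES):
        print(deletion)
```

In practice the lines would come from the Loki query in the post (for example via Loki's query_range HTTP API) rather than from the embedded list; the 4660 with no qualifying 4663 and the 4663 that never requested DELETE are both dropped, which is the behaviour a bare `event_id =~ "4660|4663"` filter cannot give you inside LogQL.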