topic AD request and file audit in Getting Data In https://community.splunk.com/t5/Getting-Data-In/AD-request-and-file-audit/m-p/391406#M69953 <P>Hello!</P> <P>I need to show audit access to a file in Windows, in the context of a certain group in the AD.</P> <P>For example: there is a file called file_for_test.doc. To view the latest data on the audit, I use the following code:</P> <PRE><CODE>host="hostname" sourcetype="WinEventLog" Object_Name="*file_for_test.doc" Accesses="ReadData*" | head 10000 | stats first(_time) as _time by Account_Name,Accesses,EventCode,Object_Name | table _time, Account_Name, Accesses, EventCode, Object_Name </CODE></PRE> <P>Result:</P> <PRE><CODE>_time Account_Name Accesses EventCode Object_Name 2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-25 10:59:32 User_2 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-25 08:41:39 User_3 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc </CODE></PRE> <P>But I need to display data only for users in the certain group AD. For example, only user 1, user 4.</P> <P>It's to get a list of these users:</P> <PRE><CODE>| ldapsearch domain=dom_name search="(&amp;(objectClass=group)(CN=group_name))" | ldapgroup | table member_name </CODE></PRE> <P>Result:</P> <PRE><CODE>member_name User_1 User_4 </CODE></PRE> <P>How do I combine 2 of these requests to get the following result:</P> <PRE><CODE>_time Account_Name Accesses EventCode Object_Name 2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc </CODE></PRE> Tue, 29 Sep 2020 21:22:25 GMT zek50618 2020-09-29T21:22:25Z AD request and file audit https://community.splunk.com/t5/Getting-Data-In/AD-request-and-file-audit/m-p/391406#M69953 <P>Hello!</P> <P>I need to show audit access to a file in Windows, in the context of a certain group in the AD.</P> <P>For example: there is a file called file_for_test.doc. To view the latest data on the audit, I use the following code:</P> <PRE><CODE>host="hostname" sourcetype="WinEventLog" Object_Name="*file_for_test.doc" Accesses="ReadData*" | head 10000 | stats first(_time) as _time by Account_Name,Accesses,EventCode,Object_Name | table _time, Account_Name, Accesses, EventCode, Object_Name </CODE></PRE> <P>Result:</P> <PRE><CODE>_time Account_Name Accesses EventCode Object_Name 2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-25 10:59:32 User_2 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-25 08:41:39 User_3 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc </CODE></PRE> <P>But I need to display data only for users in the certain group AD. For example, only user 1, user 4.</P> <P>It's to get a list of these users:</P> <PRE><CODE>| ldapsearch domain=dom_name search="(&amp;(objectClass=group)(CN=group_name))" | ldapgroup | table member_name </CODE></PRE> <P>Result:</P> <PRE><CODE>member_name User_1 User_4 </CODE></PRE> <P>How do I combine 2 of these requests to get the following result:</P> <PRE><CODE>_time Account_Name Accesses EventCode Object_Name 2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc 2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc </CODE></PRE> Tue, 29 Sep 2020 21:22:25 GMT https://community.splunk.com/t5/Getting-Data-In/AD-request-and-file-audit/m-p/391406#M69953 zek50618 2020-09-29T21:22:25Z Re: AD request and file audit https://community.splunk.com/t5/Getting-Data-In/AD-request-and-file-audit/m-p/391407#M69954 <P>Hello!<BR /> How to compose a query to search from array?</P> <P>I have a dropdown field, in which I choose the needed group.</P> <PRE><CODE>&lt;input type="dropdown" token="dd01"&gt; &lt;choice value="ad_group1"&gt;ad_group1&lt;/choice&gt; &lt;choice value="ad_group2"&gt;ad_group2&lt;/choice&gt; &lt;/input&gt; </CODE></PRE> <P>Then we get a table with a list of members of the group</P> <PRE><CODE>&lt;query&gt;| ldapsearch domain=dom_name search="(&amp;amp;(objectClass=group)(CN=$dd01$))" | ldapgroup | table member_name&lt;/query&gt; &lt;option name="drilldown"&gt;cell&lt;/option&gt; &lt;drilldown&gt; &lt;set token="mem_name"&gt;$row.member_name$&lt;/set&gt; </CODE></PRE> <P>How to compose a query "where" or any other that will search for an array of users in it?</P> <PRE><CODE>&lt;query&gt; host="hostname" sourcetype="WinEventLog" Object_Name="*filename.doc" Accesses="ReadData*" | head 1000 **| where Account_Name = $mem_name$** | table _time, Account_Name, Accesses, EventCode, Object_Name &lt;/query&gt; </CODE></PRE> Mon, 01 Oct 2018 02:54:06 GMT https://community.splunk.com/t5/Getting-Data-In/AD-request-and-file-audit/m-p/391407#M69954 zek50618 2018-10-01T02:54:06Z