https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/560132#M159178 <P>Ha! My indexer had the Security stanza disabled. Enabled the Security Stanza for Windows_TA on the Indexer (have it on forwarder and search head as well) and Access=Delete shows up now for&nbsp;<SPAN>Event ID: 4656</SPAN></P> Mon, 19 Jul 2021 22:11:21 GMT irievibe 2021-07-19T22:11:21Z https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/241987#M71995 <P>Hello there, </P> <P>I'm trying to monitor file access on our file server (Windows 2012 R2) with Splunk Light but I can't quite figure out what to look at as there are just so many events which also seems not quite... intuitive?</P> <P>I have a list of things I want to achieve ordered by priority<BR /> 1. detect any file that has been deleted (gone from the server, not moved to a subdirectory or something)<BR /> 2. detect any modification made to a file <BR /> 3. detect any readings on files</P> <P>While I think these are pretty basic things on a file server, it seems to me that it is very difficult, especially to distinguish the events that are created. Here's a list of things I <STRONG>don't</STRONG> care about (yet):<BR /> 1. who accessed a share<BR /> 2. who listed a directory<BR /> 3. that it was checked that a user has permission for any handle or whatever</P> <P>So far I've gone through the trouble of modifying the local policies and ACL to get the folowing event-codes:<BR /> - 5145 (98%)<BR /> - 4656 (0,6%)<BR /> - 4663 (0,4%)<BR /> - 4660 (0,3%)<BR /> - 5140 (0,1%)<BR /> - 4659 (0,004%)<BR /> - 4719 (0,001%)</P> <P>Can anyone tell me how to achieve my goals with these events or hint me into directions?</P> Fri, 18 Nov 2016 08:14:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/241987#M71995 elindemann 2016-11-18T08:14:28Z https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/241988#M71996 <P>See if this helps</P> <PRE><CODE>1. detect any file that has been deleted (gone from the server, not moved to a sub-directory or something) Event Code=4663 AND Accesses= DELETE AND Object Type=File 2. detect any modification made to a file Event Code=4663 AND Accesses= WriteData AND Object Type=File 3. detect any readings on files <A href="http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/" target="test_blank">http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/</A> </CODE></PRE> Fri, 18 Nov 2016 23:51:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/241988#M71996 sundareshr 2016-11-18T23:51:43Z https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/560132#M159178 <P>Ha! My indexer had the Security stanza disabled. Enabled the Security Stanza for Windows_TA on the Indexer (have it on forwarder and search head as well) and Access=Delete shows up now for&nbsp;<SPAN>Event ID: 4656</SPAN></P> Mon, 19 Jul 2021 22:11:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/560132#M159178 irievibe 2021-07-19T22:11:21Z https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/560136#M159180 <P>arg, the appropriate search to find deleted files is:<BR />EventCode=4656 Accesses=DELETE</P><P>Accesses field was what I was having trouble with.&nbsp;</P> Mon, 19 Jul 2021 23:29:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-detect-when-files-are-deleted-modified-or-read-on-Windows/m-p/560136#M159180 irievibe 2021-07-19T23:29:48Z