Hello!
I need to show audit access to a file in Windows, in the context of a certain group in the AD.
For example: there is a file called file_for_test.doc. To view the latest data on the audit, I use the following code:
host="hostname" sourcetype="WinEventLog" Object_Name="*file_for_test.doc" Accesses="ReadData*"
| head 10000
| stats first(_time) as _time by Account_Name, Accesses, EventCode, Object_Name
| table _time, Account_Name, Accesses, EventCode, Object_Name
Result:
_time Account_Name Accesses EventCode Object_Name
2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-25 10:59:32 User_2 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-25 08:41:39 User_3 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
But I need to display data only for users in a certain AD group. For example, only User_1 and User_4.
This is how I get a list of these users:
| ldapsearch domain=dom_name search="(&(objectClass=group)(CN=group_name))" | ldapgroup | table member_name
Result:
member_name
User_1
User_4
How do I combine these 2 queries to get the following result:
_time Account_Name Accesses EventCode Object_Name
2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
Hello!
How do I compose a query that searches an array?
I have a dropdown field, in which I choose the needed group.
<input type="dropdown" token="dd01">
<choice value="ad_group1">ad_group1</choice>
<choice value="ad_group2">ad_group2</choice>
</input>
Then we get a table with a list of members of the group
<query>| ldapsearch domain=dom_name search="(&amp;(objectClass=group)(CN=$dd01$))" | ldapgroup | table member_name</query>
<option name="drilldown">cell</option>
<drilldown>
<set token="mem_name">$row.member_name$</set>
</drilldown>
How do I compose a "where" query, or any other, that will search for an array of users?
<query>
host="hostname" sourcetype="WinEventLog" Object_Name="*filename.doc" Accesses="ReadData*"
| head 1000
**| where Account_Name = $mem_name$**
| table _time, Account_Name, Accesses, EventCode, Object_Name
</query>
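One way to join the two searches, as an added example that is not from either post: a subsearch in square brackets feeds the group members returned by ldapgroup into the Windows event search, so one panel answers both the ad hoc question (put the literal group CN in place of $dd01$) and the dashboard one without any "where" over an array. The panel wrapper, the time range, and the assumption that ldapgroup's member_name is the same bare account name that appears in the event's Account_Name are mine.

```xml
<!-- Panel that lists the latest ReadData access to the file for each member
     of the AD group chosen in the dd01 dropdown (example, not from the post).
     The bracketed subsearch runs first; Splunk expands its Account_Name values
     into (Account_Name="User_1") OR (Account_Name="User_4") and ANDs that with
     the outer search. Note "&" must be written "&amp;" inside Simple XML. -->
<panel>
  <table>
    <search>
      <query>
host="hostname" sourcetype="WinEventLog" EventCode=4663
    Object_Name="*file_for_test.doc" Accesses="ReadData*"
    [| ldapsearch domain=dom_name search="(&amp;(objectClass=group)(CN=$dd01$))"
     | ldapgroup
     | rename member_name AS Account_Name
     | fields Account_Name]
| stats first(_time) AS _time BY Account_Name, Accesses, EventCode, Object_Name
| table _time, Account_Name, Accesses, EventCode, Object_Name
      </query>
      <!-- assumed time range; the original used "| head 10000" instead -->
      <earliest>-7d@d</earliest>
      <latest>now</latest>
    </search>
  </table>
</panel>
```

A subsearch is capped by default at 10,000 results and 60 seconds, so for very large groups check that the member list is not truncated; if the 4663 events carry DOMAIN\user rather than the bare name, add an eval in the subsearch to produce the same form before the rename.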