Monitoring Splunk

How to identify/monitor a deny access action in Windows 2008 SP1 ?

williamhui
New Member

Hello,

With enabled all audit tracking in Windows Local Security Policy and the monitoring folders, I was able to identify the person (Account_Name) who is using an application (Process_Name) to do an action (Accesses) on specified folder/file (Object_Name).
However, I was unable to find whether my action is success or not. (The audit is success). Could anyone help on this ?

Many Thanks,
William

Tags (1)
0 Karma

acilia
New Member

"Reason for access" reporting is the ACEs in Win 2008 R2 provides the privileges on which the decision to allow or deny access to the object and also record the action allow or deny the occurrence of a particular event.

Therefore, the root cause is that Win 2008 does not support Reason for access which Win 2008 R2 supports.

0 Karma

keiichilam
Explorer

一定係你做錯。

0 Karma

LCM
Contributor

I would agree to that answer 😉

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...