Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to monitor Windows access control lists at the NTFS level

tgow
Splunk Employee
Splunk Employee
‎03-28-2011 08:51 PM

I want to build a security report that lists what directories and files a specified user account has access to by NTFS permission level (Read, Change, Full Control, etc.).

I am looking at running a scripted input using MS Powershell. Is this the right approach?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎03-28-2011 09:25 PM

"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine.

As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.

Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎03-28-2011 09:25 PM

"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine.

As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.

Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.

Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...