Security

How to monitor Windows access control lists at the NTFS level

tgow
Splunk Employee
Splunk Employee

I want to build a security report that lists what directories and files a specified user account has access to by NTFS permission level (Read, Change, Full Control, etc.).

I am looking at running a scripted input using MS Powershell. Is this the right approach?

Tags (2)
1 Solution

dwaddle
SplunkTrust
SplunkTrust

"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine.

As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.

Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine.

As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.

Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...