Splunk Enterprise

How to track read and copy activity in Windows folder ?

Arnab6641
Loves-to-Learn

Hello,

I am trying to setup a report which will list all user activities in the F: drive. PFB my inputs.conf :


[WinEventLog://Security]
disabled = 0
index = fgfdstore
start_from = newest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 15
whitelist1 = 4663,4656
renderXml = false

I have also prepared the below search query :

index=<indexname> Object_Name="F:*" NOT *.*tmp
| eval folder = mvindex(split(lower(Object_Name),"\\"),3)
| table _time, Account_Name, folder, Object_Name, Accesses
| rename Object_Name as "File Path", Account_Name as UserName
| dedup UserName, "File Path", Accesses
| sort -_time

 

With this setup I am able to track activities like delete, modify, READ_CONTROL and create.
However, I am still not getting records when my colleague opened a file in F: drive as a test run.

Also, I am not able to understand how I can tell if a file is being copied from F: drive without opening it.

My question is, 
1. How can i track if a file is read but not modified ?
2. How can i tell if a file is copied without ever opening it ?

I am new to Splunk and my questions may appear naïve and simple. Any help, guidance and suggestion is highly appreciated.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...