I am trying to set up a report which will list all user activities in the F: drive. PFB my inputs.conf:

[WinEventLog://Security]
disabled = 0
index = fgfdstore
start_from = newest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 15
whitelist1 = 4663,4656
renderXml = false
I have also prepared the below search query:

index=<indexname> Object_Name="F:*" NOT *.*tmp
| eval folder = mvindex(split(lower(Object_Name),"\\"),3)
| table _time, Account_Name, folder, Object_Name, Accesses
| rename Object_Name as "File Path", Account_Name as UserName
| dedup UserName, "File Path", Accesses
| sort -_time

With this setup I am able to track activities like delete, modify, READ_CONTROL and create. However, I am still not getting records when my colleague opened a file in the F: drive as a test run.
Also, I am not able to understand how I can tell if a file is being copied from F: drive without opening it.
My questions are:
1. How can I track if a file is read but not modified?
2. How can I tell if a file is copied without ever opening it?
I am new to Splunk and my questions may appear naïve and simple. Any help, guidance and suggestion is highly appreciated.
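Added example, not from the post above and not Splunk or Windows code: a small Python script that parses constructed 4663 records in the rendered layout the Security log produces (the same Account Name, Object Name and Access Mask fields the search extracts as Account_Name, Object_Name and Access_Mask), filters them to one drive, drops temp files and dedups on user, path and activity, but classifies activity by the Access Mask bits rather than the Accesses text. A file opened for reading and a file copied off the share both log FILE_READ_DATA (0x1) from the process that opened the handle, so both come out as "read" and the process name is the only context that separates them; and 4663 read events are only written at all when the folder's SACL audits Read access, not just Write and Delete. The sample users, paths, process names and the helper names are assumptions made for the example.

```python
import re
from collections import OrderedDict

# File access-right bits as they appear in the Access Mask of a Windows 4663 event
# (values from winnt.h; FILE_READ_DATA is what a plain open-for-read or a copy produces).
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2
FILE_APPEND_DATA = 0x4
DELETE = 0x10000
READ_CONTROL = 0x20000

# Fields of the rendered 4663 message that the report needs. The Accesses text is ignored
# on purpose: it can span several lines and only spells out the bits already in the mask.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Object Name|Process Name|Access Mask):\s*(\S.*?)\s*$",
    re.MULTILINE,
)


def parse_4663(raw):
    """Return the fields of one rendered 4663 event, or None for any other event code."""
    code = re.search(r"EventCode=(\d+)", raw)
    if code is None or code.group(1) != "4663":
        return None
    fields = {name: value for name, value in FIELD_RE.findall(raw)}
    return {
        "account_name": fields.get("Account Name", "-"),
        "object_name": fields.get("Object Name", "-"),
        "process_name": fields.get("Process Name", "-"),
        "access_mask": int(fields.get("Access Mask", "0x0"), 16),
    }


def classify_access(mask):
    """Map an Access Mask to the kind of activity the report should show."""
    if mask & DELETE:
        return "delete"
    if mask & (FILE_WRITE_DATA | FILE_APPEND_DATA):
        return "write"
    if mask & FILE_READ_DATA:
        return "read"  # a read-only open and a copy look identical here
    if mask & READ_CONTROL:
        return "metadata"  # security descriptor read, e.g. Explorer showing properties
    return "other"


def activity_report(events, drive="F:", exclude_suffix=".tmp"):
    """Build (user, path, activity, process) rows for one drive, keeping the first of each.

    Mirrors the Splunk search: filter on the drive, drop temp files, dedup on
    user + path + activity.
    """
    rows = OrderedDict()
    for raw in events:
        ev = parse_4663(raw)
        if ev is None:
            continue
        path = ev["object_name"]
        if not path.lower().startswith(drive.lower()) or path.lower().endswith(exclude_suffix):
            continue
        key = (ev["account_name"], path, classify_access(ev["access_mask"]))
        rows.setdefault(key, ev["process_name"])
    return [(user, path, kind, proc) for (user, path, kind), proc in rows.items()]


def _event(user, path, mask, process):
    """Constructed 4663 record in the rendered Security-log layout (sample data, not a capture)."""
    return (
        "EventCode=4663\n"
        "An attempt was made to access an object.\n"
        "Subject:\n"
        f"\tAccount Name:\t\t{user}\n"
        "\tAccount Domain:\t\tCORP\n"
        "Object:\n"
        "\tObject Type:\t\tFile\n"
        f"\tObject Name:\t\t{path}\n"
        "Process Information:\n"
        f"\tProcess Name:\t\t{process}\n"
        "Access Request Information:\n"
        f"\tAccess Mask:\t\t{mask:#x}\n"
    )


# Constructed sample events: a read, the same read again (dedup), an edit, a temp file,
# a delete, and an event on another drive that the report must ignore.
SAMPLE_EVENTS = [
    _event("alice", r"F:\Shared\Finance\budget.xlsx", FILE_READ_DATA, r"C:\Windows\explorer.exe"),
    _event("alice", r"F:\Shared\Finance\budget.xlsx", FILE_READ_DATA, r"C:\Windows\explorer.exe"),
    _event("bob", r"F:\Shared\Finance\budget.xlsx", FILE_WRITE_DATA | FILE_APPEND_DATA,
           r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    _event("carol", r"F:\Shared\Temp\~draft.tmp", FILE_READ_DATA, r"C:\Windows\explorer.exe"),
    _event("dave", r"F:\Shared\HR\roster.docx", DELETE, r"C:\Windows\explorer.exe"),
    _event("eve", r"C:\Users\eve\notes.txt", FILE_READ_DATA, r"C:\Windows\notepad.exe"),
]

if __name__ == "__main__":
    for row in activity_report(SAMPLE_EVENTS):
        print(row)
```

Running it prints three rows: alice's read of budget.xlsx (once, not twice), bob's write, and dave's delete; the temp file and the C: event are dropped. The "read" row is the kind of record the search in the post would show for an opened file once read auditing is in the SACL, and nothing in the event itself says whether Explorer opened it for viewing or for a copy.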