Splunk Enterprise

How to track read and copy activity in a Windows folder?

Arnab6641

Hello,

I am trying to set up a report which will list all user activities on the F: drive. Please find below my inputs.conf:

[WinEventLog://Security]
disabled = 0
index = fgfdstore
start_from = newest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 15
whitelist1 = 4663,4656
renderXml = false

I have also prepared the below search query :

index=<indexname> Object_Name="F:*" NOT *.*tmp
| eval folder = mvindex(split(lower(Object_Name),"\\"),3)
| table _time, Account_Name, folder, Object_Name, Accesses
| rename Object_Name as "File Path", Account_Name as UserName
| dedup UserName, "File Path", Accesses
| sort -_time
With this setup I am able to track activities like delete, modify, READ_CONTROL and create.
However, I am still not getting records when my colleague opened a file on the F: drive as a test run.

Also, I am not able to understand how I can tell if a file is being copied from the F: drive without opening it.

My questions are:
1. How can I track if a file is read but not modified?
2. How can I tell if a file is copied without ever being opened?

I am new to Splunk and my questions may appear naïve and simple. Any help, guidance and suggestion is highly appreciated.

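Added example (not part of the original post, and not Splunk's or Microsoft's code): the distinction between "read" and "modified" is not in the event ID but in the Access Mask of event 4663, which records the access rights a process actually exercised on a handle (4656 only records the rights requested when the handle was opened). FILE_READ_DATA (0x1, rendered as "ReadData (or ListDirectory)") means the content was read; READ_CONTROL (0x20000) means only the security descriptor was read, which is what Explorer does when showing a file's properties; FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4) and DELETE (0x10000) indicate modification. 4663 is only generated for the accesses the folder's SACL audits, so a read produces no event unless "Read data / List folder" success auditing is in the SACL. A copy is, from the file system's point of view, just a read of the source; the script below pairs a read under F: with a write outside F: by the same user and process within a few seconds as a copy heuristic, which is an assumption of this example and only works if the destination is audited as well. The event text is constructed in the shape of the classic (non-XML) rendering; the user names, paths and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# File access-right bits from winnt.h; the 4663 "Access Mask" is the OR of these.
FILE_READ_DATA        = 0x00001  # "ReadData (or ListDirectory)": content was read
FILE_WRITE_DATA       = 0x00002  # "WriteData (or AddFile)"
FILE_APPEND_DATA      = 0x00004
FILE_WRITE_EA         = 0x00010
FILE_EXECUTE          = 0x00020
FILE_WRITE_ATTRIBUTES = 0x00100
DELETE                = 0x10000
READ_CONTROL          = 0x20000  # security descriptor read, content untouched
WRITE_DAC             = 0x40000
WRITE_OWNER           = 0x80000

CONTENT_READ_BITS = FILE_READ_DATA | FILE_EXECUTE
WRITE_BITS = (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
              | FILE_WRITE_ATTRIBUTES | WRITE_DAC | WRITE_OWNER)

# Constructed sample data: the field layout follows the classic 4663 text rendering.
TEMPLATE = """{ts}
LogName=Security
EventCode=4663
Message=An attempt was made to access an object.

Subject:
    Account Name:        {user}
Object:
    Object Type:         File
    Object Name:         {path}
Process Information:
    Process Name:        {process}
Access Request Information:
    Accesses:            {accesses}
    Access Mask:         {mask:#x}
"""

def make_event(ts, user, path, process, accesses, mask):
    """Render one constructed 4663 event (hypothetical users, paths and times)."""
    return TEMPLATE.format(ts=ts, user=user, path=path, process=process,
                           accesses=accesses, mask=mask)

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed, not real audit records
    make_event("06/12/2024 10:00:00 AM", "jdoe", r"F:\Finance\Q3.xlsx", EXCEL,
               "ReadData (or ListDirectory)", FILE_READ_DATA),        # opened the file
    make_event("06/12/2024 10:00:05 AM", "jdoe", r"F:\Finance\Q3.xlsx", EXPLORER,
               "READ_CONTROL", READ_CONTROL),                         # viewed Properties only
    make_event("06/12/2024 10:05:00 AM", "asmith", r"F:\Finance\Q3.xlsx", EXPLORER,
               "ReadData (or ListDirectory)", FILE_READ_DATA),        # copy: source read
    make_event("06/12/2024 10:05:01 AM", "asmith", r"C:\Users\asmith\Desktop\Q3.xlsx",
               EXPLORER, "WriteData (or AddFile)", FILE_WRITE_DATA),  # copy: destination write
    make_event("06/12/2024 10:10:00 AM", "jdoe", r"F:\Finance\Q3.xlsx", EXCEL,
               "WriteData (or AddFile)", FILE_WRITE_DATA),            # saved changes
]

FIELD = {
    "user":    re.compile(r"^\s*Account Name:\s*(\S+)", re.M),
    "path":    re.compile(r"^\s*Object Name:\s*(.+?)\s*$", re.M),
    "process": re.compile(r"^\s*Process Name:\s*(.+?)\s*$", re.M),
    "mask":    re.compile(r"^\s*Access Mask:\s*(0x[0-9A-Fa-f]+)", re.M),
}

def parse_4663(raw):
    """Extract timestamp, user, path, process and numeric access mask from one event."""
    ev = {"time": datetime.strptime(raw.strip().splitlines()[0].strip(),
                                    "%m/%d/%Y %I:%M:%S %p")}
    for name, rx in FIELD.items():
        m = rx.search(raw)
        if not m:
            raise ValueError(f"4663 event is missing field {name}")
        ev[name] = m.group(1)
    ev["mask"] = int(ev["mask"], 16)
    return ev

def classify(mask):
    """Label what the access mask says actually happened to the object."""
    labels = set()
    if mask & CONTENT_READ_BITS:
        labels.add("read")
    if mask & WRITE_BITS:
        labels.add("write")
    if mask & DELETE:
        labels.add("delete")
    if not labels:
        labels.add("metadata_only")  # e.g. READ_CONTROL or attribute reads: content not touched
    return frozenset(labels)

def read_only_accesses(raw_events, root="F:\\"):
    """(user, path, process) for events under root where content was read but not modified."""
    out = []
    for raw in raw_events:
        ev = parse_4663(raw)
        if ev["path"].lower().startswith(root.lower()) and classify(ev["mask"]) == {"read"}:
            out.append((ev["user"], ev["path"], ev["process"]))
    return out

def copy_candidates(events, source_root, window=timedelta(seconds=5)):
    """Heuristic (an assumption of this example): a content read under source_root followed
    within `window` by a write outside it, by the same user and process, looks like a copy.
    Only works when the destination is audited too; a plain copy is otherwise just a read."""
    evs = sorted(events, key=lambda e: e["time"])
    root = source_root.lower()
    pairs = []
    for r in evs:
        if not r["path"].lower().startswith(root) or "read" not in classify(r["mask"]):
            continue
        for w in evs:
            if (w["user"], w["process"]) != (r["user"], r["process"]):
                continue
            if w["path"].lower().startswith(root) or "write" not in classify(w["mask"]):
                continue
            if timedelta(0) <= w["time"] - r["time"] <= window:
                pairs.append((r["user"], r["path"], w["path"]))
    return pairs

if __name__ == "__main__":
    parsed = [parse_4663(r) for r in SAMPLE_EVENTS]
    for ev in parsed:
        print(ev["time"].time(), ev["user"], ev["path"], sorted(classify(ev["mask"])))
    print("read-only:", read_only_accesses(SAMPLE_EVENTS))
    print("copy candidates:", copy_candidates(parsed, "F:\\"))
```

Run as-is it classifies the five constructed events: jdoe's Excel open is a content read, the Properties view is metadata only (READ_CONTROL, no ReadData), and asmith's read of the F: file followed one second later by a write to the Desktop path is reported as a copy candidate. The same bit test (mask AND 0x1 set, no write or delete bits) is what a Splunk search has to express on the extracted Access Mask field; filtering on the event code alone cannot separate reads from writes.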