Events 4656 and 4663

adrianmiron
Explorer

Hello,

My intention is to create a report, based on the log below, that tells me when a new object (file or folder) was created in the "D:\Folder A\Folder B"
location. I also need to find out when an object was deleted. I have object access auditing turned on and that part works.

I can see events in windows event logs when a file or folder gets added or removed. My problem is reporting on those events in splunk.

This is the query I am currently using:

Folder A* "EventCode=4656" OR "EventCode=4663" OR Accesses="DELETE" OR WriteData | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z") | eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created", Accesses="DELETE", "Deleted") | Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type" | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action

With the query above I can get data about objects being removed, but not about objects being added. The reason is that the field Accesses has multiple values and the first value is always DELETE, even when an object is added or created.

If I do a straight query on Folder A* "EventCode=4656", Splunk shows the Accesses field on the left-hand side, and only displays one value, DELETE.

I have been fighting with this for a few weeks, and although I feel I am very close I can't seem to make it happen.

Your help is greatly appreciated and I thank you in advance.


LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=File System
OpCode=Info
RecordNumber=15524727
Keywords=Audit Success
Message=A handle to an object was requested.

Object:
    Object Server:    Security
    Object Type:      File
    Object Name:      D:\Folder A\Folder B\New folder
    Handle ID:        0x4a4

Process Information:
    Process ID:       0x208c
    Process Name:     C:\Windows\explorer.exe

Access Request Information:
    Transaction ID:   {00000000-0000-0000-0000-000000000000}
    Accesses:         DELETE
                      READ_CONTROL
                      WRITE_DAC
                      SYNCHRONIZE
                      ReadData (or ListDirectory)
                      WriteData (or AddFile)
                      ReadEA
                      WriteEA
                      ReadAttributes
                      WriteAttributes

    Access Reasons:   DELETE: Unknown or unchecked
                      READ_CONTROL: Unknown or unchecked
                      WRITE_DAC: Unknown or unchecked
                      SYNCHRONIZE: Unknown or unchecked
                      ReadData (or ListDirectory): Unknown or unchecked
                      WriteData (or AddFile): Unknown or unchecked
                      ReadEA: Unknown or unchecked
                      WriteEA: Unknown or unchecked
                      ReadAttributes: Unknown or unchecked
                      WriteAttributes: Unknown or unchecked

    Access Mask:      0x17019b

02/11/2014 08:49:25 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=File System
OpCode=Info
RecordNumber=15524662
Keywords=Audit Success
Message=An attempt was made to access an object.

Object:
    Object Server:    Security
    Object Type:      File
    Object Name:      D:\Folder A\Folder B\New folder
    Handle ID:        0x558

Process Information:
    Process ID:       0x208c
    Process Name:     C:\Windows\explorer.exe

Access Request Information:
    Accesses:         DELETE

    Access Mask:      0x10000
1 Solution

lukejadamec
Super Champion

You can try using the append command:

Folder A* "EventCode=4663" | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z") | eval Action=case(Accesses="DELETE", "Deleted") | Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type" | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action | append [search Folder A* "EventCode=4656" | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z") | eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created") | Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type" | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action]

I left the case statement in because you have a third value, so I left that one in both.


jbala1
Engager

I am having a similar problem as the original poster. Splunk will always log the first result in the Accesses or Access_Reasons list. Is there a way to list all Accesses or Access Reasons?


dstaulcu
Builder

Just came across this thread after noticing that full access lists for object access events exceeded field extraction limits.

My workaround will be to define extractions for each class of access listing specific words I am concerned about the return of.

EventCode="4656" source=WinEventLog:security splunkforwarder 
| rex max_match=0 "(?<change_level_accesses>(DELETE|WRITE_DAC|WRITE_OWNER|Set service configuration information|Stop the service|Pause or continue the service))"
| table _time host change_level_accesses
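To make the failure mode in this thread concrete outside Splunk, here is an added example in Python. It is not code from any of the posters and not Splunk's own; it takes constructed events modelled on the two quoted in the question (the account names, timestamps and the third event are made up for the example), shows that a first-line extraction of Accesses always yields DELETE, extracts the whole list the way dstaulcu's rex max_match=0 does, and then builds the Created/Deleted report the question asks for using the rule adrianmiron settled on: 4663 carrying DELETE is a deletion, 4656 carrying WriteData (or AddFile) is a creation.

```python
import re
from datetime import datetime

# Constructed sample events (not the poster's raw data), modelled on the two
# events quoted in the question: the 4656 handle request on "New folder",
# whose Accesses list starts with DELETE, the 4663 that actually deletes it,
# and a 4663 read outside the audited folder that the report must ignore.
SAMPLE_EVENTS = [
    "02/11/2014 08:49:25 AM\nLogName=Security\nEventCode=4656\n"
    "ComputerName=computer1\nMessage=A handle to an object was requested.\n\n"
    "Subject:\n\tAccount Name:\talice\n\nObject:\n\tObject Type:\tFile\n"
    "\tObject Name:\tD:\\Folder A\\Folder B\\New folder\n\n"
    "Access Request Information:\n\tAccesses:\tDELETE\n\t\t\tREAD_CONTROL\n"
    "\t\t\tWRITE_DAC\n\t\t\tSYNCHRONIZE\n\t\t\tReadData (or ListDirectory)\n"
    "\t\t\tWriteData (or AddFile)\n\t\t\tReadEA\n\t\t\tWriteEA\n"
    "\t\t\tReadAttributes\n\t\t\tWriteAttributes\n\n"
    "\tAccess Reasons:\tDELETE: Unknown or unchecked\n\n"
    "\tAccess Mask:\t0x17019b\n",
    "02/11/2014 08:51:02 AM\nLogName=Security\nEventCode=4663\n"
    "ComputerName=computer1\nMessage=An attempt was made to access an object.\n\n"
    "Subject:\n\tAccount Name:\talice\n\nObject:\n\tObject Type:\tFile\n"
    "\tObject Name:\tD:\\Folder A\\Folder B\\New folder\n\n"
    "Access Request Information:\n\tAccesses:\tDELETE\n\n"
    "\tAccess Mask:\t0x10000\n",
    "02/11/2014 09:00:00 AM\nLogName=Security\nEventCode=4663\n"
    "ComputerName=computer1\nMessage=An attempt was made to access an object.\n\n"
    "Subject:\n\tAccount Name:\tbob\n\nObject:\n\tObject Type:\tFile\n"
    "\tObject Name:\tD:\\Other\\notes.txt\n\n"
    "Access Request Information:\n\tAccesses:\tReadData (or ListDirectory)\n\n"
    "\tAccess Mask:\t0x1\n",
]

TIME_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)", re.M)
FIELD_RES = {  # the fields the question's table uses
    "EventCode": re.compile(r"^EventCode=(\d+)$", re.M),
    "host": re.compile(r"^ComputerName=(.+)$", re.M),
    "Account_Name": re.compile(r"^\s*Account Name:[ \t]*(.+)$", re.M),
    "Object_Type": re.compile(r"^\s*Object Type:[ \t]*(.+)$", re.M),
    "Object_Name": re.compile(r"^\s*Object Name:[ \t]*(.+)$", re.M),
}
# First line after "Accesses:" only: what a single-valued field extraction sees.
FIRST_ACCESS_RE = re.compile(r"Accesses:[ \t]*([^\n]+)")
# Everything from "Accesses:" to the next blank line: the full list of rights.
ACCESS_BLOCK_RE = re.compile(r"Accesses:[ \t]*(.*?)(?:\n[ \t]*\n|\Z)", re.S)


def first_access(raw):
    """The single value a first-line extraction returns (DELETE for every 4656 here)."""
    m = FIRST_ACCESS_RE.search(raw)
    return m.group(1).strip() if m else None


def all_accesses(raw):
    """Every right in the Accesses list; the SPL equivalent is rex max_match=0."""
    m = ACCESS_BLOCK_RE.search(raw)
    if not m:
        return []
    return [line.strip() for line in m.group(1).split("\n") if line.strip()]


def naive_action(first_value):
    """The thread's original case() logic applied to a single-valued Accesses field."""
    if first_value in ("READ_CONTROL", "WriteData (or AddFile)"):
        return "Created"
    if first_value == "DELETE":
        return "Deleted"
    return None


def action(event_code, accesses):
    """Thread's rule: 4663 with DELETE = Deleted; 4656 with WriteData = Created."""
    if event_code == 4663 and "DELETE" in accesses:
        return "Deleted"
    if event_code == 4656 and any(a.startswith("WriteData") for a in accesses):
        return "Created"
    return None


def build_report(events, folder):
    """Rows with the question's column names, for objects under `folder` only."""
    prefix = (folder.rstrip("\\") + "\\").lower()  # Windows paths compare case-insensitively
    rows = []
    for raw in events:
        fields = {}
        for name, rx in FIELD_RES.items():
            m = rx.search(raw)
            fields[name] = m.group(1).strip() if m else None
        obj = fields["Object_Name"] or ""
        if not obj.lower().startswith(prefix):
            continue  # outside the audited folder: the Folder A* text match is looser than this
        act = action(int(fields["EventCode"]), all_accesses(raw))
        if act is None:
            continue  # neither a create nor a delete under the thread's rule
        tm = TIME_RE.search(raw)
        stamp = datetime.strptime(tm.group(1), "%m/%d/%Y %I:%M:%S %p") if tm else None
        rows.append({
            "What Time": stamp.strftime("%m/%d/%y %H:%M:%S") if stamp else None,
            "Who did it": fields["Account_Name"],
            "On What Server": fields["host"],
            "Object Name": obj,
            "Object Type": fields["Object_Type"],
            "Action": act,
        })
    return rows


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        first = first_access(raw)
        print("first value:", first, "-> naive:", naive_action(first), "| full list:", all_accesses(raw))
    for row in build_report(SAMPLE_EVENTS, "D:\\Folder A\\Folder B"):
        print(row)
```

Two things carry over to the SPL side. First, the classification needs a real multivalue field: a `rex max_match=0` over the raw event (as in dstaulcu's search) gives one, and a membership test such as `mvfind()` on that field replaces the `case(Accesses="...")` comparisons, which only ever see the first value; that also removes the need for `append`, so drill-down keeps working. Second, 4656 records a handle request (the Message text says so), so "Created" here means a handle with WriteData/AddFile rights was requested on that path, which is what the thread treats as a creation; 4663 is the access that actually happened.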

lukejadamec
Super Champion

Sorry for the delay.

Have you tried this?:

("EventCode=4663" NOT $ NOT Accesses="WriteData")
OR
("EventCode=4656" NOT $ NOT Accesses="DELETE")
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
| eval Action=case(Accesses="READ_CONTROL","Created", Accesses="WriteData", "Created", Accesses="DELETE", "Deleted")
| Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
| table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action

If it works, then you should be able to drill down.



adrianmiron
Explorer

Sorry I had to answer it in two different comments, because of the character limit.

adrianmiron
Explorer

This is the one that gave me the results I wanted.

"EventCode=4663" NOT $ NOT Accesses="WriteData" | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z") | eval Action=case(Accesses="DELETE", "Deleted") | Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type" | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action | append [search "EventCode=4656" NOT $ NOT Accesses="DELETE" | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z") | eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created") | Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type" | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action]

lukejadamec
Super Champion

Everyone calls me Luke. Drill down is a problem with appended searches.
Post your working search... I'll bet they can be combined into a non appended search.

adrianmiron
Explorer

Thank you for your help Luke. I hope I'm not offending you by calling you Luke. The results of the last modification are exactly what I want. However, it creates a different problem. Because of the append, I am not able to drill down on an event in the report.


lukejadamec
Super Champion

I updated the search to make more sense based on what you just said. What you'll need to do is focus on the 4656 search only. Get that search to generate the results you want, and then append it as I've done in the example above.


adrianmiron
Explorer

Thank you lukejadamec. Unfortunately that did not work. My Action field is still reporting Delete for every result. Event 4663 only has the value Delete for the Accesses field. Event 4656 has everything you see in my log. The Action field should be reporting either Created or Delete depending on whether the event has the WriteData (or AddFile) value for the Accesses field.
