Hello,
My intention is to create a report, based on the log below, that tells me when a new object (file or folder) was created in the "D:\Folder A\Folder B"
location. I also need to find out when an object was deleted. I have object access auditing turned on and that part works.
I can see events in windows event logs when a file or folder gets added or removed. My problem is reporting on those events in splunk.
This is the query I am currently using:
Folder A* "EventCode=4656" OR "EventCode=4663" OR Accesses="DELETE" OR WriteData
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
| eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created", Accesses="DELETE", "Deleted")
| rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
| table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action
With the query above I can get data about objects being removed, but not about objects being added. The reason is that the field Accesses has multiple values and the first value is always DELETE, even when an object is added or created.
If I do a straight query on Folder A* "EventCode=4656", Splunk shows the Accesses field on the left-hand side and only displays one value, DELETE.
I have been fighting with this for a few weeks, and although I feel I am very close I can't seem to make it happen.
Your help is greatly appreciated and I thank you in advance.
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=File System
OpCode=Info
RecordNumber=15524727
Keywords=Audit Success
Message=A handle to an object was requested.
Object:
Object Server: Security
Object Type: File
Object Name: D:\Folder A\Folder B\New folder
Handle ID: 0x4a4
Process Information:
Process ID: 0x208c
Process Name: C:\Windows\explorer.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Access Reasons: DELETE: Unknown or unchecked
READ_CONTROL: Unknown or unchecked
WRITE_DAC: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Unknown or unchecked
ReadEA: Unknown or unchecked
WriteEA: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Unknown or unchecked
Access Mask: 0x17019b
02/11/2014 08:49:25 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=computer1
TaskCategory=File System
OpCode=Info
RecordNumber=15524662
Keywords=Audit Success
Message=An attempt was made to access an object.
Object:
Object Server: Security
Object Type: File
Object Name: D:\Folder A\Folder B\New folder
Handle ID: 0x558
Process Information:
Process ID: 0x208c
Process Name: C:\Windows\explorer.exe
Access Request Information:
Accesses: DELETE
Access Mask: 0x10000
You can try using the append command:
Folder A* "EventCode=4663"
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
| eval Action=case(Accesses="DELETE", "Deleted")
| rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
| table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action
| append [search Folder A* "EventCode=4656"
    | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
    | eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created")
    | rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
    | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action]
I left the case statement in because you have a third value, so I left that one in both.
I am having a similar problem as the original poster. Splunk will always log the first Result in the Accesses or Access_Reasons list. Is there a way to list all Accesses or Access Reasons?
Just came across this thread after noticing that full access lists for object access events exceeded field extraction limits.
My workaround will be to define extractions for each class of access listing specific words I am concerned about the return of.
EventCode="4656" source=WinEventLog:security splunkforwarder
| rex max_match=0 "(?<change_level_accesses>(DELETE|WRITE_DAC|WRITE_OWNER|Set service configuration information|Stop the service|Pause or continue the service))"
| table _time host change_level_accesses
Sorry for the delay.
Have you tried this?:
("EventCode=4663" NOT $ NOT Accesses="WriteData")
OR
("EventCode=4656" NOT $ NOT Accesses="DELETE")
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
| eval Action=case(Accesses="READ_CONTROL","Created", Accesses="WriteData", "Created", Accesses="DELETE", "Deleted")
| Rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
| table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action
If it works, then you should be able to drill down.
This is the one that gave me the results I wanted.
"EventCode=4663" NOT $ NOT Accesses="WriteData"
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
| eval Action=case(Accesses="DELETE", "Deleted")
| rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
| table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action
| append [search "EventCode=4656" NOT $ NOT Accesses="DELETE"
    | eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
    | eval Action=case(Accesses="READ_CONTROL", "Created", Accesses="WriteData", "Created")
    | rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
    | table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action]
Sorry I had to answer it in two different comments, because of the number of characters limitation.
Everyone calls me Luke. Drill down is a problem with appended searches.
Post your working search... I'll bet they can be combined into a non appended search.
Thank you for your help Luke. I hope I'm not offending you by calling you Luke. The results of the last modification are exactly what I want. However, it creates a different problem. Because of the append, I am not able to drill down on an event in the report.
I updated the search to make more sense based on what you just said. What you'll need to do is focus on the 4656 search only. Get that search to generate the results you want, and then append it as I've done in the example above.
Thank you lukejadamec. Unfortunately that did not work. My Action field is still reporting Delete for every result. Event 4663 only has the value Delete for the Accesses field. Event 4656 has everything you see in my log. The Action field should be reporting either Created or Delete depending on whether the event has the WriteData (or AddFile) value for the Accesses field.
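Two points in this thread are never resolved together: the original post's problem that only the first value of Accesses is extracted, and the later complaint that an appended search breaks drill-down. The search below is an added example, not from any poster in this thread; it assumes the source name WinEventLog:Security and the field names shown in the posted events, and it re-extracts the whole Accesses block from _raw so it does not depend on the one-value Accesses field, which lets the report stay a single non-appended search.

```spl
source="WinEventLog:Security" (EventCode=4656 OR EventCode=4663) Object_Name="D:\\Folder A\\Folder B\\*"
| rex "(?s)Accesses:\s+(?<access_block>.+?)\s+Access (?:Reasons|Mask):"
| eval Action=case(
      EventCode="4656" AND like(access_block, "%WriteData (or AddFile)%"), "Created",
      EventCode="4663" AND like(access_block, "%DELETE%"), "Deleted")
| where isnotnull(Action)
| eval Time=strftime(_time, "%m/%d/%y %H:%M:%S %Z")
| rename Time as "What Time" Account_Name as "Who did it" host as "On What Server" Object_Name as "Object Name" Object_Type as "Object Type"
| table "What Time" "Who did it" "On What Server" "Object Name" "Object Type" Action
```

Keep in mind that 4656 records a handle request rather than a completed write, so a Created row means the process asked for AddFile rights on that path, while 4663 is the access that was actually attempted.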