File Integrity Monitoring: How to search Read reco...

fmpa_isaac · ‎01-05-2016

I am trying to report on a File Monitoring report that picks up all operations such as Read, Created, Wrote etc. However, I only want to see Read records where the individual accessed a document. I do not care about Read’s accessing a folder. Keeping in mind that I also want to see all other operation types. I’m thinking of a search command where the Read operation is within parenthesis looking specifically in the directory field for a File extension.

Here is my search criteria:

host = 10.0.0.3 "D:\\Data\\public\\human" | transaction user, _time | table  user, operation, directory, _time,

abrarfakhri · ‎02-04-2016

Guessing that operation value can be either Read, Created etc.
You can easily get "Read" by changing the query as follows:

host = 10.0.0.3 "D:\\Data\\public\\human" operation="Read" | transaction user, _time | table  user, operation, directory, _time

Also, without knowing exactly what result set you're trying to get, my suggestion is not to use transaction but it is an expensive command.

You can use stats.

host = 10.0.0.3 "D:\\Data\\public\\human" operation="Read" | stats  operation, directory, _time by user

File Integrity Monitoring: How to search Read records where an individual accessed a document, not a folder?

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...