Hello there,
I'm trying to monitor file access on our file server (Windows 2012 R2) with Splunk Light but I can't quite figure out what to look at as there are just so many events which also seems not quite... intuitive?
I have a list of things I want to achieve ordered by priority
1. detect any file that has been deleted (gone from the server, not moved to a subdirectory or something)
2. detect any modification made to a file
3. detect any readings on files
While I think these are pretty basic things on a file server, it seems to me that it is very difficult, especially to distinguish the events that are created. Here's a list of things I don't care about (yet):
1. who accessed a share
2. who listed a directory
3. that it was checked that a user has permission for any handle or whatever
So far I've gone through the trouble of modifying the local policies and ACL to get the folowing event-codes:
- 5145 (98%)
- 4656 (0,6%)
- 4663 (0,4%)
- 4660 (0,3%)
- 5140 (0,1%)
- 4659 (0,004%)
- 4719 (0,001%)
Can anyone tell me how to achieve my goals with these events or hint me into directions?
See if this helps
1. detect any file that has been deleted (gone from the server, not moved to a sub-directory or something)
Event Code=4663 AND Accesses= DELETE AND Object Type=File
2. detect any modification made to a file
Event Code=4663 AND Accesses= WriteData AND Object Type=File
3. detect any readings on files
http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/
Ha! My indexer had the Security stanza disabled. Enabled the Security Stanza for Windows_TA on the Indexer (have it on forwarder and search head as well) and Access=Delete shows up now for Event ID: 4656
arg, the appropriate search to find deleted files is:
EventCode=4656 Accesses=DELETE
Accesses field was what I was having trouble with.
See if this helps
1. detect any file that has been deleted (gone from the server, not moved to a sub-directory or something)
Event Code=4663 AND Accesses= DELETE AND Object Type=File
2. detect any modification made to a file
Event Code=4663 AND Accesses= WriteData AND Object Type=File
3. detect any readings on files
http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/