Splunk Search

How to extract data from Microsoft Event Code 4656 (Failed Object Access) ?

jbala1
Engager

I'm reviewing Microsoft Event Code 4656 (Failed Object Access), but when I try to audit Accesses or Access Reasons, Splunk will only return the first event in that field (in this situation it's DELETE). I'm trying to find a way to table all results to see everything in that field (i.e. Read Control, Write DAC, Synchronize, ReadData, WriteData too), not just DELETE.

I've tried mvindex, stats list(Accesses), stats values(Accesses)...but the results always return the first result. I was thinking maybe I have to write a regular expression to list everything between Accesses: to Access Reasons:, AND Access Reasons: to Access Masks:

Any information you can provide me would be appreciated because right now I'm stuck.

index=winevents sourcetype=wineventlog:security EventCode=4656
| "this is where I'm stuck"
| table user, host, Object_Name, Access_Reasons

Accesses: DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: DELETE: Unknown or unchecked
READ_CONTROL: Unknown or unchecked
WRITE_DAC: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Unknown or unchecked
ReadEA: Unknown or unchecked
WriteEA: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Unknown or unchecked

Access Mask:


cpetterborg
SplunkTrust

Using the data that you provided, this is an example of the rex command(s) that will extract the information that you want (I believe):

| makeresults 
| eval raw="Accesses: DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: DELETE: Unknown or unchecked
READ_CONTROL: Unknown or unchecked
WRITE_DAC: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Unknown or unchecked
ReadEA: Unknown or unchecked
WriteEA: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Unknown or unchecked

Access Mask:" 
| rex field=raw "Accesses:\s(?P<accesses>[\s\S]*?)\s+Access Reasons:\s(?P<reasons>[\s\S]*?)\s+Access Mask:" ```cut the two blocks out of the message; the \s after each header keeps the first value from starting with a space```
| rex field=accesses max_match=0 "(?P<accesseslist>.+)" ```one multivalue entry per line, since . does not cross a newline```
| rex field=reasons max_match=0 "(?P<reasonslist>.+)"

The only lines that you probably need to worry about are the last three rex commands. They extract the data into the fields, which are further separated into a multi-valued set of fields by the last two rex commands.

Hopefully this is what you want, but please comment if there is something else that you need.

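As an added example that is not part of the original thread, the Python below replicates the two-stage extraction from the accepted answer so the patterns can be checked offline before they go into a rex. It uses the same PCRE-style patterns (Python's re module accepts them), runs them over the Accesses / Access Reasons block quoted in the question (embedded here as a constructed string, not a captured event), splits the two blocks line by line the way `rex max_match=0` does, and additionally pairs each access with its reason, which the SPL leaves as two parallel multivalue fields. The function and variable names are my own.

```python
import re

# Constructed sample: the Accesses / Access Reasons / Access Mask portion of a
# 4656 message, copied from the question above. Not a captured event.
SAMPLE_4656_TAIL = """Accesses: DELETE
READ_CONTROL
WRITE_DAC
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: DELETE: Unknown or unchecked
READ_CONTROL: Unknown or unchecked
WRITE_DAC: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Unknown or unchecked
ReadEA: Unknown or unchecked
WriteEA: Unknown or unchecked
ReadAttributes: Unknown or unchecked
WriteAttributes: Unknown or unchecked

Access Mask:"""

# Stage 1: the same pattern as the accepted answer's first rex, with a \s after
# "Access Reasons:" so the first reason does not carry a leading space.
SECTIONS_RE = re.compile(
    r"Accesses:\s(?P<accesses>[\s\S]*?)\s+Access Reasons:\s"
    r"(?P<reasons>[\s\S]*?)\s+Access Mask:"
)

# Stage 2: equivalent of `rex max_match=0 "(?P<x>.+)"`. "." does not cross a
# newline, so findall returns one match per non-empty line.
LINE_RE = re.compile(r".+")

# Splits "ReadData (or ListDirectory): Unknown or unchecked" at the first ": "
# so the parenthesised alias stays with the access name.
REASON_RE = re.compile(r"^(?P<access>.+?):\s(?P<reason>.+)$")


def extract_sections(message):
    """Stage 1: return (accesses_block, reasons_block), or None if absent."""
    m = SECTIONS_RE.search(message)
    if m is None:
        return None
    return m.group("accesses"), m.group("reasons")


def split_lines(block):
    """Stage 2: one value per line, like a multivalue field from max_match=0."""
    return LINE_RE.findall(block)


def parse_4656_accesses(message):
    """Return {'accesses': [...], 'reasons': {access: reason}}, or None."""
    sections = extract_sections(message)
    if sections is None:
        return None
    accesses_block, reasons_block = sections
    reasons = {}
    for line in split_lines(reasons_block):
        rm = REASON_RE.match(line)
        if rm:
            reasons[rm.group("access")] = rm.group("reason")
    return {"accesses": split_lines(accesses_block), "reasons": reasons}


def first_token_only(message):
    """A single-line capture of 'Accesses' stops at the first newline, which
    reproduces the symptom in the question: only DELETE comes back."""
    m = re.search(r"Accesses:\s(?P<first>.+)", message)
    return m.group("first") if m else None


if __name__ == "__main__":
    parsed = parse_4656_accesses(SAMPLE_4656_TAIL)
    print("single-line extraction sees:", first_token_only(SAMPLE_4656_TAIL))
    print("all accesses:", parsed["accesses"])
    for access, reason in parsed["reasons"].items():
        print(f"  {access!r} -> {reason!r}")
```

Because the patterns are the same as in the rex commands, a message pasted into `SAMPLE_4656_TAIL` that parses here will parse in Splunk; a message that returns None points at a header that differs from "Accesses:", "Access Reasons:" or "Access Mask:" in the actual event text.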


jbala1
Engager

Thank you for your assistance. It worked!!!!
