Hello, I am trying to setup a report which will list all user activities in the F: drive. PFB my inputs.conf : [WinEventLog://Security] disabled = 0 index = fgfdstore start_from = newest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 15 whitelist1 = 4663,4656 renderXml = false I have also prepared the below search query : index=<indexname> Object_Name="F:*" NOT *.*tmp | eval folder = mvindex(split(lower(Object_Name),"\\"),3) | table _time, Account_Name, folder, Object_Name, Accesses | rename Object_Name as "File Path", Account_Name as UserName | dedup UserName, "File Path", Accesses | sort -_time With this setup I am able to track activities like delete, modify, READ_CONTROL and create. However, I am still not getting records when my colleague opened a file in F: drive as a test run. Also, I am not able to understand how I can tell if a file is being copied from F: drive without opening it. My question is, 1. How can i track if a file is read but not modified ? 2. How can i tell if a file is copied without ever opening it ? I am new to Splunk and my questions may appear naïve and simple. Any help, guidance and suggestion is highly appreciated.
... View more