I'm trying to tweak a search to create an alert for it. I started with a pretty long search...
560 host="rhea" Object_Name="D:\Secure\HR\." NOT Object_Name="~$" NOT Object_Name="*.tmp" NOT "user=SYSTEM" Accesses="READ_CONTROL" OR Accesses="SYNCHRONIZE" OR Accesses="DELETE" | convert timeformat="%Y-%m-%d-%H:%M" ctime(_time) AS c_time | table c_time, Object_Name, User | dedup c_time Object_Name User | rename c_time AS Time Object_Name AS "File Accessed" | uniq
I put the . in the search to exclude folders, I only want to return access attempts to files.
When this kept returning folders, I started to tweak it down. I tried manually changing searches, and even clicking the keys in the web page to have it automatically add some criteria.
When I clicked 'User' and selected 'SYSTEM' all of my search results disappeared. I realized that this created conflicting criteria (User!="SYSTEM" and User="SYSTEM") so I manually deleted the second one. Still no results.
I removed criteria all the way down to Object_Name="D:\Secure\HR\." with a date range of last 30 days, and still no results (there were plenty of results before; I was trying to narrow them down).
After considerable confusion, I clicked 'Actions' and 'Inspect Search Job' and the resulting page showed why there were no results.
This is what the search job inspector showed as the search...
search search EventCode="560" | search Object_Name="\Secure\HR\*." | search NOT User="SYSTEM" | dedup _time Object_Name User | convert timeformat="%Y-%m-%d-%H:%M:%S" ctime(_time) AS c_time | search User="SYSTEM" | table c_time, Object_Name, User | rename c_time AS Time Object_Name AS "File Accessed"
I couldn't see in my original page where all of the other criteria were hidden.
Is this a bug, or by design?
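For comparison, here is an added version of the search (not the poster's, not from the original thread) with the three Accesses alternatives parenthesized so that the host, path and NOT exclusions apply to every branch rather than only to the first one, and with dedup run on the minute-rounded time after convert so that repeated events in the same minute collapse as intended. It assumes the file pattern was meant to be D:\Secure\HR\*.* and the lock-file exclusion *~$*, since the wildcards appear to have been stripped from the post.

```spl
EventCode=560 host="rhea" Object_Name="D:\Secure\HR\*.*"
    NOT Object_Name="*~$*" NOT Object_Name="*.tmp" NOT User="SYSTEM"
    (Accesses="READ_CONTROL" OR Accesses="SYNCHRONIZE" OR Accesses="DELETE")
| convert timeformat="%Y-%m-%d-%H:%M" ctime(_time) AS c_time
| dedup c_time Object_Name User
| table c_time Object_Name User
| rename c_time AS Time, Object_Name AS "File Accessed"
```

Running this as a saved search and then checking Inspect Search Job shows the same normalized form every time, which makes it easy to spot extra clauses that the field-click actions have appended.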