Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment, this can get out of hand quickly, so you'll want to tweak it to best fit your environment. *Note* you […]
File Accesses in a Windows Environment by user
sourcetype="WinEventLog:Security" user=* (EventCode=560 OR EventCode=4656) | chart count by Type