SPL
Modification to File Permissions in Windows
Description
The following Splunk query works on Windows Server 2008 and newer operating systems. It returns results based on modifications to individual file-level permissions (Security event ID 4670, "Permissions on an object were changed"), excluding changes made by NT AUTHORITY accounts and by unresolved SIDs.
Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
source="WinEventLog:Security" sourcetype="WinEventLog:Security" EventCode=4670 (Security_ID!="NT AUTHORITY*") (Security_ID!="S-*")
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by Date, Account_Name, Process_Name, Keywords, host
| sort - Date
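To show what the search above actually does to the raw events, here is an added Python example (not from the original page or from Splunk) that applies the same logic to constructed event 4670 records: drop anything that is not event 4670, drop Security_IDs matching "NT AUTHORITY*" or "S-*" (unresolved SIDs), bucket by day, count by the same five fields, and sort newest day first. The field names mirror those the Splunk App for Windows extracts from WinEventLog:Security; the sample events, hosts and accounts are constructed, and _time is rendered in UTC (Splunk would use the search head's time zone).

```python
"""Re-implementation of the event 4670 permission-change search over sample data.

Added example, not code from the original page or from Splunk. The events below
are constructed; field names follow what Splunk extracts from WinEventLog:Security.
"""
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def ts(year, month, day, hour):
    """Epoch seconds for a UTC timestamp, standing in for Splunk's _time."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


# Constructed sample events. Two identical alice entries should collapse into
# one row with count 2; the SYSTEM entry, the unresolved-SID entry and the
# non-4670 event should all be dropped.
SAMPLE_EVENTS = [
    {"_time": ts(2023, 11, 14, 9), "EventCode": 4670, "Security_ID": "CORP\\alice",
     "Account_Name": "alice", "Process_Name": "C:\\Windows\\explorer.exe",
     "Keywords": "Audit Success", "host": "FS01"},
    {"_time": ts(2023, 11, 14, 15), "EventCode": 4670, "Security_ID": "CORP\\alice",
     "Account_Name": "alice", "Process_Name": "C:\\Windows\\explorer.exe",
     "Keywords": "Audit Success", "host": "FS01"},
    {"_time": ts(2023, 11, 15, 11), "EventCode": 4670, "Security_ID": "CORP\\bob",
     "Account_Name": "bob", "Process_Name": "C:\\Windows\\System32\\icacls.exe",
     "Keywords": "Audit Success", "host": "FS01"},
    {"_time": ts(2023, 11, 15, 12), "EventCode": 4670, "Security_ID": "NT AUTHORITY\\SYSTEM",
     "Account_Name": "SYSTEM", "Process_Name": "C:\\Windows\\System32\\svchost.exe",
     "Keywords": "Audit Success", "host": "FS01"},
    {"_time": ts(2023, 11, 15, 13), "EventCode": 4670, "Security_ID": "S-1-5-21-1111-2222-3333-1001",
     "Account_Name": "S-1-5-21-1111-2222-3333-1001", "Process_Name": "C:\\Windows\\explorer.exe",
     "Keywords": "Audit Success", "host": "FS01"},
    {"_time": ts(2023, 11, 16, 8), "EventCode": 4663, "Security_ID": "CORP\\bob",
     "Account_Name": "bob", "Process_Name": "C:\\Windows\\explorer.exe",
     "Keywords": "Audit Success", "host": "FS02"},
    {"_time": ts(2023, 11, 16, 9), "EventCode": 4670, "Security_ID": "CORP\\bob",
     "Account_Name": "bob", "Process_Name": "C:\\Windows\\explorer.exe",
     "Keywords": "Audit Success", "host": "FS02"},
]

# Same exclusions as (Security_ID!="NT AUTHORITY*") (Security_ID!="S-*").
EXCLUDED_SID_PATTERNS = ("NT AUTHORITY*", "S-*")


def is_noise(security_id):
    """True if the Security_ID is a built-in NT AUTHORITY principal or an unresolved SID.

    Splunk's search-time field matching is case-insensitive, so both sides are
    lower-cased before the wildcard comparison.
    """
    sid = security_id.lower()
    return any(fnmatchcase(sid, pattern.lower()) for pattern in EXCLUDED_SID_PATTERNS)


def permission_change_stats(events):
    """Return rows equivalent to the stats/sort stages of the SPL search."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != 4670:          # EventCode=4670
            continue
        if is_noise(ev.get("Security_ID", "")):  # Security_ID exclusions
            continue
        # eval Date=strftime(_time, "%Y/%m/%d")
        date = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y/%m/%d")
        key = (date, ev["Account_Name"], ev["Process_Name"], ev["Keywords"], ev["host"])
        counts[key] += 1                         # stats count by ...
    rows = [
        {"Date": k[0], "Account_Name": k[1], "Process_Name": k[2],
         "Keywords": k[3], "host": k[4], "count": n}
        for k, n in counts.items()
    ]
    return sorted(rows, key=lambda r: r["Date"], reverse=True)  # sort - Date


if __name__ == "__main__":
    for row in permission_change_stats(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows: one for bob on 2023/11/16 from FS02, one for bob's icacls.exe change on 2023/11/15, and one for alice on 2023/11/14 with count 2; the SYSTEM change, the unresolved-SID change and the 4663 event never reach the stats stage. Note that the "S-*" exclusion also hides a legitimate account whose SID simply failed to resolve, so a row dropping out of this report is not by itself evidence that no change occurred.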