Successful File Access Attempts and Filename Accessed

Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment, the result set can get out of hand quickly, so you'll want to tweak the query to fit your environment.

*Note* you must have Object Access Auditing enabled. More on that can be found here: https://www.splunk.com/blog/2013/07/08/audit-file-access-and-change-in-windows.html

Another query that may help, using Windows Event Code 5140 (a network share object was accessed), is shown below. Be sure to filter on Share_Path, as even in small environments you may have a large number of these events; for instance, if you were concerned about the shared drive X:\ you'd specify Share_Path="*X:\*".
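As an added example (not from the original post), this Python script applies the same filtering logic offline to a few constructed key=value event lines: keep only Event Code 5140 records, restrict to one day, and match Share_Path against a Splunk-style wildcard such as *X:\*. The field names Account_Name and _time, and every value, are assumed for the sake of the demonstration.

```python
import fnmatch
from collections import Counter

# Constructed sample events in a key=value layout resembling what a Splunk
# Windows add-on extracts from the Security log. Values are invented;
# Share_Path and Account_Name are assumed field names. Event 4663 is
# included to show that the filter discards non-5140 records.
SAMPLE_EVENTS = [
    r"_time=2024-01-15T09:12:00 EventCode=5140 Account_Name=alice Share_Path=\??\X:\Finance Source_Address=10.0.0.5",
    r"_time=2024-01-15T09:15:00 EventCode=5140 Account_Name=alice Share_Path=\??\X:\Finance Source_Address=10.0.0.5",
    r"_time=2024-01-15T10:01:00 EventCode=5140 Account_Name=bob Share_Path=\??\D:\Public Source_Address=10.0.0.9",
    r"_time=2024-01-15T10:30:00 EventCode=4663 Account_Name=bob Object_Name=X:\Finance\budget.xlsx Source_Address=10.0.0.9",
    r"_time=2024-01-16T08:00:00 EventCode=5140 Account_Name=carol Share_Path=\??\X:\HR Source_Address=10.0.0.7",
]


def parse_event(line):
    """Split one key=value line into a dict (sample values contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def successful_share_access(lines, share_path_pattern="*", day=None):
    """Count (Account_Name, Share_Path) pairs for Event Code 5140 records.

    share_path_pattern is a Splunk-style wildcard (only '*' and '?' are
    special, backslashes are literal), applied with fnmatch. day, if given,
    keeps only events whose _time starts with that YYYY-MM-DD string.
    """
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "5140":
            continue
        if day is not None and not ev.get("_time", "").startswith(day):
            continue
        if not fnmatch.fnmatchcase(ev.get("Share_Path", ""), share_path_pattern):
            continue
        counts[(ev["Account_Name"], ev["Share_Path"])] += 1
    return dict(counts)


if __name__ == "__main__":
    # Who touched anything under the X: share on 2024-01-15, and how often?
    for (user, share), n in successful_share_access(SAMPLE_EVENTS, r"*X:\*", day="2024-01-15").items():
        print(f"{user}\t{share}\t{n}")
```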