Ever need to find when a user accessed a file within a Windows environment? The following Splunk query will show successful file accesses by each user for a given day. Depending on the size of your environment the result set can get out of hand quickly, so you’ll want to tweak the filters to best fit your environment.
*Note* you must have Object Access Auditing enabled. More on that can be found here: https://www.splunk.com/blog/2013/07/08/audit-file-access-and-change-in-windows.html
sourcetype=WinEventLog (Relative_Target_Name!="\\" Relative_Target_Name!="*.ini") user!="*$" | bucket span=1d _time | stats count by Relative_Target_Name, user, _time, status | rename _time as Day | convert ctime(Day)
Another query that may assist, utilizing Windows Event Code 5140 (a network share object was accessed), is shown below. Be sure to filter on Share_Path, as even in small environments you may have a large number of these events; for instance, if you were concerned about the shared drive X:\ you’d specify Share_Path="*X:\*".
sourcetype=WinEventLog EventCode=5140 user!="*$" Share_Path="*" | stats count by Share_Path, user, host, _time | sort - user
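To make the filtering in both queries concrete without a Splunk instance, here is an added Python example (not code from the original post) that re-implements the two aggregations over a handful of constructed event records. The field names (Relative_Target_Name, Share_Path, user, EventCode, host, status) mirror the extractions the queries above rely on; the hosts, users, share paths and timestamps are invented sample data. It shows what the post's exclusions actually drop: share-root accesses (Relative_Target_Name of "\"), desktop.ini noise, and machine accounts (user ending in "$"), and it applies the Share_Path wildcard the same way SPL does.

```python
from collections import Counter
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events (not real logs). Field names mirror the Splunk
# Windows TA extractions used by the queries in the post.
SAMPLE_EVENTS = [
    # 5145 (detailed file share access) carries Relative_Target_Name
    {"_time": "2023-05-01T08:15:00Z", "EventCode": "5145", "host": "FS01", "user": "alice",
     "Share_Path": "\\??\\X:\\Finance", "Relative_Target_Name": "Q1\\budget.xlsx", "status": "Success"},
    {"_time": "2023-05-01T09:40:00Z", "EventCode": "5145", "host": "FS01", "user": "alice",
     "Share_Path": "\\??\\X:\\Finance", "Relative_Target_Name": "Q1\\budget.xlsx", "status": "Success"},
    {"_time": "2023-05-02T10:05:00Z", "EventCode": "5145", "host": "FS01", "user": "bob",
     "Share_Path": "\\??\\X:\\Finance", "Relative_Target_Name": "Q1\\budget.xlsx", "status": "Success"},
    # share-root and desktop.ini noise that the first query excludes
    {"_time": "2023-05-01T08:14:00Z", "EventCode": "5145", "host": "FS01", "user": "alice",
     "Share_Path": "\\??\\X:\\Finance", "Relative_Target_Name": "\\", "status": "Success"},
    {"_time": "2023-05-01T08:14:30Z", "EventCode": "5145", "host": "FS01", "user": "alice",
     "Share_Path": "\\??\\X:\\Finance", "Relative_Target_Name": "desktop.ini", "status": "Success"},
    # machine account, excluded by user!="*$"
    {"_time": "2023-05-01T03:00:00Z", "EventCode": "5145", "host": "FS01", "user": "WKS07$",
     "Share_Path": "\\??\\X:\\Finance", "Relative_Target_Name": "Q1\\budget.xlsx", "status": "Success"},
    # 5140 (share-level access) has no Relative_Target_Name
    {"_time": "2023-05-01T08:13:00Z", "EventCode": "5140", "host": "FS01", "user": "alice",
     "Share_Path": "\\??\\X:\\Finance"},
    {"_time": "2023-05-01T11:00:00Z", "EventCode": "5140", "host": "FS02", "user": "carol",
     "Share_Path": "\\??\\C:\\Tools"},
    {"_time": "2023-05-01T11:30:00Z", "EventCode": "5140", "host": "FS01", "user": "SRV02$",
     "Share_Path": "\\??\\X:\\Finance"},
]


def _day(ts):
    """Equivalent of `bucket span=1d _time`: collapse a timestamp to its calendar day."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d")


def file_access_by_day(events):
    """First query: (Relative_Target_Name!="\\" Relative_Target_Name!="*.ini") user!="*$"
    | bucket span=1d _time | stats count by Relative_Target_Name, user, _time, status.
    In SPL a != comparison only matches events that actually carry the field, so
    5140 events (no Relative_Target_Name) drop out here exactly as they do in Splunk.
    Returns {(Relative_Target_Name, user, day, status): count}."""
    counts = Counter()
    for e in events:
        target = e.get("Relative_Target_Name")
        if target is None or target == "\\" or target.lower().endswith(".ini"):
            continue
        if e["user"].endswith("$"):  # machine accounts
            continue
        counts[(target, e["user"], _day(e["_time"]), e["status"])] += 1
    return dict(counts)


def share_access(events, share_glob="*"):
    """Second query: EventCode=5140 user!="*$" Share_Path=<glob>
    | stats count by Share_Path, user, host, _time | sort - user.
    share_glob uses SPL-style wildcards, e.g. "*X:\\*" for the X: drive."""
    counts = Counter()
    for e in events:
        if e["EventCode"] != "5140" or e["user"].endswith("$"):
            continue
        if not fnmatchcase(e["Share_Path"], share_glob):
            continue
        counts[(e["Share_Path"], e["user"], e["host"], e["_time"])] += 1
    rows = [{"Share_Path": k[0], "user": k[1], "host": k[2], "_time": k[3], "count": v}
            for k, v in counts.items()]
    rows.sort(key=lambda r: r["user"], reverse=True)  # `sort - user`
    return rows


if __name__ == "__main__":
    for key, n in sorted(file_access_by_day(SAMPLE_EVENTS).items()):
        print(n, *key)
    for row in share_access(SAMPLE_EVENTS, "*X:\\*"):
        print(row)
```

Note that the second query, as written in the post, groups on the raw _time, so each 5140 event becomes its own row; swapping in the day bucketing from the first function is the usual way to make that output manageable on a busy file server.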