Modification to File Permissions in Windows

The following splunk query works on Windows Sever 2008 and newer operating systems. It returns results based on modifications to individual file level permissions. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ source=”WinEventLog:Security” sourcetype=”WinEventLog:Security” EventCode=4670 (Security_ID!=”NT AUTHORITY*”) (Security_ID!=”S-*”)| eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, Account_Name, Process_Name, Keywords, host | sort […]

Continue Reading →