Hi,
I am trying to generate a search command to track file deletions by user. The current command that I have is:
host="myhost" (EventCode=564) | join Handle_ID [search EventCode=560] | stats values(Object_Name) by user
In this command, myhost refers to the Windows file server where users have access to sensitive files. I want to capture event 564 as it indicates a file deletion, but will also need to capture its corresponding event 560 as it contains the name of the file that was deleted. (From my understanding, a file deletion on Windows will generate events 560 and 564, tied together by the same handle ID.)
The results should display 2 columns, i.e. the user & the files that they've deleted. For example:
user    values(Object_Name)
------  ---------------------------------------------
userA   C:\02 Department\Main\~$2010_Department.doc
userE   C:\Program Files\Dept\2010\Report2010.xls
userJ   D:\Shared\Product\8AABCE.tmp
        D:\Shared\Product\~$TK Product Dec.xls
However, the result does not seem right when I did a check.
For example, running the search command above shows userJ with 2 files deleted. But when I run another search to check:
host="myhost" EventCode="564" user="userJ"
which should produce the number of file deletions by userJ, it shows 5 file deletion events instead of 2.
Any idea on the search command?
Splunk version: 4.1.5
It seems to work with this search command using transaction instead:
host="myhost" EventCode=564 OR EventCode=560 | transaction Handle_ID startswith=(EventCode=560) endswith=(EventCode=564) | stats values(Object_Name) AS Object by User
If anyone has a confirmed solution for identifying object deletion events in Windows, please advise further. Thanks.
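The correlation both the question's join search and the transaction answer are doing can be reproduced outside Splunk, which makes the difference between the two easy to see. The example below is added here and is not code from the original thread or from Splunk: it parses a few constructed 560/564 log lines (simplified single-line key=value layout, not the real multi-line Windows event text), then pairs each 564 with a 560 by Handle_ID in two ways. `deletions_by_join` keeps one 560 per Handle_ID, roughly what `| join Handle_ID [search EventCode=560]` does with its default single match, so a handle ID that the server reused for a later file collapses two deletions into one. `deletions_by_pairing` walks the events in time order and closes the most recent open 560 on each handle when its 564 arrives, which is the startswith/endswith behaviour of `transaction`. The field names (`EventCode`, `Handle_ID`, `Object_Name`, `user`, `Accesses`) follow the thread; the timestamps, users, paths and the reused handle `0x2a8` are assumptions made up for the sample.

```python
"""Pair Windows Security events 560 (Object Open) and 564 (Object Deleted)
by Handle_ID, comparing a join-style lookup with a start/end pairing.

Added example; not from the original post or from Splunk. Log lines are
constructed sample data in a simplified key=value layout.
"""
import re
from collections import defaultdict

# Constructed sample. Handle 0x2a8 is reused by userJ for two different files,
# and the last 560 (notes.txt) is an open without a matching 564.
SAMPLE_LOG = """\
2010-11-01T09:00:01 EventCode=560 user=userA Handle_ID=0x1f4 Object_Name="C:\\02 Department\\Main\\~$2010_Department.doc" Accesses="DELETE"
2010-11-01T09:00:02 EventCode=564 user=userA Handle_ID=0x1f4
2010-11-01T09:05:10 EventCode=560 user=userJ Handle_ID=0x2a8 Object_Name="D:\\Shared\\Product\\8AABCE.tmp" Accesses="DELETE"
2010-11-01T09:05:11 EventCode=564 user=userJ Handle_ID=0x2a8
2010-11-01T09:05:20 EventCode=560 user=userJ Handle_ID=0x2b0 Object_Name="D:\\Shared\\Product\\~$TK Product Dec.xls" Accesses="DELETE"
2010-11-01T09:05:21 EventCode=564 user=userJ Handle_ID=0x2b0
2010-11-01T09:07:00 EventCode=560 user=userJ Handle_ID=0x2a8 Object_Name="D:\\Shared\\Product\\old_forecast.xls" Accesses="DELETE"
2010-11-01T09:07:01 EventCode=564 user=userJ Handle_ID=0x2a8
2010-11-01T09:09:00 EventCode=560 user=userJ Handle_ID=0x2c4 Object_Name="D:\\Shared\\Product\\notes.txt" Accesses="READ_CONTROL"
"""

# key=value, where the value is either "quoted text" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_events(text):
    """Turn each sample line into a dict of fields plus its timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"_time": ts}
        for m in FIELD_RE.finditer(rest):
            ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        events.append(ev)
    return events


def count_deletion_events(events, user):
    """The check search from the question: number of 564 events for one user."""
    return sum(1 for ev in events if ev["EventCode"] == "564" and ev["user"] == user)


def deletions_by_join(events):
    """One 560 per Handle_ID (here the latest), like join's default single match.
    A reused handle therefore maps every 564 on it to the same file name."""
    opens = {}
    for ev in events:
        if ev["EventCode"] == "560":
            opens[ev["Handle_ID"]] = ev
    files = defaultdict(set)  # set: stats values() deduplicates
    for ev in events:
        if ev["EventCode"] == "564":
            opened = opens.get(ev["Handle_ID"])
            if opened is not None:
                files[ev["user"]].add(opened["Object_Name"])
    return {user: sorted(names) for user, names in files.items()}


def deletions_by_pairing(events):
    """startswith=560 / endswith=564 pairing: a 564 closes the most recent
    open 560 on the same handle, so handle reuse yields separate deletions.
    A 560 with no later 564 (an open that never deleted) is never counted."""
    pending = {}
    files = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        handle = ev["Handle_ID"]
        if ev["EventCode"] == "560":
            pending[handle] = ev  # a new 560 on the same handle starts a new pair
        elif ev["EventCode"] == "564":
            opened = pending.pop(handle, None)
            if opened is None:
                continue  # orphan 564: no 560 in range, nothing to name
            files[ev["user"]].append(opened["Object_Name"])
    return dict(files)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("564 events for userJ:", count_deletion_events(evs, "userJ"))
    print("join-style  :", deletions_by_join(evs))
    print("pairing     :", deletions_by_pairing(evs))
```

On the sample, the 564 count for userJ is 3, the pairing returns all three deleted files, and the join-style lookup returns only two because both 564 events on handle `0x2a8` resolve to the file opened last on that handle. That is the same shape of discrepancy the question reports (fewer files from the join than 564 events in the check search), which is why the transaction form gives results that line up.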