How do I search for and combine Windows event pairs (4663 and 4660) that are generated when a file is deleted?

DimkoBilanko
Explorer

I want to find the exact events that point to a file delete event on a Windows share.

There are two events generated at the same time when you delete a file, with the same "Description code", but recorded in sequence within a +/- 3 sec time range: first 4663, then 4660. Their "RecordNumbers" differ by one: in 4660 the record number is one greater than that of 4663.

For instance:

EVENT #2 4660

    11/11/2015 03:11:31 PM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=4660
    RecordNumber=6953203

    Message=Object deleted.

    Субъект:
        Security ID:        MYDOMAIN\UserTest
        User name:          UserTest
        Domain:             MYDOMAIN

    Объект:
        Object Server:      Security
        Description code:   0x16c8

EVENT #1 4663

    11/11/2015 03:11:31 PM
    LogName=Security
    SourceName=Microsoft Windows security auditing.
    EventCode=4663
    RecordNumber=6953202

    Message=Access to the object.

    Субъект:
        Security ID:        MYDOMAIN\UserTest
        User name:          UserTest
        Domain:             MYDOMAIN

    Объект:
        Object Server:      Security
        Object type:        File
        Object Name:        D:\share01\support\MyVideos\Race_the_best.avi
        Description code:   0x16c8

    Сведения о запросе на доступ:
        Операции доступа:   DELETE

How do I find all these event pairs that occurred within a 3 sec time range and combine each pair into one event?

1 Solution

dart
Splunk Employee

Give something like this a try:

sourcetype=WinEventLog:Security (EventCode=4660 OR EventCode=4663) | fields EventCode RecordNumber host User_Name Object_Name Object_type Description_code | eval RecordNumber = if(EventCode==4660, RecordNumber - 1, RecordNumber) | stats values(Object_Name) as Name values(Object_type) as Type values(User_Name) as user by RecordNumber Description_code host

The trick here is subtracting one from the second event's recordnumber so it matches exactly. Alternatively you could do a transaction:

sourcetype=WinEventLog:Security (EventCode=4660 OR EventCode=4663) | fields EventCode RecordNumber host User_Name Object_Name Object_type Description_code | transaction maxspan=3s host Description_code

DimkoBilanko
Explorer

I got it working with the additional parameter "endswith":

host=FileSerevr01 sourcetype="WinEventLog:Security" (EventCode=4663 OR EventCode=4660) | transaction Handle_ID Object_Name maxpause=1s endswith="An object was deleted" | table _time, Account_Name, Object_Name, Accesses

lguinn2
Legend

What output do you want to see? A list of deleted files? The actual events?


DimkoBilanko
Explorer

Yes, I just want to know When-Who-What-Deleted. I want to find and coalesce the two events 4663 and 4660 into one IF:
1 - they have an identical Description code ("0x16c8" in my example);
2 - in event 4660 the RecordNumber is one greater than that of 4663 (4663-6957600 and 4660-6957601);
3 - they occurred within a +/- 3 sec. time range.

Now I have the table like this:

1 | 11.11.2015 17:46 | TestUser | 0x16c8 | 4660 | 6957601 |
2 | 11.11.2015 17:46 | TestUser | 0x16c8 | 4663 | 6957600 | D:\share01\Race_01.avi | DELETE

And want to get this:

11.11.2015 17:46 | TestUser | 0x16c8 | 4663, 4660 | 6957600, 6957601 | D:\share01\Race_01.avi | DELETE

p.s. Am I the first who wants to monitor Windows file shares with Splunk? Because I didn't find any apps for it or any info in the Splunk wiki...

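The join that dart's answer expresses in SPL (subtract one from the 4660 RecordNumber, match on host and Description code, allow a 3 s window) and the When-Who-What table DimkoBilanko describes above, as an added Python example that is not from the thread or from Splunk. It runs offline over constructed events in the WinEventLog:Security key=value layout quoted in the question; the ComputerName line standing in for the host field, the file names and the record numbers are assumptions. It also shows the two cases the SPL silently drops: a 4663 with DELETE access that no 4660 ever confirms, and a 4660 whose neighbouring record number belongs to a different handle.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the thread) in the key=value layout that
# Splunk's WinEventLog:Security input produces. ComputerName stands in for the
# host field; file names and record numbers are invented.
SAMPLE_EVENTS = [
r"""11/11/2015 03:11:31 PM
EventCode=4663
RecordNumber=6953202
ComputerName=FileServer01
    Security ID:        MYDOMAIN\UserTest
    Object Name:        D:\share01\support\MyVideos\Race_the_best.avi
    Description code:   0x16c8
    Операции доступа:   DELETE
""",
r"""11/11/2015 03:11:31 PM
EventCode=4660
RecordNumber=6953203
ComputerName=FileServer01
    Description code:   0x16c8
""",
# DELETE access was exercised, but no 4660 ever confirmed the deletion.
r"""11/11/2015 03:12:05 PM
EventCode=4663
RecordNumber=6953210
ComputerName=FileServer01
    Security ID:        MYDOMAIN\UserTest
    Object Name:        D:\share01\support\Report.docx
    Description code:   0x1700
    Операции доступа:   DELETE
""",
# Adjacent record numbers but different handles: these must NOT be paired.
r"""11/11/2015 03:15:00 PM
EventCode=4663
RecordNumber=6953240
ComputerName=FileServer01
    Security ID:        MYDOMAIN\UserTest
    Object Name:        D:\share01\support\Notes.txt
    Description code:   0x1730
    Операции доступа:   READ_CONTROL
""",
r"""11/11/2015 03:15:00 PM
EventCode=4660
RecordNumber=6953241
ComputerName=FileServer01
    Description code:   0x1740
""",
]

# Field extractions; the accesses label accepts the English and the localized form.
FIELDS = {
    "code": r"^EventCode=(\d+)", "record": r"^RecordNumber=(\d+)",
    "host": r"^ComputerName=(\S+)", "user": r"Security ID:\s+(\S+)",
    "object": r"Object Name:\s+(.+)", "handle": r"Description code:\s+(0x[0-9a-fA-F]+)",
    "accesses": r"(?:Accesses|Операции доступа):\s+(.+)",
}

def parse_event(raw):
    """Parse one event into a dict; the first line is the event timestamp."""
    first = raw.strip().splitlines()[0].strip()
    ev = {"time": datetime.strptime(first, "%m/%d/%Y %I:%M:%S %p")}
    for key, pat in FIELDS.items():
        m = re.search(pat, raw, re.M)
        ev[key] = m.group(1).strip() if m else None
    ev["code"], ev["record"] = int(ev["code"]), int(ev["record"])
    return ev

def pair_deletions(events, window=timedelta(seconds=3)):
    """Join each 4660 to the 4663 one RecordNumber earlier on the same host and
    handle (Description code), within `window`: the three conditions from the thread.
    Returns (deleted rows, 4663 DELETE events with no 4660, 4660 events with no 4663)."""
    by_key = {(e["host"], e["handle"], e["record"]): e for e in events if e["code"] == 4663}
    deleted, orphan_4660, used = [], [], set()
    for ev in sorted(events, key=lambda e: e["record"]):
        if ev["code"] != 4660:
            continue
        key = (ev["host"], ev["handle"], ev["record"] - 1)
        prior = by_key.get(key)
        if prior is None or abs(ev["time"] - prior["time"]) > window:
            orphan_4660.append(ev)  # nothing to join: keep it visible rather than drop it
            continue
        used.add(key)
        deleted.append({"time": prior["time"], "user": prior["user"], "handle": prior["handle"],
                        "codes": "4663, 4660", "records": f"{prior['record']}, {ev['record']}",
                        "object": prior["object"], "accesses": prior["accesses"]})
    unconfirmed = [e for k, e in by_key.items()
                   if k not in used and "DELETE" in (e["accesses"] or "")]
    return deleted, unconfirmed, orphan_4660

def run_sample():
    """Run the join over the constructed events."""
    return pair_deletions([parse_event(r) for r in SAMPLE_EVENTS])

if __name__ == "__main__":
    deleted, unconfirmed, orphan = run_sample()
    for row in deleted:  # one line per deleted file: When | Who | handle | codes | records | What | access
        print(" | ".join(str(row[k]) for k in ("time", "user", "handle", "codes", "records", "object", "accesses")))
    print("4663 DELETE without a 4660:", [e["record"] for e in unconfirmed])
    print("4660 without a matching 4663:", [e["record"] for e in orphan])
```

Running the script prints one row for the Race_the_best.avi deletion in the shape DimkoBilanko asked for, lists record 6953210 as a DELETE access that was never followed by an "Object deleted" event, and lists record 6953241 as a 4660 that could not be attributed to a file because its handle does not match the preceding 4663. In Splunk, the equivalent of those two lists is whatever the `stats ... by RecordNumber Description_code host` output leaves with only one EventCode value, which is worth surfacing rather than filtering out.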