Hello,
In our environment, our users all have a personal folder assigned to them. IT personnel and other users have access to these folders. I want to build a search that will display users that access files/folders in these personal areas who are not the user the folder was created for. The folder will basically be \\servername\sharename\username. I want to be able to see when the user's username doesn't match up with the username (folder name) on the server. For instance, I want to see when user jdoe is accessing the personal area for jschmoe located at \\servername\sharename\jschmoe. I have below an example of the logs I'm working with. The parts of the log that I'm especially interested in are in bold. The first bold portion is the "\\servername\sharename\jschmoe" portion that shows the location of the user's personal folder. The second bold portion is the username that is accessing the personal folder. Any help or suggestions with this would be tremendously helpful.
Security,1812722872,2012-03-13 12:16:40,2012-03-13 12:16:40,560,16,Failure Audit event,3,Object Access,Security,"Security|File|\file_system_name\Home\username\*|-|Open|-|-|-|-|-|username|domain|0x0066dc7808 - X.X.X.X|WRITE_DAC WRITE_OWNER|-",Server_Name,S-1-5-21-684679960-1866280647-358221868-2815,"Object Open: Object Server: Security Object Type: File Object Name: \file_system_name\Home\username\* New Handle ID: - Operation ID: {Open,-} Process ID: - Primary User Name: - Primary Domain: - Primary Logon ID: - Client User Name: username Client Domain: DOMAINNAME Client Logon ID: 0x0066dc7808 - X.X.X.X Accesses WRITE_DAC WRITE_OWNER Privileges - ",
Add this to your search string:
rex field=filename "\\Home\\(?P<homefoldername>.+?)\\"
Note that you can extract a new field (homefoldername) from within an existing field (filename). This makes it easier.
So the overall search string (from your comment) could be:
index=indexname failure| rex field=_raw ",(?P<disposition>(Success|Failure))[^|]+\|[^|]+\|(?P<filename>[^|]+)\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|(?P<username>[^|]+).Logon ID: [a-zA-Z0-9]+ - (?P<src_ip>[^|]+)"
| rex field=_raw "[|].file_system_name0[0-9].(Users|Home).(?P<base_directory>[a-z]+)"
| rex field=filename "\\Home\\(?P<homefoldername>.+?)\\"
| search EventTypeName="Failure Audit event"
| search filename != "esktop.ini"
| search resource_filename != "*win.ini"
and at this point you could also add where homefoldername!=username
to your search. Note that you must use the where command, not the search command. Search can search for field=value, but not field=field.
Try this
your-search-here |
rex "File\|\\.+?\\.+?\\(?<foldername>.+?)\\.*?Open\|-\|-\|-\|-\|-\|(?<username>.+?)\|" |
table foldername username
If that works and looks right, then do this
your-search-here |
rex "File\|\\.+?\\.+?\\(?<foldername>.+?)\\.*?Open\|-\|-\|-\|-\|-\|(?<username>.+?)\|" |
where foldername!=username
The trick is writing the rex command to properly extract the names. rex uses regular expressions, and while I have tried to be careful, I could have gotten this wrong...
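Both answers come down to the same two steps: pull the home-folder owner out of the object path and the accessing account out of the "Client User Name" slot of the message, then keep only the events where the two differ. The Python below is an added example that is not from either answer or from Splunk; it applies the same kind of regexes to a few constructed lines laid out like the event 560 sample in the question. The `make_event` helper, the account names, paths, address and the noise-file list are all made up for the demonstration.

```python
import re

# Layout of the pipe-delimited message in the question's event 560 sample:
#   Security|File|<object name>|<handle id>|Open|<op id>|<pid>|<primary user>|
#   <primary domain>|<primary logon id>|<client user>|<client domain>|<client logon id>|...
# The seven slots between the object name and the client user are skipped with a
# counted group rather than literal "-" so success events (where the primary
# fields can be populated) are parsed the same way as failure events.
EVENT_RE = re.compile(
    r'\|File\|(?P<filename>[^|]+)\|'  # object name, e.g. \file_system_name\Home\jschmoe\*
    r'(?:[^|]*\|){7}'                 # handle id, Open, op id, pid, primary user/domain/logon
    r'(?P<username>[^|]+)\|'          # client user name: the account that touched the file
    r'(?P<domain>[^|]+)\|'            # client domain
)

# Success/Failure comes from the CSV part of the line, as in the first answer's rex.
DISPOSITION_RE = re.compile(r',(?P<disposition>Success|Failure) Audit event,')

# Owner of the personal folder = the path component right after \Home\
# (the same idea as the first answer's "rex field=filename", done in Python).
HOME_RE = re.compile(r'\\Home\\(?P<homefoldername>[^\\]+)(?:\\|$)')


def parse_event(raw):
    """Extract the fields the search needs from one raw line; None if it is not a file event."""
    m = EVENT_RE.search(raw)
    if not m:
        return None
    fields = m.groupdict()
    disp = DISPOSITION_RE.search(raw)
    fields['disposition'] = disp.group('disposition') if disp else None
    home = HOME_RE.search(fields['filename'])
    fields['homefoldername'] = home.group('homefoldername') if home else None
    return fields


def find_foreign_home_access(events, noise=('desktop.ini', 'win.ini')):
    """Return events in which the accessing account is not the owner of the personal folder.

    The comparison is case-insensitive because Windows account names are; in SPL
    the equivalent is `where lower(homefoldername)!=lower(username)`.
    """
    hits = []
    for raw in events:
        ev = parse_event(raw)
        if ev is None or ev['homefoldername'] is None:
            continue  # not a file-access event, or not under \Home\
        if ev['filename'].lower().endswith(noise):
            continue  # the same noise files the question's search excludes
        if ev['homefoldername'].lower() != ev['username'].lower():
            hits.append(ev)
    return hits


def make_event(path, user, domain='DOMAINNAME', disposition='Failure'):
    """Build a constructed raw line in the shape of the question's sample (hypothetical values)."""
    msg = '|'.join(['Security', 'File', path, '-', 'Open', '-', '-', '-', '-', '-',
                    user, domain, '0x00000001 - 192.0.2.10', 'WRITE_DAC WRITE_OWNER', '-'])
    return ('Security,1,2012-03-13 12:16:40,2012-03-13 12:16:40,560,16,'
            f'{disposition} Audit event,3,Object Access,Security,"{msg}",Server_Name,S-1-5-21-0-0-0-1000')


# Constructed sample: names, paths and addresses are made up.
SAMPLE_EVENTS = [
    make_event(r'\file_system_name\Home\jschmoe\*', 'jdoe'),                  # jdoe in jschmoe's folder -> report
    make_event(r'\file_system_name\Home\jschmoe\docs\notes.txt', 'jschmoe'),  # owner in own folder -> fine
    make_event(r'\file_system_name\Home\asmith\*', 'ASMITH'),                 # owner, different case -> fine
    make_event(r'\file_system_name\Home\asmith\desktop.ini', 'jdoe'),         # noise file -> skipped
    make_event(r'\file_system_name\Shared\reports.xlsx', 'jdoe'),             # not a personal folder -> skipped
]

if __name__ == '__main__':
    for ev in find_foreign_home_access(SAMPLE_EVENTS):
        print(f"{ev['disposition']}: {ev['username']} accessed {ev['homefoldername']}'s folder: {ev['filename']}")
```

Two details carry over to the SPL version: skip the fixed slots by count rather than by literal "-" so the same rex also fits success audits, and lower-case both sides before comparing, since `where homefoldername!=username` is case-sensitive while the account names in the logs are not.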
Thank you for your prompt reply. You mentioned that the trick is writing the rex command to properly extract the names. That is my biggest problem at this point. We currently have a search that is extracting the entire path and I'll add it in my comment below.
With this search, we are able to extract the entire path but I still haven't successfully extracted the one field I'm interested in. Could there be anything else we could add in the rex to extract the folder name only? Thanks again for all your help.