Splunk Search

How to search for users accessing files/paths they shouldn't

sC0rP1u5
Explorer

Hello,

In our environment, our users all have a personal folder assigned to them. IT personnel and other users have access to these folders. I'm wanting to build a search that will display users that access files/folders on these personal areas that are not the user the folder was created for. The folder will basically be \\servername\sharename\username. I want to be able to see when the user's username doesn't match up with the username(folder name) on the server. For instance, I want to see when user jdoe is accessing the personal area for jschmoe located at \\servername\sharename\jschmoe. I have below an example of the logs I'm working with. The parts of the log that I'm especially interested in are in bold. The first bold portion is the "\\servername\sharename\jschmoe" portion that shows the location of the user's personal folder. The second bold portion is the username that is accessing the personal folder. Any help or suggestions with this would be tremendously helpful.

Security,1812722872,2012-03-13 12:16:40,2012-03-13 12:16:40,560,16,Failure Audit event,3,Object Access,Security,"Security|File|\file_system_name\Home\username\*|-|Open|-|-|-|-|-|username|domain|0x0066dc7808 - X.X.X.X|WRITE_DAC WRITE_OWNER|-",Server_Name,S-1-5-21-684679960-1866280647-358221868-2815,"Object Open: Object Server: Security Object Type: File Object Name: \file_system_name\Home\username\* New Handle ID: - Operation ID: {Open,-} Process ID: - Primary User Name: - Primary Domain: - Primary Logon ID: - Client User Name: username Client Domain: DOMAINNAME Client Logon ID: 0x0066dc7808 - X.X.X.X Accesses WRITE_DAC WRITE_OWNER Privileges - ",

0 Karma

lguinn2
Legend

Add this to your search string:

rex field=filename "Home.(?P<homefoldername>[^\\\\|]+)"

Note that you can extract a new field (homefoldername) from within an existing field (filename). This makes it easier.
So the overall search string (from your comment) could be:

index=indexname failure
| rex field=_raw ",(?P<disposition>(Success|Failure))[^|]+\|[^|]+\|(?P<filename>[^|]+)\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|(?P<username>[^|]+).*Logon ID: [a-zA-Z0-9]+ - (?P<src_ip>[^|]+)"
| rex field=_raw "[|].file_system_name0[0-9].(Users|Home).(?P<base_directory>[a-z]+)"
| rex field=filename "Home.(?P<homefoldername>[^\\\\|]+)"
| search EventTypeName="Failure Audit event"
| search filename != "*esktop.ini"
| search resource_filename != "*win.ini"

and at this point you could also add where homefoldername!=username to your search. Note that you must use the where command, not the search command. Search can search for field=value, but not field=field.

0 Karma

lguinn2
Legend

Try this

your-search-here | 
rex "File\|\\.+?\\.+?\\(?<foldername>.+?)\\.*?Open\|-\|-\|-\|-\|-\|(?<username>.+?)\|" |
table foldername username

If that works and looks right, then do this

your-search-here | 
rex "File\|\\.+?\\.+?\\(?<foldername>.+?)\\.*?Open\|-\|-\|-\|-\|-\|(?<username>.+?)\|" |
where foldername!=username

The trick is writing the rex command to properly extract the names. rex uses regular expressions, and while I have tried to be careful, I could have gotten this wrong...

0 Karma
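The mismatch check the answer describes, as an added Python example that is not part of this thread: it parses constructed records laid out like the question's pipe-delimited event (`...|File|<object name>|-|Open|-|-|-|-|-|<client user>|<domain>|...`), pulls the home folder name and the client user name the same way the rex does, and keeps the rows where they differ. Server, account and IP values are made up; the desktop.ini/win.ini filter mirrors the search already on the page.

```python
import re

# Constructed sample events in the same pipe-delimited shape as the page's
# event 560 record; server, share, user and IP values are made up.
SAMPLE_EVENTS = [
    r'Security|File|\\fs01\Home\jschmoe\*|-|Open|-|-|-|-|-|jdoe|CORP|0x0066dc7808 - 10.0.0.5|WRITE_DAC WRITE_OWNER|-',
    r'Security|File|\\fs01\Home\jdoe\report.docx|-|Open|-|-|-|-|-|JDoe|CORP|0x0066dc7808 - 10.0.0.5|READ_CONTROL|-',
    r'Security|File|\\fs01\Home\asmith\desktop.ini|-|Open|-|-|-|-|-|jdoe|CORP|0x0066dc7809 - 10.0.0.5|READ_CONTROL|-',
    r'Security|File|\\fs01\Home\asmith\notes.txt|-|Open|-|-|-|-|-|helpdesk1|CORP|0x0066dc7810 - 10.0.0.9|READ_CONTROL|-',
]

# Same idea as the answer's rex: the home folder is the path component right
# after \Home\ in the Object Name; the accessing account is Client User Name.
HOME_RE = re.compile(r'\\Home\\(?P<homefoldername>[^\\|]+)', re.IGNORECASE)
# Files the question's own search already filters out as noise.
NOISE = ('desktop.ini', 'win.ini')


def parse_event(event):
    """Return (homefoldername, username, object_name), or None if the record is not a File open."""
    fields = event.split('|')
    # Object Name is field 2; after "Open" (field 4) come five "-" fields, then Client User Name (field 10).
    if len(fields) < 11 or fields[1] != 'File':
        return None
    object_name, username = fields[2], fields[10]
    m = HOME_RE.search(object_name)
    if not m:
        return None
    return m.group('homefoldername'), username, object_name


def find_cross_user_access(events):
    """Return the events where the accessing user is not the owner of the home folder."""
    hits = []
    for event in events:
        parsed = parse_event(event)
        if parsed is None:
            continue
        folder, user, object_name = parsed
        if object_name.lower().endswith(NOISE):
            continue
        # Windows account and folder names are case-insensitive, so compare case-folded.
        if folder.lower() != user.lower():
            hits.append({'user': user, 'homefolder': folder, 'object': object_name})
    return hits


if __name__ == '__main__':
    for hit in find_cross_user_access(SAMPLE_EVENTS):
        print(f"{hit['user']} opened {hit['object']} (home folder of {hit['homefolder']})")
```

A matching Splunk where clause would compare lower(homefoldername) with lower(username) for the same reason.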

sC0rP1u5
Explorer

index=indexname failure
| rex field=_raw ",(?P<disposition>(Success|Failure))[^|]+\|[^|]+\|(?P<filename>[^|]+)\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|[^|]+\|(?P<username>[^|]+).*Logon ID: [a-zA-Z0-9]+ - (?P<src_ip>[^|]+)"
| rex field=_raw "[|].file_system_name0[0-9].(Users|Home).(?P<base_directory>[a-z]+)"
| search EventTypeName="Failure Audit event"
| search filename != "*esktop.ini"
| search resource_filename != "*win.ini"

0 Karma

sC0rP1u5
Explorer

Thank you for your prompt reply. You mentioned that the trick is writing the rex command to properly extract the names. That is my biggest problem at this point. We currently have a search that is extracting the entire path and I'll add it in my comment below.

With this search, we are able to extract the entire path but I still haven't successfully extracted the one field I'm interested in. Could there be anything else we could add in the rex to extract the folder name only? Thanks again for all your help.

0 Karma