Hello there,
I'm trying to monitor file access on our file server (Windows 2012 R2) with Splunk Light but I can't quite figure out what to look at as there are just so many events which also seems not quite... intuitive?
I have a list of things I want to achieve ordered by priority
1. detect any file that has been deleted (gone from the server, not moved to a subdirectory or something)
2. detect any modification made to a file
3. detect any readings on files
While I think these are pretty basic things on a file server, it seems to me that it is very difficult, especially to distinguish the events that are created. Here's a list of things I don't care about (yet):
1. who accessed a share
2. who listed a directory
3. that it was checked that a user has permission for any handle or whatever
So far I've gone through the trouble of modifying the local policies and ACL to get the folowing event-codes:
- 5145 (98%)
- 4656 (0,6%)
- 4663 (0,4%)
- 4660 (0,3%)
- 5140 (0,1%)
- 4659 (0,004%)
- 4719 (0,001%)
Can anyone tell me how to achieve my goals with these events or hint me into directions?
... View more