Hello!
I need to show audit access to a file in Windows, in the context of a certain group in the AD.
For example: there is a file called file_for_test.doc. To view the latest data on the audit, I use the following code:
host="hostname" sourcetype="WinEventLog" Object_Name="*file_for_test.doc" Accesses="ReadData*" | head 10000 | stats first(_time) as _time by Account_Name,Accesses,EventCode,Object_Name | table _time, Account_Name, Accesses, EventCode, Object_Name
Result:
_time Account_Name Accesses EventCode Object_Name
2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-25 10:59:32 User_2 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-25 08:41:39 User_3 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
But I need to display data only for users in a certain AD group. For example, only User_1 and User_4.
This gets a list of these users:
| ldapsearch domain=dom_name search="(&(objectClass=group)(CN=group_name))" | ldapgroup | table member_name
Result:
member_name
User_1
User_4
How do I combine these 2 requests to get the following result:
_time Account_Name Accesses EventCode Object_Name
2018-09-25 13:24:07 User_1 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
2018-09-24 18:14:33 User_4 ReadData (or ListDirectory) 4663 \Device\file_for_test.doc
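One way to combine the two searches, as an added example that is not part of the original post: run the ldapsearch/ldapgroup query as a subsearch, rename its member_name field to Account_Name so it matches the field in the 4663 events, and let Splunk expand it into an Account_Name filter for the base search. Everything else (host, sourcetype, domain, group name, field names) is taken from the question as written.

```spl
host="hostname" sourcetype="WinEventLog" Object_Name="*file_for_test.doc" Accesses="ReadData*"
    [| ldapsearch domain=dom_name search="(&(objectClass=group)(CN=group_name))"
     | ldapgroup
     | rename member_name as Account_Name
     | fields Account_Name]
| head 10000
| stats first(_time) as _time by Account_Name, Accesses, EventCode, Object_Name
| table _time, Account_Name, Accesses, EventCode, Object_Name
```

The subsearch expands to `(Account_Name="User_1") OR (Account_Name="User_4")`, so only events for group members reach head and stats. Subsearches are capped by default at 10,000 results and 60 seconds, so for very large groups write the membership to a lookup table and filter with `lookup` instead.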