Hello, any help appreciated, newbie in splunk, getting up to speed.
I configured auditing on a Windows file server, have the logs coming from it, and can see the data I want in Splunk. I need to do a conversion of some data within the event and also do a compare of 2 parts of the event (or I may need to rethink how I approach this completely), for example:
Search: index=wineventlog host=it-svr EventCode=4670
I get events, a bunch of other lines/data, then
“
Permissions Change:
Original Security Descriptor: D:PAI(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-13196)(A;OICI;FA;;;S-1-5-21-80226063-1916478206-832717053-36478)(A;;0x1200a9;;;S-1-5-21-80226063-1916478206-832717053-52706)(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-55033)(A;OICI;FA;;;S-1-5-21-80226063-1916478206-832717053-55098)
New Security Descriptor: D:PARAI(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-13196)(A;OICI;FA;;;S-1-5-21-80226063-1916478206-832717053-36478)(A;;0x1200a9;;;S-1-5-21-80226063-1916478206-832717053-52706)(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-55033)
“
I can do the following to find the sid
Search: | ldapsearch search="(&(objectClass=User)(objectSid=S-1-5-21-80226063-1916478206-832717053-55098))"
Which gives me a bunch of output that I could filter down to just line: "displayName: John Doe"
I want to do a compare and just show or output the difference between the Original and New Security Descriptor.
End goal is to report on file permission changes for folders on sensitive file shares. I assume many others have tackled this problem before.
Thank you!
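As an added example (not from the question or from Splunk), here is the comparison logic written in Python: the two SDDL strings from the event above are parsed into their DACL flags and individual ACEs, and the difference is reported per ACE so the SID that gained or lost access can be handed to ldapsearch. The access-mask names in RIGHTS are the standard NTFS permission sets for those masks; everything else (function names, the plain-ACE parser) is this example's own.

```python
import re

# Security descriptors copied from the event 4670 quoted in the question.
ORIGINAL = ("D:PAI(A;OICI;FA;;;SY)"
            "(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-13196)(A;OICI;FA;;;S-1-5-21-80226063-1916478206-832717053-36478)"
            "(A;;0x1200a9;;;S-1-5-21-80226063-1916478206-832717053-52706)(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-55033)"
            "(A;OICI;FA;;;S-1-5-21-80226063-1916478206-832717053-55098)")
NEW = ("D:PARAI(A;OICI;FA;;;SY)"
       "(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-13196)(A;OICI;FA;;;S-1-5-21-80226063-1916478206-832717053-36478)"
       "(A;;0x1200a9;;;S-1-5-21-80226063-1916478206-832717053-52706)(A;OICI;0x1301bf;;;S-1-5-21-80226063-1916478206-832717053-55033)")

# Friendly names for the access masks present in this event (standard NTFS permission sets).
RIGHTS = {"FA": "FullControl", "0x1301bf": "Modify", "0x1200a9": "ReadAndExecute"}

def parse_dacl(sddl):
    """Return (dacl_flags, [ace tuples]) from the D: section; handles plain (non-conditional) ACEs."""
    m = re.search(r"D:([^(]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    flags, ace_text = m.group(1), m.group(2)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        fields = body.split(";")                      # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
        if rights.startswith("0x"):
            rights = rights.lower()                   # normalise hex masks so case never hides a match
        aces.append((ace_type, ace_flags, rights, sid))
    return flags, aces

def diff_descriptors(original, new):
    """Report ACEs removed from / added to the DACL, plus any DACL flag change (e.g. PAI -> PARAI)."""
    old_flags, old_aces = parse_dacl(original)
    new_flags, new_aces = parse_dacl(new)
    removed = [a for a in old_aces if a not in new_aces]
    added = [a for a in new_aces if a not in old_aces]
    return {"dacl_flags": (old_flags, new_flags), "removed": removed, "added": added}

def describe(ace):
    """One-line summary of an ACE; the SID is left raw for ldapsearch to resolve to a displayName."""
    ace_type, ace_flags, rights, sid = ace
    kind = "Allow" if ace_type == "A" else "Deny" if ace_type == "D" else ace_type
    return "%s %s to %s (inherit flags: %s)" % (kind, RIGHTS.get(rights, rights), sid, ace_flags or "-")

if __name__ == "__main__":
    d = diff_descriptors(ORIGINAL, NEW)
    print("DACL flags: %s -> %s" % d["dacl_flags"])
    print("\n".join("REMOVED: " + describe(a) for a in d["removed"]))
    print("\n".join("ADDED:   " + describe(a) for a in d["added"]))
```

For the event above this reports one removed ACE (full control for SID ...-55098) and no added ones, which is the row a permission-change report would show before SID resolution.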