I stopped my last blog post on Windows File Shares noting that there was still more to do. Monitoring Windows File Shares is a three part puzzle. We have already handled the first two, so this blog post is all about the final one – monitoring permission changes.

Let's first consider how one would do this generically. As with the file shares, there is a WMI class for monitoring permissions, but it's harder to use. You need to query it on a per-share basis, like this:

```powershell
gwmi Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
```

The Win32_LogicalShareSecuritySetting class is a complex beast. Fortunately, we only need to know a couple of things. The most important one is the security descriptor. You can get the security descriptor like this:

```powershell
$ss = gwmi Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
$sd = $ss.InvokeMethod('GetSecurityDescriptor',$null,$null)
```

Note that InvokeMethod hands back the method's output parameters (a ReturnValue plus the descriptor itself in a property named Descriptor), so in the code above the descriptor is `$sd.Descriptor`. Once you have the security descriptor, the ACLs are in a property called DACL (which is actually an array, one element per entry in the ACL), and the user or group is embedded in another property inside each DACL entry called Trustee. If you need more information on this object, I suggest reading the excellent blog post by Andrew Buford.

To aid me in this, I created a short script. It contains two cmdlets that are fairly central to this process: Get-NetShare encapsulates the WMI call for obtaining the list of network shares, and I feed its output into the Get-NetShareSecurity cmdlet, which produces the permission objects. Now I can do the following:

```powershell
Get-NetShare | Get-NetShareSecurity
```

There is more going on within the script though, as it is meant to be run as part of the SA-ModularInput-PowerShell addon. Specifically, it encapsulates the logic from last week for emitting the shares only when they change. I've made a few changes. I've added a checksum field so that I only have to store and compare the checksum, rather than every property of the cached object. I've also added a type: is it a new share, an updated share, or just a periodic emission? Finally, I've handled deletions as well by checking the cache against the current list of shares.

I do pretty much the same thing for the permissions. In the file share example, the share name is the primary key. In the permissions example, we have to construct a primary key; I've used the share name and the Security ID (SID) of the user or group as the primary key. Other than that, it's exactly the same code.

One final note: since this script is outputting two different types of data, I leverage a feature of SA-ModularInput-PowerShell that allows me to set the source type within the object. The property for this is called SplunkSourceType. You can use Add-Member to add this to the objects you are emitting.
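The per-share security descriptor walk described above, written out as an added example. This is not the post's script: Get-NetShare and Get-NetShareSecurity are the cmdlet names the post uses, but their bodies here are my own reconstruction, and ConvertTo-ShareRights is a helper I added for readability. It uses the same Win32_Share and Win32_LogicalShareSecuritySetting classes and the same InvokeMethod call, and adds the checks a practitioner wants: the share name is escaped before it lands inside the WQL filter string, the method's ReturnValue is checked, and an empty DACL does not produce a bogus entry.

```powershell
# Added example, not the original post's code. Cmdlet names follow the post;
# implementations and the Rights decoding are assumptions of this example.

function Get-NetShare {
    # One object per share; ShareName is the property Get-NetShareSecurity binds on.
    # Type with the high bit set (0x80000000) marks administrative shares such as C$.
    Get-WmiObject -Class Win32_Share | ForEach-Object {
        [PSCustomObject]@{
            ShareName   = $_.Name
            Path        = $_.Path
            Type        = $_.Type
            Description = $_.Description
        }
    }
}

function ConvertTo-ShareRights {
    # The three masks the share permissions UI produces; anything else is reported raw.
    param([Parameter(Mandatory)][uint32]$AccessMask)
    switch ($AccessMask) {
        2032127 { 'FullControl' }   # 0x1F01FF
        1245631 { 'Change' }        # 0x1301BF
        1179817 { 'Read' }          # 0x1200A9
        default { '0x{0:X}' -f $AccessMask }
    }
}

function Get-NetShareSecurity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$ShareName
    )
    process {
        # The name is interpolated into a WQL string literal; escape single quotes
        # so a share named O'Brien neither breaks nor alters the filter.
        $escaped = $ShareName -replace "'", "\'"
        $ss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$escaped'"
        if (-not $ss) {
            Write-Warning "No Win32_LogicalShareSecuritySetting instance for share '$ShareName'"
            return
        }

        # InvokeMethod returns the out-parameters: ReturnValue and the Descriptor itself.
        $result = $ss.InvokeMethod('GetSecurityDescriptor', $null, $null)
        if ($result.ReturnValue -ne 0) {
            Write-Warning "GetSecurityDescriptor failed for '$ShareName' (return code $($result.ReturnValue))"
            return
        }
        $sd = $result.Descriptor

        # DACL is an array of Win32_ACE; filter nulls so an empty DACL yields no objects
        # rather than one object with every field blank.
        $aces = @($sd.DACL | Where-Object { $null -ne $_ })
        foreach ($ace in $aces) {
            $t = $ace.Trustee
            $trustee = if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
            [PSCustomObject]@{
                ShareName  = $ShareName
                Trustee    = $trustee
                SID        = $t.SIDString
                AceType    = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
                AccessMask = $ace.AccessMask
                Rights     = ConvertTo-ShareRights $ace.AccessMask
            }
        }
    }
}

# Usage, as in the post:
Get-NetShare | Get-NetShareSecurity | Format-Table ShareName, Trustee, AceType, Rights -AutoSize
```

Get-WmiObject exists in Windows PowerShell 5.1, which is what the modular input runs under; on PowerShell 7 the equivalent is Get-CimInstance plus Invoke-CimMethod -MethodName GetSecurityDescriptor, whose result carries the same ReturnValue and Descriptor properties. Deny ACEs are emitted alongside Allow ACEs on purpose: a Deny entry that silently disappears is as much a permission change as a new Allow.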
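The change-detection logic the post describes (checksum per primary key, New/Updated/Periodic typing, deletion detection against the cache, and SplunkSourceType attached with Add-Member), as an added example that is not the post's script. To run offline it works on constructed permission objects rather than live WMI output, and the cache is an in-memory hashtable standing in for whatever persistence the addon provides, which is an assumption of this example; the source type string is likewise made up here.

```powershell
# Added example, not the original post's code. Cache persistence and the
# source type value are assumptions; the sample objects are constructed.

function Get-ObjectChecksum {
    # Canonical "name=value" string over a fixed property list, then SHA-256,
    # so only the checksum has to be cached and compared.
    param([Parameter(Mandatory)][psobject]$InputObject, [Parameter(Mandatory)][string[]]$Property)
    $canonical = ($Property | ForEach-Object { "$_=$($InputObject.$_)" }) -join '|'
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($canonical)) }
    finally { $sha.Dispose() }
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Compare-WithCache {
    param(
        [Parameter(Mandatory)][hashtable]$Cache,         # primary key -> checksum from the previous run
        [Parameter(Mandatory)][psobject[]]$Current,      # objects seen this run
        [Parameter(Mandatory)][scriptblock]$KeyScript,   # builds the primary key from one object
        [Parameter(Mandatory)][string[]]$Property,       # properties covered by the checksum
        [Parameter(Mandatory)][string]$SourceType,
        [switch]$Periodic                                # also emit unchanged objects
    )
    $seen = @{}
    foreach ($obj in $Current) {
        $key = & $KeyScript $obj
        $sum = Get-ObjectChecksum -InputObject $obj -Property $Property
        $seen[$key] = $true
        $type = if (-not $Cache.ContainsKey($key)) { 'New' }
                elseif ($Cache[$key] -ne $sum)     { 'Updated' }
                else                               { 'Periodic' }
        $Cache[$key] = $sum
        if ($type -eq 'Periodic' -and -not $Periodic) { continue }

        $out = $obj | Select-Object *   # shallow copy; the caller's object stays untouched
        $out | Add-Member -NotePropertyName Key              -NotePropertyValue $key
        $out | Add-Member -NotePropertyName Checksum         -NotePropertyValue $sum
        $out | Add-Member -NotePropertyName Type             -NotePropertyValue $type
        $out | Add-Member -NotePropertyName SplunkSourceType -NotePropertyValue $SourceType
        $out
    }
    # Anything still cached but not seen this run has been deleted.
    foreach ($key in @($Cache.Keys)) {
        if (-not $seen.ContainsKey($key)) {
            $Cache.Remove($key)
            [PSCustomObject]@{ Key = $key; Type = 'Deleted'; SplunkSourceType = $SourceType }
        }
    }
}

# Constructed sample data: the primary key is share name + SID, as in the post.
$keyOf = { param($o) "$($o.ShareName)|$($o.SID)" }
$props = 'Trustee', 'AceType', 'AccessMask'
$cache = @{}

$baseline = @(
    [PSCustomObject]@{ ShareName='Public';  SID='S-1-1-0';               Trustee='Everyone';               AceType='Allow'; AccessMask=1179817 }
    [PSCustomObject]@{ ShareName='Public';  SID='S-1-5-32-544';          Trustee='BUILTIN\Administrators'; AceType='Allow'; AccessMask=2032127 }
    [PSCustomObject]@{ ShareName='Finance'; SID='S-1-5-21-1-2-3-1108';   Trustee='CORP\finance';           AceType='Allow'; AccessMask=1245631 }
)
# First run: every ACE is New and the cache is primed.
$null = Compare-WithCache -Cache $cache -Current $baseline -KeyScript $keyOf -Property $props -SourceType 'Windows:ShareSecurity'

# Second run: Everyone on Public widened to Full Control, a new ACE on Public, Finance gone.
$current = @(
    [PSCustomObject]@{ ShareName='Public'; SID='S-1-1-0';              Trustee='Everyone';               AceType='Allow'; AccessMask=2032127 }
    [PSCustomObject]@{ ShareName='Public'; SID='S-1-5-32-544';         Trustee='BUILTIN\Administrators'; AceType='Allow'; AccessMask=2032127 }
    [PSCustomObject]@{ ShareName='Public'; SID='S-1-5-21-1-2-3-500';   Trustee='CORP\svc-backup';        AceType='Allow'; AccessMask=1245631 }
)
Compare-WithCache -Cache $cache -Current $current -KeyScript $keyOf -Property $props -SourceType 'Windows:ShareSecurity' |
    Format-Table Key, Type, Trustee, AccessMask, SplunkSourceType -AutoSize
```

On the second run the Everyone entry comes out as Updated, the svc-backup entry as New and the Finance entry as Deleted, while the unchanged Administrators entry is held back because -Periodic was not passed. Pass -Periodic on the scheduled full emission so Splunk still receives a complete picture at a known interval; the Type field lets a search separate those heartbeats from actual changes. Deleted records carry only the key, since the object itself is no longer available to read.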