Track Document Access by User SID

Monitor document access patterns for specific users using the groupBy() function

Query

Pipeline: Events -> Filter -> Filter -> Aggregate -> Result Set

#event_simpleName=/ProcessRollup2|SyntheticProcessRollup2|ProcessBlocked/ tag=process cid=CID_HERE UserSid=USER_SID_HERE
| (.pdf) OR (.xls) OR (.xlsx) OR (.doc) OR (.docx) OR (.ppt) OR (.pptx) OR (.txt) OR (.key) OR (.pages) OR (.numbers) OR (.odp) OR (.pps) OR (.ods) OR (.xlsm) OR (.odt) OR (.rtf) OR (.tex) OR (.wpd)
| groupBy([aid, ComputerName, ImageFileName, TargetFileName, CommandLine])

Introduction

The groupBy() function can be used to aggregate and analyze document access patterns by specific users, providing visibility into which documents are being accessed and from which systems.

In this example, the groupBy() function is used to track document access events for a specific user SID, helping security analysts monitor and investigate document access patterns across the environment.

Example incoming data might look like this:

@timestamp | event_simpleName | tag | cid | UserSid | aid | ComputerName | ImageFileName | TargetFileName | CommandLine
2025-11-05T10:00:00.000Z | ProcessRollup2 | process | CID123 | S-1-5-21-123 | aid123 | LAPTOP01 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Users\john\Documents\2024_Q1_pentest_host_list.xlsx | EXCEL.EXE
2025-11-05T10:01:00.000Z | ProcessRollup2 | process | CID123 | S-1-5-21-123 | aid123 | LAPTOP01 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | C:\Users\john\Documents\2024_Q1_pentest_results_draft.pptx | POWERPNT.EXE
2025-11-05T10:02:00.000Z | SyntheticProcessRollup2 | process | CID123 | S-1-5-21-123 | aid124 | DESKTOP02 | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | C:\Users\john\Downloads\security_report.pdf | Acrobat.exe

Step-by-Step

  1. Starting with the source repository events.

  2. #event_simpleName=/ProcessRollup2|SyntheticProcessRollup2|ProcessBlocked/ tag=process cid=CID_HERE UserSid=USER_SID_HERE

    Filters events to those whose event_simpleName matches the regular expression, that carry the process tag, and that belong to the specified CID and User SID. Using a regular expression lets a single filter cover several process event types.

    It matches events where event_simpleName equals any of:

    • ProcessRollup2 (captures process creation)

    • SyntheticProcessRollup2 (captures synthetic process events)

    • ProcessBlocked (captures blocked process creation attempts)

    tag=process ensures that only process-related events are included.

    Note that this query requires replacing CID_HERE and USER_SID_HERE with actual values for the specific environment and investigation target.

  3. | (.pdf) OR (.xls) OR (.xlsx) OR (.doc) OR (.docx) OR (.ppt) OR (.pptx) OR (.txt) OR (.key) OR (.pages) OR (.numbers) OR (.odp) OR (.pps) OR (.ods) OR (.xlsm) OR (.odt) OR (.rtf) OR (.tex) OR (.wpd)

    Filters for common document file extensions to identify document access events. Each term is a free-text search, so it is matched as a substring of the whole event rather than of TargetFileName alone. As a result, .doc also matches .docx, .xls also matches .xlsx, and .ppt also matches .pptx, and an extension that appears only in CommandLine or another field is still enough to keep the event.

  4. | groupBy([aid, ComputerName, ImageFileName, TargetFileName, CommandLine])

    Groups the results by multiple fields to provide context for each document access event:

    • aid: Agent ID for identifying specific endpoints.

    • ComputerName: Name of the computer where the access occurred.

    • ImageFileName: Full path of the process accessing the document.

    • TargetFileName: Full path of the accessed document.

    • CommandLine: Command line parameters used to open the document.

  5. Event Result set.
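The three-stage pipeline described in the steps above, replayed as an added Python model. This is not code from the original page or from LogScale: it applies the event-name/tag/CID/SID filter, the free-text extension filter and the groupBy() aggregation to a constructed set of events (modelled on the page's sample rows, plus extra rows that each stage should drop and a repeated open that should collapse into one group), and it reports which extension terms fire for a given event. It assumes that free-text terms behave as plain, case-sensitive substring matches against the whole event text, and it includes the _count field that groupBy() adds through its default count() function, which the page's sample output table leaves out.

```python
import re
from collections import Counter

# Constructed sample events (not from the page's data set), carrying only the
# fields the query touches. Index 4 is a ProcessBlocked event that also shows
# the substring effect: the ".doc" term fires on "invoice.docx".
def _ev(name, tag, cid, sid, aid, host, image, target, cmd):
    return {"event_simpleName": name, "tag": tag, "cid": cid, "UserSid": sid,
            "aid": aid, "ComputerName": host, "ImageFileName": image,
            "TargetFileName": target, "CommandLine": cmd}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
USER = "S-1-5-21-123"   # constructed SID standing in for USER_SID_HERE
SAMPLE_EVENTS = [
    _ev("ProcessRollup2", "process", "CID123", USER, "aid123", "LAPTOP01",
        OFFICE + r"\EXCEL.EXE", r"C:\Users\john\Documents\2024_Q1_pentest_host_list.xlsx", "EXCEL.EXE"),
    _ev("ProcessRollup2", "process", "CID123", USER, "aid123", "LAPTOP01",
        OFFICE + r"\POWERPNT.EXE", r"C:\Users\john\Documents\2024_Q1_pentest_results_draft.pptx", "POWERPNT.EXE"),
    _ev("SyntheticProcessRollup2", "process", "CID123", USER, "aid124", "DESKTOP02",
        r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", r"C:\Users\john\Downloads\security_report.pdf", "Acrobat.exe"),
    _ev("ProcessRollup2", "process", "CID123", USER, "aid123", "LAPTOP01",
        r"C:\Windows\System32\notepad.exe", r"C:\Users\john\Desktop\notes.txt", r'notepad.exe "C:\Users\john\Desktop\notes.txt"'),
    _ev("ProcessBlocked", "process", "CID123", USER, "aid123", "LAPTOP01",
        OFFICE + r"\WINWORD.EXE", r"C:\Users\john\Downloads\invoice.docx", "WINWORD.EXE"),
    # Dropped by stage 1: a different UserSid.
    _ev("ProcessRollup2", "process", "CID123", "S-1-5-21-999", "aid123", "LAPTOP01",
        OFFICE + r"\EXCEL.EXE", r"C:\Users\jane\Documents\budget.xlsx", "EXCEL.EXE"),
    # Dropped by stage 2: no document extension anywhere in the event.
    _ev("ProcessRollup2", "process", "CID123", USER, "aid123", "LAPTOP01",
        r"C:\Windows\System32\calc.exe", r"C:\Windows\System32\calc.exe", "calc.exe"),
    # Dropped by stage 1: not a process event (name and tag both fail).
    _ev("NetworkConnectIP4", "network", "CID123", USER, "aid123", "LAPTOP01",
        r"C:\Windows\System32\svchost.exe", "", "svchost.exe"),
    # A second open of the first spreadsheet: same group as index 0, so _count becomes 2.
    _ev("ProcessRollup2", "process", "CID123", USER, "aid123", "LAPTOP01",
        OFFICE + r"\EXCEL.EXE", r"C:\Users\john\Documents\2024_Q1_pentest_host_list.xlsx", "EXCEL.EXE"),
]

# The page's regex, unanchored, exactly as the query writes it.
EVENT_NAME_RE = re.compile(r"ProcessRollup2|SyntheticProcessRollup2|ProcessBlocked")
# The page's free-text terms, in the order the query lists them.
DOC_EXTENSIONS = [".pdf", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".txt",
                  ".key", ".pages", ".numbers", ".odp", ".pps", ".ods", ".xlsm",
                  ".odt", ".rtf", ".tex", ".wpd"]
GROUP_FIELDS = ("aid", "ComputerName", "ImageFileName", "TargetFileName", "CommandLine")


def stage1_filter(events, cid, user_sid):
    """Query line 1: regex search on event_simpleName plus exact matches on tag, cid, UserSid."""
    return [e for e in events
            if EVENT_NAME_RE.search(e["event_simpleName"])
            and e["tag"] == "process" and e["cid"] == cid and e["UserSid"] == user_sid]


def rawstring(event):
    """Stand-in for @rawstring: free-text terms are matched against the whole event
    text, not against TargetFileName alone (an assumption of this model)."""
    return " ".join(str(v) for v in event.values())


def matching_extensions(event):
    """Which free-text terms fire for one event (case-sensitive substring test)."""
    raw = rawstring(event)
    return [ext for ext in DOC_EXTENSIONS if ext in raw]


def stage2_filter(events):
    """Query line 2: keep an event when at least one extension term matches."""
    return [e for e in events if matching_extensions(e)]


def stage3_groupby(events):
    """Query line 3: groupBy() over the five fields with its default count(),
    which adds a _count column; rows are returned in sorted key order."""
    counts = Counter(tuple(e[f] for f in GROUP_FIELDS) for e in events)
    return [dict(zip(GROUP_FIELDS, key), _count=n) for key, n in sorted(counts.items())]


def run_query(events, cid, user_sid):
    """The whole pipeline: filter, filter, aggregate."""
    return stage3_groupby(stage2_filter(stage1_filter(events, cid, user_sid)))


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS, "CID123", USER):
        print(row["_count"], row["ComputerName"], row["ImageFileName"], row["TargetFileName"])
    print("terms firing on invoice.docx:", matching_extensions(SAMPLE_EVENTS[4]))
```

Running the model for the constructed user yields five groups, with the repeated spreadsheet open counted twice; the same events queried for the other SID yield only the budget.xlsx row. matching_extensions() on the ProcessBlocked event returns both ".doc" and ".docx", which is why the shorter terms in the page's list do not narrow the search.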

Summary and Results

The query is used to track and analyze document access patterns for specific users by monitoring process creation events related to document handling applications.

This query is useful, for example, to investigate potential data exfiltration, monitor sensitive document access, track user behavior patterns, and provide context during security investigations.

Sample output from the incoming example data:

aid | ComputerName | ImageFileName | TargetFileName | CommandLine
aid123 | LAPTOP01 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Users\john\Documents\2024_Q1_pentest_host_list.xlsx | EXCEL.EXE
aid123 | LAPTOP01 | C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE | C:\Users\john\Documents\2024_Q1_pentest_results_draft.pptx | POWERPNT.EXE
aid124 | DESKTOP02 | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | C:\Users\john\Downloads\security_report.pdf | Acrobat.exe
