Skip to main content


Splunk Lantern

Files a user uploaded to a network file share

You might need to find all files a user uploaded to a network file share when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


A user reports a ransomware attack on their machine. The user put a number of files on a network file share after the attack. You need to determine how many PDFs on the file share were encrypted as part of the attack.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Windows event logs. You can replace this source with any other system log data used in your organization.

  1. Run the following search:
sourcetype=*win* pdf dest=<hostname of fileshare> Source_address=<IP address of infected system>
|stats dc(TargetFilename)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation


Search only Windows event logs.


Search for all files of a certain type (.pdf in this example) on the file share.

dest=<hostname of fileshare> 

Search the affected system, in this case, a file share on the network.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. 

(dest="" OR dest_ip="")

(dest="" OR dest="")

Source_address=<IP address of infected system>

Search for files that came from the infected system.

|stats dc(TargetFilename)

Provide a distinct count of the number of affected files.


Without the stats command, the search returns an event log for each PDF on the file share that was encrypted by the ransomware. The stats command provides a total count. 

  • Was this article helpful?