Answered

How to count changes for auditing Windows file change per user?

I would like to determine baseline max. changes for configuring EventSentry against ransomware with Windows Auditing and Event ID 4663.


Best Answer

You can do this by (temporarily) creating a file access tracking package which will normalize all 4663 events recorded by a monitored host.

Simply click on "Compliance Tracking" under "Packages" and create a new package. Assign the package accordingly.

Then, add the "File Access" object to it. Configure that object for "Track all file access activity" and click the "Configure" button to customize it (this is to filter out unwanted data).

Then simply push the configuration to the target hosts and wait until some file access activity has been generated. You can then view file access tracking data in the web reports under "Compliance -> File Access", similar to here: http://demo.eventsentry.com/fileaccess?PROFILE=English.

The summary page already shows you the data grouped by various properties, such as the user name, but you can click the blue header columns as well to get more detailed reporting.
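For comparison with the EventSentry report, the same per-user count can be taken straight from the raw 4663 events. This is an added example, not part of the original answer and not EventSentry code; the function names `ConvertFrom-Event4663` and `Get-ChangeBaseline`, the choice of access-mask bits that count as a "change", and the sample rows are assumptions made for illustration.

```powershell
# Access-mask bits treated as a "change" (assumption): WriteData 0x2, AppendData 0x4, DELETE 0x10000.
$ChangeMask = 0x2 -bor 0x4 -bor 0x10000

function ConvertFrom-Event4663 {
    # Flattens a 4663 record from Get-WinEvent using the named EventData fields.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $Record.TimeCreated
            User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            AccessMask = [Convert]::ToInt32($data.AccessMask, 16)   # logged as hex, e.g. 0x2
        }
    }
}

function Get-ChangeBaseline {
    # Counts change events per user per time window, then reports each user's busiest window.
    param([object[]] $Rows, [int] $WindowMinutes = 1)
    $w = [timespan]::FromMinutes($WindowMinutes).Ticks
    $Rows |
        Where-Object { $_.AccessMask -band $ChangeMask } |
        Group-Object User, { $_.Time.Ticks - ($_.Time.Ticks % $w) } |
        ForEach-Object { [pscustomobject]@{ User = $_.Group[0].User; Count = $_.Count } } |
        Group-Object User |
        ForEach-Object {
            $m = $_.Group | Measure-Object Count -Maximum -Average
            [pscustomobject]@{
                User         = $_.Name
                Windows      = $m.Count                      # windows with at least one change
                MaxPerWindow = $m.Maximum                    # candidate for the alert threshold
                AvgPerWindow = [math]::Round($m.Average, 1)
            }
        }
}

# Constructed sample rows so the grouping runs offline. On an audited host (elevated prompt) use:
#   $rows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } | ConvertFrom-Event4663
$t0 = Get-Date '2024-01-01T09:00:00'
$rows = @(
    0, 5, 20, 70 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_); User = 'CORP\alice'; AccessMask = 0x2 }
    }
    [pscustomobject]@{ Time = $t0; User = 'CORP\bob'; AccessMask = 0x1 }      # read only, not counted
    [pscustomobject]@{ Time = $t0; User = 'CORP\bob'; AccessMask = 0x10000 }  # delete
)
Get-ChangeBaseline -Rows $rows | Sort-Object MaxPerWindow -Descending | Format-Table
```

Run it over several normal working days before picking a threshold, since a single busy window (a backup job or a bulk copy) will otherwise set `MaxPerWindow` for that account.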
