How to count changes for auditing Windows file change per user?
Ingmar Koecher
started a topic
about 5 years ago
I would like to determine baseline max. changes for configuring EventSentry against ransomware with Windows Auditing and Event ID 4663.
Best Answer
Ingmar Koecher
said
about 5 years ago
You can do this by (temporarily) creating a file access tracking package which will normalize all 4663 events recorded by a monitored host.
Simply click on "Compliance Tracking" under "Packages" and create a new package. Assign the package accordingly.
Then, add the "File Access" object to it. Configure that object for "Track all file access activity" and click the "Configure" button to customize it (this is to filter out unwanted data).
Then simply push the configuration to the target hosts and wait until some file access activity has been generated. You can then view file access tracking data in the web reports under "Compliance -> File Access", similar to here: http://demo.eventsentry.com/fileaccess?PROFILE=English.
The summary page already shows you the data grouped by various properties, such as the user name, but you can click the blue header columns as well to get more detailed reporting.
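If you want to sanity-check the baseline outside EventSentry, the following script (an added example, not part of the forum answer or of EventSentry) reads Security event 4663 from one host, keeps only accesses whose mask indicates a modification, and reports each user's total and peak number of changes per time bucket. It assumes object-access auditing is enabled with SACLs on the monitored folders and an elevated PowerShell session; the function name, bucket size and mask selection are the example's own choices.

```powershell
# Added example (not EventSentry's code): per-user baseline of file changes from
# Security event 4663. Assumes file-system object-access auditing and SACLs are
# in place; run elevated. Each 4663 is one handle access, so one "save" may
# produce several events; treat the numbers as an upper bound on changes.

function Get-FileChangeBaseline {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$BucketMinutes = 5
    )
    # Access-mask bits that mean "modify" rather than "read":
    # 0x2 WriteData, 0x4 AppendData, 0x10 WriteEA, 0x100 WriteAttributes, 0x10000 DELETE
    $changeMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
        -ErrorAction SilentlyContinue

    $changes = foreach ($e in $events) {
        # Parse the event XML so fields are addressed by name, not by position.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)   # value is hex, e.g. "0x2"
        if ($mask -band $changeMask) {
            $minutes = [math]::Floor($e.TimeCreated.TimeOfDay.TotalMinutes / $BucketMinutes) * $BucketMinutes
            [pscustomobject]@{
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Bucket = $e.TimeCreated.Date.AddMinutes($minutes)
                Object = $d['ObjectName']
            }
        }
    }

    # Per user: total changes, the busiest bucket, and how many changes it held.
    # The largest PeakChanges seen during normal use is the baseline to start from.
    $changes | Group-Object User | ForEach-Object {
        $peak = $_.Group | Group-Object Bucket | Sort-Object Count -Descending | Select-Object -First 1
        [pscustomobject]@{
            User         = $_.Name
            TotalChanges = $_.Count
            PeakBucket   = $peak.Name
            PeakChanges  = $peak.Count
        }
    } | Sort-Object PeakChanges -Descending
}

Get-FileChangeBaseline -Since (Get-Date).AddDays(-7) -BucketMinutes 5 | Format-Table -AutoSize
```

Run it over a period of normal activity and set the ransomware threshold comfortably above the highest PeakChanges a legitimate user produces; shrink BucketMinutes if the alert interval you configure is shorter.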