LEM and File Auditing

Version 2

    Context 

    It may have just been coincidence, or these might be items that are becoming frequently asked questions. Either way, I searched and searched and could not find what I was looking for, so I did some quick testing to see how LEM collected these items and, almost more importantly, how they were displayed. I thought I would share my findings.


    These are important to know if you are going to create Filters or Rules based on these user actions: how LEM collects them and how they are registered. Basically, your criteria have to match the format LEM actually records (the event type and the field that carries the value).


    (I also had 3 different users this week who had set things up the way they thought these events were gathered. Their setup made logical sense, but the criteria LEM needed were different, so we never saw the events in Filters and no Rules were firing.) They had the incorrect event type tied to the incorrect info format.

     

    -I created files two ways. One was right-clicking in the directory (New File); the other was saving a file into the directory from the native program (Word, Notepad, etc.).

    -I also renamed files.

    -I did these tests with Native Windows Auditing and with our FIM connector.

     

    ***This was my own testing and my own results. I did not test multiple times, on multiple machines, etc. This is not meant to be absolute by any means, but it may help you in creating similar Filters and Rules.***

     

     

     

    With our FIM Connector

     

    Right-click, New File

     

    This produced a FileCreate event, and the file name equaled "New Text (or Bitmap, etc.) Document.txt". This was found in the EventInfo and the FileName fields.

     

    Then there was a FileWrite event, and it also contained the "New _____" name in the same fields.

     

    Eventually there was a FileRead Event with the real file name in the EventInfo field.

     

    (There were file events in between, but not nearly as many as with native Windows auditing.)

     

    File Saved Directly to the Directory

     

    The first entry was a FileCreate with the real file name in the EventInfo and the FileName fields.

     

    Followed by several FileReads and FileWrites, all with the file name.


     

    Renamed a File


    Multiple FileRead events with File Open in the EventInfo field, with the original file name.

     

    Then there was a FileWrite event that contained the original file name.

     

    Then there was a FileRead, and in the EventInfo field there was a File Permission entry with the new name (this was the first entry with the new name).

     

    Immediately after, there was a FileRead, and in the EventInfo field there was a File Open with the new name.



     

    With Native Windows File Auditing Enabled

     

    Right-click, New File

     

    This produced a FileWrite event, and the file name equaled "New Text (or Bitmap, etc.) Document.txt". This was found in the EventInfo and the FileName fields.

     

    Then there were a dozen or so FileAudit events with Read in the EventInfo field, for various files and for the directory itself.

     

    Eventually there was a FileDelete event with the name New Text Document.txt in the EventInfo field.

     

    Again, a number of FileAudit events.

     

    Finally there was a FileAudit event, and in the EventInfo field there was a File Open with the file name I had given the file. (This was the first time the real file name appeared, instead of "New...".)


     

    File Saved Directly to the Directory

     

    The first entry was a FileWrite with the real file name in the EventInfo and the FileName fields.

     

    Followed by several FileAudits with the file name.


     

    Renamed a File

     

    There was a FileDelete event, and it contained the original file name in the EventInfo field.

     

    Dozens of FileAudits.

     

    Then there was a FileWrite to the directory.

     

    (More FileAudits)

     

    Finally there was a FileAudit, and in the EventInfo there was a File Open that contained the newly renamed file name (the first time the new name appeared).
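    The point of the two sequences above is that the same user action reaches LEM as different event types, and the name you care about is not always in the FileName field. The following is an added example (not from the original post and not SolarWinds code) that runs Filter/Rule-style criteria over constructed event streams modelled on the observations above. The Event/Rule classes, the file names and the sample sequences are all made up for illustration; only the event type and field names (FileCreate, FileWrite, FileRead, FileAudit, FileDelete, EventInfo, FileName) are the ones the post refers to.

```python
# Added example: matching Filter/Rule criteria against LEM-normalized file events.
# The sample events are constructed from the sequences described in the post and are
# simplified; they are not real LEM output.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Event:
    source: str       # "FIM" (LEM FIM connector) or "NATIVE" (Windows file auditing)
    event_type: str   # LEM event type as the post names them: FileCreate, FileWrite, ...
    event_info: str   # LEM EventInfo field
    file_name: str    # LEM FileName field ("" where the post does not mention it)


@dataclass(frozen=True)
class Rule:
    """One criterion: a set of event types plus a test on a single field."""
    event_types: frozenset
    field: str                    # "file_name" or "event_info"
    test: Callable[[str], bool]

    def matches(self, ev: Event) -> bool:
        return ev.event_type in self.event_types and self.test(getattr(ev, self.field))


def first_match(events: Iterable[Event], rule: Rule) -> Optional[Event]:
    """Return the first event the rule would fire on, or None (the Filter stays empty)."""
    for ev in events:
        if rule.matches(ev):
            return ev
    return None


# --- Constructed sample streams (hypothetical names), following the post's sequences ---
REAL = "report.txt"
NEW = "New Text Document.txt"

FIM_SAVE_DIRECT = [
    Event("FIM", "FileCreate", REAL, REAL),
    Event("FIM", "FileRead", REAL, REAL),
    Event("FIM", "FileWrite", REAL, REAL),
]
NATIVE_SAVE_DIRECT = [
    Event("NATIVE", "FileWrite", REAL, REAL),
    Event("NATIVE", "FileAudit", "Read " + REAL, REAL),
]
NATIVE_RIGHT_CLICK_THEN_RENAME = [
    Event("NATIVE", "FileWrite", NEW, NEW),
    Event("NATIVE", "FileAudit", "Read", ""),
    Event("NATIVE", "FileDelete", NEW, ""),
    Event("NATIVE", "FileAudit", "Read", ""),
    # the real name first shows up inside EventInfo, not in FileName
    Event("NATIVE", "FileAudit", "File Open " + REAL, ""),
]

# The rule as a user might first write it: "a .txt file was created"
CREATE_BY_NAME = Rule(frozenset({"FileCreate"}), "file_name", lambda s: s.endswith(".txt"))
# Same intent, written against what native Windows auditing actually produces in LEM
WRITE_BY_NAME = Rule(frozenset({"FileWrite"}), "file_name", lambda s: s.endswith(".txt"))
# Looking for the final name of a right-click-created file: FileName never carries it
FINAL_NAME_IN_FILENAME = Rule(frozenset({"FileAudit"}), "file_name", lambda s: s == REAL)
FINAL_NAME_IN_EVENTINFO = Rule(frozenset({"FileAudit"}), "event_info", lambda s: REAL in s)


def demo() -> dict:
    """Run each rule against each stream; values are the event type that fired, or None."""
    cases = {
        "fim_save/create_by_name": (FIM_SAVE_DIRECT, CREATE_BY_NAME),
        "native_save/create_by_name": (NATIVE_SAVE_DIRECT, CREATE_BY_NAME),
        "native_save/write_by_name": (NATIVE_SAVE_DIRECT, WRITE_BY_NAME),
        "native_rename/final_in_filename": (NATIVE_RIGHT_CLICK_THEN_RENAME, FINAL_NAME_IN_FILENAME),
        "native_rename/final_in_eventinfo": (NATIVE_RIGHT_CLICK_THEN_RENAME, FINAL_NAME_IN_EVENTINFO),
    }
    results = {}
    for name, (events, rule) in cases.items():
        hit = first_match(events, rule)
        results[name] = hit.event_type if hit else None
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:34} -> {hit}")
```

    Running it shows the failure mode from the post: a FileCreate criterion fires under the FIM connector but never under native auditing (which only produced FileWrite), and a FileName criterion never sees the final name of a right-click-created file, because in the native sequence that name only ever appeared inside the EventInfo text of a FileAudit "File Open" entry.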


    FYI: I talked to a member of our dev team for LEM, and while FIM is doing a lot of the same work as native Windows File Auditing in this first release, he said we have the ability to make it better and smarter since we control it. He definitely recommends FIM over native Windows Auditing, and it really isn't because he is self-promoting.