cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 8

LEM/FIM alerting to a file extension change

Hello All,

I am new to LEM and I am trying to setup file auditing using FIM.  I have FIM getting data when a file is changed, for example, Word.docx changes to word.docx.ecc.  I want to setup a rule to send me an email when this happens.  I'm not sure if I created the rule correctly or if I'm missing something, but when this rule is triggered I get an email and the subject just has the word 'at' in it.  Any input would be greatly appreciated.

Here are the results from my ndepth query.

Event Name: FileRead 

EventInfo: File Open for Metadata Read "E:\DFS\Dept_Common\OIT\test.docx.ecc" by user "Username"  InsertionIP: SERVER  Manager: LEM SERVER DetectionIP: x.x.x.x  InsertionTime: 11:35:09 Fri Mar 13 2015  DetectionTime: 11:35:02 Fri Mar 13 2015  Severity: 3  ToolAlias: FIM File and Directory  InferenceRule:   ProviderSID: 2  ExtraneousInfo:   SourceAccount: dtyner  SourceDomain: WALSHCOLLEGE  SourceLogonID:   DestinationAccount:   DestinationDomain:   DestinationLogonId:   AccessRequested:   PrivilegesExercised:   FileName: E:\DFS\Dept_Common\OIT\test.docx.ecc  FileHandleID:   OperationID:   ServingProcess:   AccessProperties:   OperationType:

here is a copy of my rule

pastedImage_28.png

0 Kudos
1 Reply
Level 9

You have to drop the appropriate event fields in those empty "slots" under "Recipients". Look at the event data that has been generated and decide what information from those event data you want to see in the emails generated by this event. You can modify an email template to add specific fields to be included in the email from LEM. Then as I said earlier, drop those fields in those slots - for instance, FileRead,EventInfo into the $EventInfo spot, FileRead.DetectionTime into $DetectionTime and so on.