
Search pattern for file audits on specific server not carried out by one of four accounts

Hi,

As per the subject, I'm trying to create an nDepth search (which I will later turn into an alert) which searches a specific server for file audits that do not involve one of four accounts.

I've tried under 'ALL'

fileaudit.insertionip = server

fileaudit.sourceaccount does not equal user1

fileaudit.sourceaccount does not equal user2

fileaudit.sourceaccount does not equal user3

fileaudit.sourceaccount does not equal user4

which hasn't worked.

I've then tried under 'ALL'

fileaudit.insertionip = server

Subgroup under 'OR'

fileaudit.sourceaccount does not equal user1

fileaudit.sourceaccount does not equal user2

fileaudit.sourceaccount does not equal user3

fileaudit.sourceaccount does not equal user4

This didn't work either - this doesn't seem much to ask of LEM.  Any pointers please?

  • FormerMember
    0 FormerMember

    As a workaround, you might try building a filter, which is real-time, since I've seen a couple of threads now that don't quite match what you'd expect with nDepth.

    I'm going to try a couple of things and report back... I'm with you that this seems fishy.

  • Thanks - if you can look that will be great.

    Am running an alert now.

  • FormerMember
    0 FormerMember in reply to bkeeley

    One thing that just came to mind - if your file audit alerts are the subtypes (FileWrite, FileRead, FileAuditFailure, etc) and not just the parent FileAudit event itself, you'll want to use the "File Audit Events" event group instead of using the specific File Audit event itself. That way all of the subtypes are also included.

    File Audit Events.InsertionIP = system1

    AND

    File Audit Events.SourceAccount != account1

    AND

    File Audit Events.SourceAccount != account2

    etc

    NOTE: I just did this myself and it seems to be the not equals that is causing some difficulty. It DOES work in filters and DOES work in rules, but is not working in nDepth searches. Still doing some digging as to what's happening.

  • FormerMember
    0 FormerMember in reply to FormerMember

    I know, replying to myself. So far my testing has yielded:

    1. This works as described in filters and rules
    2. Equals works great in nDepth but not equals with a field seems to be dysfunctional (differently functional?)
    3. Using the "User Name" refine field (only exists in nDepth) with != does seem to work. (User Name searches across all account fields, using a field directly just searches that one field... so it's not precisely equal but it's worth a shot)

    So, try reconstructing your search with:

    File Audit Events.InsertionIP = server1

    AND

    User Name != user1

    AND

    User Name != user2

    AND

    User Name != user3

    You might have to run the first search (File Audit Events.InsertionIP=server1) then drag the user name field into the search bar from the refine fields on the left to get it to add.
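An added example, not from this thread or from SolarWinds, that models the three predicate shapes discussed above in Python over a handful of constructed File Audit events: the ANDed `!=` clauses, the OR subgroup from the original second attempt, and the `User Name` workaround. The `DestinationAccount` field and the exact semantics of the `User Name` refine (treated here as "no account field holds the name") are assumptions.

```python
# Constructed sample events; field names mirror the thread's InsertionIP / SourceAccount.
# DestinationAccount is an assumed second account field so the "User Name" case differs.
EVENTS = [
    {"id": 1, "EventType": "FileWrite", "InsertionIP": "server1",
     "SourceAccount": "user1", "DestinationAccount": ""},
    {"id": 2, "EventType": "FileRead", "InsertionIP": "server1",
     "SourceAccount": "svc_backup", "DestinationAccount": ""},
    {"id": 3, "EventType": "FileAuditFailure", "InsertionIP": "server1",
     "SourceAccount": "svc_backup", "DestinationAccount": "user2"},
    {"id": 4, "EventType": "FileWrite", "InsertionIP": "server2",
     "SourceAccount": "admin", "DestinationAccount": ""},
    {"id": 5, "EventType": "FileWrite", "InsertionIP": "server1",
     "SourceAccount": "user3", "DestinationAccount": "user4"},
]

SERVER = "server1"
EXCLUDED = {"user1", "user2", "user3", "user4"}
ACCOUNT_FIELDS = ("SourceAccount", "DestinationAccount")  # assumed set of account fields


def and_not_equals(events):
    """Intended logic: InsertionIP = server AND SourceAccount != each excluded account."""
    return [e["id"] for e in events
            if e["InsertionIP"] == SERVER
            and all(e["SourceAccount"] != u for u in EXCLUDED)]


def or_not_equals(events):
    """Second attempt from the question: the != clauses in an OR subgroup.
    Any single SourceAccount value differs from at least three of the four names,
    so the subgroup is always true and no account is ever excluded."""
    return [e["id"] for e in events
            if e["InsertionIP"] == SERVER
            and any(e["SourceAccount"] != u for u in EXCLUDED)]


def user_name_not_equals(events):
    """Workaround from the reply: 'User Name' spans every account field, so an
    event is dropped when ANY account field holds an excluded name. This is
    broader than SourceAccount alone, which is the caveat the reply points out."""
    return [e["id"] for e in events
            if e["InsertionIP"] == SERVER
            and not any(e[f] in EXCLUDED for f in ACCOUNT_FIELDS)]
```

Running the three filters over the sample set shows why the OR subgroup cannot work and how the `User Name` workaround also drops event 3, where an excluded account appears only as the destination.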