1 Reply Latest reply on Mar 17, 2015 10:23 AM by rufat87

    LEM/FIM alerting to a file extension change

    dtyner

      Hello All,

       

      I am new to LEM and I am trying to set up file auditing using FIM.  I have FIM getting data when a file is changed, for example, Word.docx changes to word.docx.ecc.  I want to set up a rule to send me an email when this happens.  I'm not sure if I created the rule correctly or if I'm missing something, but when this rule is triggered I get an email and the subject just has the word 'at' in it.  Any input would be greatly appreciated.

       

      Here are the results from my nDepth query.

       

      Event Name: FileRead 

      EventInfo: File Open for Metadata Read "E:\DFS\Dept_Common\OIT\test.docx.ecc" by user "Username"
      InsertionIP: SERVER
      Manager: LEM SERVER
      DetectionIP: x.x.x.x
      InsertionTime: 11:35:09 Fri Mar 13 2015
      DetectionTime: 11:35:02 Fri Mar 13 2015
      Severity: 3
      ToolAlias: FIM File and Directory
      InferenceRule:
      ProviderSID: 2
      ExtraneousInfo:
      SourceAccount: dtyner
      SourceDomain: WALSHCOLLEGE
      SourceLogonID:
      DestinationAccount:
      DestinationDomain:
      DestinationLogonId:
      AccessRequested:
      PrivilegesExercised:
      FileName: E:\DFS\Dept_Common\OIT\test.docx.ecc
      FileHandleID:
      OperationID:
      ServingProcess:
      AccessProperties:
      OperationType:

       

       

      Here is a copy of my rule.

       

        • Re: LEM/FIM alerting to a file extension change
          rufat87

          You have to drop the appropriate event fields in those empty "slots" under "Recipients". Look at the event data that has been generated and decide what information from that event data you want to see in the emails generated by this event. You can modify an email template to add specific fields to be included in the email from LEM. Then, as I said earlier, drop those fields in those slots - for instance, FileRead.EventInfo into the $EventInfo spot, FileRead.DetectionTime into $DetectionTime and so on.
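
An added example, not from either poster and not LEM's own rule logic: it splits the flattened nDepth record from the question on the field names shown there, then reports a file whose document extension has a second extension appended, using the same fields the reply suggests mapping into the email. The `DOC_EXTS` watch list and all function names are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Field names as they appear in the nDepth result posted in the question.
FIELDS = ["EventInfo", "InsertionIP", "Manager", "DetectionIP", "InsertionTime",
          "DetectionTime", "Severity", "ToolAlias", "InferenceRule", "ProviderSID",
          "ExtraneousInfo", "SourceAccount", "SourceDomain", "SourceLogonID",
          "DestinationAccount", "DestinationDomain", "DestinationLogonId",
          "AccessRequested", "PrivilegesExercised", "FileName", "FileHandleID",
          "OperationID", "ServingProcess", "AccessProperties", "OperationType"]
# Assumed watch list of document extensions (not from the thread).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
# The record from the question, abridged to fewer fields for the example.
SAMPLE = (r'EventInfo: File Open for Metadata Read '
          r'"E:\DFS\Dept_Common\OIT\test.docx.ecc" by user "Username"  '
          r'InsertionIP: SERVER  Manager: LEM SERVER DetectionIP: x.x.x.x  '
          r'DetectionTime: 11:35:02 Fri Mar 13 2015  InferenceRule:   ProviderSID: 2  '
          r'SourceAccount: dtyner  SourceDomain: WALSHCOLLEGE  SourceLogonID:   '
          r'FileName: E:\DFS\Dept_Common\OIT\test.docx.ecc  OperationType:')

# Split only on known field names, so "E:\..." and "11:35:02" are not read as keys.
_KEY = re.compile(r"(?:^|\s)(" + "|".join(FIELDS) + r"):")

def parse_event(line):
    """Return {field: value} for one flattened event; empty fields map to ''."""
    hits = list(_KEY.finditer(line))
    event = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        event[m.group(1)] = line[m.end():end].strip()
    return event

def appended_extension(file_name):
    """Return (original_name, extra_ext) when a watched extension is followed by another."""
    path = PureWindowsPath(file_name)
    suffixes = path.suffixes
    if len(suffixes) >= 2 and suffixes[-2].lower() in DOC_EXTS:
        return path.name[: -len(suffixes[-1])], suffixes[-1]
    return None

def alert_text(line):
    """Build a one-line alert from the event fields, or None if nothing matched."""
    ev = parse_event(line)
    hit = appended_extension(ev.get("FileName", ""))
    if hit is None:
        return None
    return "{} gained extension {} at {} (user {}\\{})".format(
        hit[0], hit[1], ev.get("DetectionTime", ""),
        ev.get("SourceDomain", ""), ev.get("SourceAccount", ""))

if __name__ == "__main__":
    print(alert_text(SAMPLE))
```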