13 Replies Latest reply on Jun 15, 2015 1:23 PM by qle

    Prevent mass file operations?

    qle

      Is it within LEM's capability to prevent/block mass file operations on a server, either accidental or intentional? It could be as destructive as a user who will be leaving the organization and wiping out files or as innocent as someone accidentally moving a folder into another folder. I'm aware that the LEM agent can block IP addresses or disable accounts but I'm inclined to think that it would be too late for those actions since the file operation is already under way.

        • Re: Prevent mass file operations?
          curtisi

          You could have LEM disable the offending account, and that should kill the file operation in progress.

          • Re: Prevent mass file operations?
            cscoengineer

            I have seen clients use LEM primarily as a reporting SIEM with limited active response.  In one instance of an active response, the user was locked out of the network - and the user happened to be the CEO.  He was not amused.  You need to be really careful when constructing an active response.

             

            As suggested by curtisi, you can try to disable the offending account, but the mass copying of a folder happens too quickly.

            However, you can try to limit the copy operation to once per second.  Any more than that could result in an account lockout.  In theory it could work, but I have not seen this implemented.

            Ultimately if the person is leaving the company his account should be locked BEFORE the person is given notice of termination.

             

            If files are moved or deleted by accident, there should be other mechanisms in place to handle that situation.

             

            Amit Shah

            Loop1 Systems
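
The rate threshold suggested in the reply above, sketched as an added example that is not part of the thread and is not LEM rule syntax: a per-account sliding window over file audit events that decides between disabling the account and alerting only. The event tuple layout, the `ALERT_ONLY` allowlist, and all account names and paths are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0     # window taken from the reply: one second
MAX_OPS_PER_WINDOW = 1   # "once per second"; anything above this trips the rule
ALERT_ONLY = {"ceo"}     # hypothetical: accounts that are never auto-disabled
WATCHED_OPS = {"copy", "move", "delete"}

def evaluate(events, window=WINDOW_SECONDS, limit=MAX_OPS_PER_WINDOW,
             alert_only=ALERT_ONLY):
    """events: time-ordered (timestamp_s, account, operation, path) tuples.

    Returns one (timestamp, account, action, ops_seen) tuple per account,
    emitted the first time that account exceeds `limit` watched operations
    inside `window` seconds. ops_seen counts the operations that had already
    been logged when the rule fired, i.e. the work done before any response.
    """
    recent = defaultdict(deque)   # account -> timestamps inside the window
    total = defaultdict(int)      # account -> watched operations so far
    tripped = set()
    decisions = []
    for ts, account, op, _path in events:
        if op not in WATCHED_OPS:
            continue
        total[account] += 1
        q = recent[account]
        q.append(ts)
        while ts - q[0] >= window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > limit and account not in tripped:
            tripped.add(account)
            action = "alert" if account in alert_only else "disable"
            decisions.append((ts, account, action, total[account]))
    return decisions

# Constructed sample events, not real audit logs.
SAMPLE_EVENTS = [
    (0.0, "jdoe", "delete", "/srv/share/a.docx"),
    (0.2, "jdoe", "delete", "/srv/share/b.docx"),
    (0.4, "jdoe", "delete", "/srv/share/c.docx"),
    (5.0, "asmith", "move", "/srv/share/reports"),
    (9.0, "asmith", "read", "/srv/share/reports/q1.xlsx"),
    (10.0, "ceo", "copy", "/srv/share/board/deck.pptx"),
    (10.3, "ceo", "copy", "/srv/share/board/notes.docx"),
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE_EVENTS):
        print(decision)
```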