Usually this is done by enabling File Auditing on the operating system, sending the events via syslog (or fetching them with WMI in the case of Windows), then creating a correlation rule which should trigger for the same signature ID with a custom filter (file delete), triggered for a high number of events in a time window configured by you. The correlation rule should group events by Source User.
Hi abanaru, thanks for the response. The key requirement is the employees' end date from AD. How can we get this information?
Use the Data Enrichment feature. Connect to the AD (choose LDAP) and fetch the expiration date of the account and push it to your events.
But if an account is set to expired, why is it allowed to log in to the NAS?
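The correlation logic discussed in this thread (file-delete events grouped by Source User, a count threshold inside a time window, and the AD account expiration date attached to the result) can be sketched outside the SIEM as follows. This is an added example, not code from the thread or from any SIEM product; the event tuple layout, the threshold, the window, the user names and the sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # AD accountExpires values meaning "never expires"

def filetime_to_dt(ft):
    """AD accountExpires is 100 ns ticks since 1601-01-01 UTC; None if never."""
    if ft in NEVER:
        return None
    return datetime(1601, 1, 1, tzinfo=UTC) + timedelta(microseconds=ft // 10)

def correlate(events, expires_by_user, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per user the first time `threshold` file-delete events
    fall inside `window`. `events` must be sorted by timestamp."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerted, alerts = set(), []
    for ts, user, action in events:
        if action != "file_delete":          # the custom filter
            continue
        q = recent[user]                     # group by Source User
        q.append(ts)
        while ts - q[0] > window:            # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "count": len(q),
                "window_start": q[0],
                # enrichment: expiration date looked up from AD for this user
                "account_expires": filetime_to_dt(expires_by_user.get(user, 0)),
            })
    return alerts

# Constructed sample data (hypothetical users and times).
BASE = datetime(2024, 6, 28, 9, 0, tzinfo=UTC)
SAMPLE_EVENTS = [
    (BASE, "jdoe", "file_delete"),
    (BASE + timedelta(minutes=1), "jdoe", "file_delete"),
    (BASE + timedelta(minutes=2), "asmith", "file_delete"),
    (BASE + timedelta(minutes=3), "jdoe", "file_read"),
    (BASE + timedelta(minutes=4), "jdoe", "file_delete"),
    (BASE + timedelta(minutes=20), "asmith", "file_delete"),
    (BASE + timedelta(minutes=40), "asmith", "file_delete"),
]
SAMPLE_EXPIRES = {"jdoe": 133642656000000000, "asmith": 0}  # 2024-07-01 UTC / never

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SAMPLE_EXPIRES):
        print(alert)
```

In a real deployment the threshold and window have to be tuned against normal delete volumes on the share, since bulk clean-ups by ordinary users will otherwise trigger the rule.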