Hello experts, I am looking at creating a rule that will alert when a mass deletion of files happens in any of the shared drives or NAS drives. I also want to see the account expiry date for the user who is doing this. This is to verify if any employee who is quitting the company is doing this. Does anyone have any experience of writing this kind of a rule or alarm? Please guide me.
Usually this is done by enabling File Auditing on the operating system, sending the events via syslog (or fetching them with WMI in the case of Windows), then creating a correlation rule which should trigger for the same signature ID with a custom filter (file delete), triggered for a high number of events in a time window configured by you. The correlation rule should group events by Source User.
Use the Data Enrichment feature. Connect to the AD (choose LDAP) and fetch the expiration date of the account and push it to your events.
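The two answers above describe a threshold correlation (group file-delete events by source user, fire when many occur in a time window) followed by enrichment with the account expiry date. The following is an added example, not code from any poster or from any particular SIEM product: it implements that sliding-window grouping in plain Python over a few constructed audit events, and enriches the resulting alert from a constructed in-memory dictionary that stands in for the LDAP lookup of the account expiry attribute. The event field names (`ts`, `signature`, `action`, `user`, `path`), the threshold of 5 deletes in 2 minutes, and the `DIRECTORY` stand-in are all assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on file-audit records forwarded
# over syslog. The field names are an assumption, not a real SIEM schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "signature": "file_audit", "action": "delete",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\report1.xlsx"},
    {"ts": "2024-03-01T09:00:05", "signature": "file_audit", "action": "read",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\notes.txt"},
    {"ts": "2024-03-01T09:00:10", "signature": "file_audit", "action": "delete",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\report2.xlsx"},
    {"ts": "2024-03-01T09:00:20", "signature": "file_audit", "action": "delete",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\report3.xlsx"},
    {"ts": "2024-03-01T09:00:30", "signature": "file_audit", "action": "delete",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\report4.xlsx"},
    {"ts": "2024-03-01T09:00:40", "signature": "file_audit", "action": "delete",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\report5.xlsx"},
    {"ts": "2024-03-01T09:00:50", "signature": "file_audit", "action": "delete",
     "user": "CORP\\jdoe", "path": "\\\\nas01\\shared\\q1\\report6.xlsx"},
    # A second user deleting a few files spread over ten minutes: normal activity.
    {"ts": "2024-03-01T09:01:00", "signature": "file_audit", "action": "delete",
     "user": "CORP\\asmith", "path": "\\\\nas01\\shared\\tmp\\a.tmp"},
    {"ts": "2024-03-01T09:05:00", "signature": "file_audit", "action": "delete",
     "user": "CORP\\asmith", "path": "\\\\nas01\\shared\\tmp\\b.tmp"},
    {"ts": "2024-03-01T09:10:00", "signature": "file_audit", "action": "delete",
     "user": "CORP\\asmith", "path": "\\\\nas01\\shared\\tmp\\c.tmp"},
]

# Rule parameters (assumed values; tune to the environment's normal delete rate).
THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed stand-in for the directory enrichment step. In a real deployment
# this would be an LDAP query against AD for the account's expiry attribute.
DIRECTORY = {
    "CORP\\jdoe": "2024-03-15",   # account set to expire: a leaver
    "CORP\\asmith": "never",
}


def lookup_account_expiry(user):
    """Return the account expiry date for a user, or 'unknown' if not found."""
    return DIRECTORY.get(user, "unknown")


def correlate_mass_deletes(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window correlation over file-delete events grouped by source user.

    Keeps, per user, the timestamps of deletes seen within the last `window`.
    When that count reaches `threshold` an alert is produced and enriched with
    the user's account expiry date. One alert per user is emitted in this demo.
    """
    per_user = defaultdict(deque)
    alerts = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Custom filter: only the file-audit signature with a delete action.
        if ev["signature"] != "file_audit" or ev["action"] != "delete":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        recent = per_user[ev["user"]]
        recent.append(ts)
        # Drop deletes that fell out of the time window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "count": len(recent),
                "first": recent[0].isoformat(),
                "last": ts.isoformat(),
                "account_expires": lookup_account_expiry(ev["user"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_mass_deletes(SAMPLE_EVENTS):
        print(alert)
```

Running the block fires a single alert for `CORP\jdoe` at the fifth delete inside the two-minute window, carrying the expiry date `2024-03-15` from the enrichment step, while `CORP\asmith` never reaches the threshold. In a SIEM the same logic is expressed as a rule rather than code, but the pieces are the same: the signature filter, the group-by on source user, the count-over-window threshold, and the enrichment applied to the generated event.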
But if an account is set to expired, why is it allowed to log in to the NAS?