Apparently there is a new security feature that is part of the 9.6.1 MR1 and 10.0.2 releases that does not allow the use of hidden shares when tailing / copying files; this was not disclosed in the Release Notes.
According to the original feedback I received, somebody set up a File Copy to the C$ share, checked the box to "Delete processed files", and wiped out a server.
According to Tier3 / Engineering there is a vulnerability in Linux that would allow an attacker full access to the remote hidden share, as Linux treats the $ differently than Microsoft does. We have requested a bug report and formal documentation.
File Tailing does not have an option to delete files, please restore the functionality to remote tail files using a hidden share, we don't want to advertise "HERE ARE THE LOGS" by creating shares.
I would hope you make the requirement for not using a hidden share apply only if you are doing a File Copy and you check the box to "Delete processed files".
File Tail / Copy from the SIEM Receiver was introduced in version 9.6.0; previously you had to use a SIEM Collector Agent. I guess I will be going back to a local agent if this does not get resolved.
There is a new patch for this issue, but I believe it is release specific, check with support.
We did have to re-format how we connected to the remote shares, and change from backslashes to forward slashes.
Previously we did something similar to this:
Path: (this was empty)
User Name: domain\user
Now, with the patch installed, it has to be formatted as follows:
User Name: domain/user
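Two points from this thread are worth a concrete check: the backslash-to-forward-slash change in the share path and user name that the patch requires, and the risk of a File Copy with "Delete processed files" pointed at an administrative share such as C$ (the scenario that wiped a server above). The following is an added example, not McAfee SIEM code or anything from the product's configuration API: a small, hypothetical pre-flight validator that normalises the legacy formats and refuses the dangerous combination while still permitting plain File Tail against a hidden share, which is what the poster asked for. The `FileSource` fields, the finding codes, and the sample sources are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class FileSource:
    """Hypothetical model of one SIEM Receiver file-tail / file-copy data source."""
    mode: str                       # "tail" or "copy"
    share_path: str                 # UNC path, legacy \\server\share or patched //server/share
    user: str                       # legacy domain\user or patched domain/user
    delete_processed: bool = False  # the "Delete processed files" checkbox (File Copy only)


def normalize_user(user: str) -> str:
    """domain\\user -> domain/user, the format the patched Receiver expects."""
    return user.replace("\\", "/")


def normalize_share_path(path: str) -> str:
    """\\\\server\\share\\dir -> //server/share/dir (forward-slash form)."""
    return path.replace("\\", "/")


def share_name(path: str) -> str:
    """Return the share component of a UNC path, e.g. //srv/C$/logs -> 'C$'."""
    parts = [p for p in normalize_share_path(path).split("/") if p]
    return parts[1] if len(parts) >= 2 else ""


def is_hidden_share(path: str) -> bool:
    """Any share whose name ends in '$' is hidden from browse lists on Windows."""
    return share_name(path).endswith("$")


def is_admin_share(path: str) -> bool:
    """Built-in administrative shares: drive roots (C$, D$, ...), ADMIN$, IPC$."""
    return bool(re.fullmatch(r"[A-Z]\$|ADMIN\$|IPC\$", share_name(path).upper()))


def check_source(src: FileSource) -> list[str]:
    """Return finding codes (constructed for this example) for a data source.

    The only hard refusal is delete-on-copy against a hidden share, because a
    mistake there removes files from the remote host rather than just reading them.
    Plain tailing of a hidden share is allowed: tail has no delete option.
    """
    findings = []
    if "\\" in src.user or "\\" in src.share_path:
        findings.append("LEGACY_BACKSLASH_FORMAT")  # will not work on the patched release
    if is_admin_share(src.share_path):
        findings.append("ADMIN_SHARE_TARGET")       # whole drive exposed; warn even for tail
    if src.mode == "copy" and src.delete_processed and is_hidden_share(src.share_path):
        findings.append("REFUSE_DELETE_ON_HIDDEN_SHARE")
    return findings


def patched_form(src: FileSource) -> FileSource:
    """Rewrite a legacy-format source into the forward-slash form the patch requires."""
    return FileSource(src.mode, normalize_share_path(src.share_path),
                      normalize_user(src.user), src.delete_processed)


if __name__ == "__main__":
    # Constructed sample sources: the server-wiping case, and a benign hidden-share tail.
    samples = [
        FileSource("copy", r"\\fileserver\C$\app\logs", r"domain\user", delete_processed=True),
        FileSource("tail", "//fileserver/applogs$/web", "domain/user"),
    ]
    for s in samples:
        print(s.mode, s.share_path, "->", check_source(s) or "ok")
        print("  patched form:", patched_form(s).share_path, patched_form(s).user)
```

Run as a script it prints the findings for each sample; used as a module, `check_source` can gate a data-source definition before it is pushed to the Receiver, and `patched_form` shows what the same definition looks like after the slash change.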