3 Replies Latest reply on May 22, 2017 2:22 AM by abanaru

    File deletion alert

    biswabhusan

      Hello experts,I am looking at creating a rule that will alert when a mass deletion of files happens in any of the shared drives or NAS drives.I also want to see the account exiry date for the suer user who is doing this. This is to verify if any employee who is quitting the company is doing this. Do anyone has any experience of writing this kind of a rule or alarm.Please guide me.

      Thanks

      Biswa

        • 1. Re: File deletion alert
          abanaru

          Usually this is done by enabling File Auditing on the operating system, sending the events via syslog (or fetching them with WMI in case of Windows), then creating a correlation rule which should trigger for the same signature id with a custom filter (file delete), triggered for a high number of events in a configured time window by you. The correlation rule should group events by Source User.

          • 2. Re: File deletion alert
            biswabhusan

            Hi abanaru,thanks for the response.the key requirement is employees' end date from AD.How we can get this information?

            • 3. Re: File deletion alert
              abanaru

              Use the Data Enrichment feature. Connect to the AD (choose LDAP) and fetch the expiration date of the account and push it to your events.

              But if an account is set to expired, why is it allowed to login into the NAS ?

              1 of 1 people found this helpful