Email Alert on Max File Access Read

+1 vote
asked May 10, 2018 in EventSentry by rgt522 (130 points)
How can I set up an email alert if a user accesses 10+ files in under 2 seconds?

1 Answer

0 votes
answered May 11, 2018 by Ingmar (7,190 points)

We have a blog article that describes how to go about setting this up in detail, as part of our blog series on protecting against ransomware. It's a bit verbose but explains exactly what you are looking for. We also have a KB article that explains the same exact thing and is a little less verbose.

In a nutshell you will need to do the following:

  • Ensure object access auditing is enabled via GPO or in the local security policy
  • Enable auditing for write access on the folder in question
  • Set up a threshold filter for 4663 with the insertion string representing the username

Let us know if you have any questions.
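The three steps above end in a threshold rule: once object access auditing is on and the folder has a SACL, every file access lands in the Security log as event 4663, and the rule counts those events per user (the SubjectUserName insertion string) inside a short time window. The block below is an added example, not EventSentry's code and not from the answer: it reproduces that per-user sliding-window threshold in Python over constructed 4663-style records (timestamp, user, object name, access mask), so the threshold and window can be tuned offline before the rule is deployed. Record format, folder path, user names and the access-mask filter are assumptions chosen for the illustration.

```python
"""Per-user threshold detection over Windows 4663 (object access) records.

Added example (not EventSentry's code): emulates a threshold filter on
event 4663 keyed by the username insertion string. Records are constructed
sample data, not real log output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Bits from the 4663 "Access Mask" field (FILE_* rights from winnt.h).
FILE_READ_DATA = 0x1
FILE_WRITE_DATA = 0x2
DELETE = 0x10000
FILE_READ_ATTRIBUTES = 0x80   # touching metadata, not file content


def _burst(user, start, count, step_ms, mask, prefix):
    """Constructed burst of `count` distinct files for `user`, `step_ms` apart."""
    return [
        f"{(start + timedelta(milliseconds=i * step_ms)).isoformat()}"
        f"|{user}|C:\\Share\\{prefix}{i:02d}.docx|{mask:#x}"
        for i in range(count)
    ]


T0 = datetime(2018, 5, 10, 9, 0, 0)
# Constructed sample (assumed format: timestamp|SubjectUserName|ObjectName|AccessMask).
SAMPLE_4663 = (
    _burst("CORP\\alice", T0, 12, 120, FILE_READ_DATA, "report")       # 12 files in 1.3 s: should alert
    + [  # a single open often yields several 4663 events for the same file
        "2018-05-10T09:00:00.050000|CORP\\alice|C:\\Share\\report00.docx|0x1",
        "2018-05-10T09:00:00.170000|CORP\\alice|C:\\Share\\report01.docx|0x1",
    ]
    + _burst("CORP\\bob", T0 + timedelta(seconds=10), 6, 300, FILE_READ_DATA, "invoice")    # below threshold
    + _burst("CORP\\carol", T0 + timedelta(seconds=20), 11, 100, FILE_READ_ATTRIBUTES, "memo")  # not a data read
    + _burst("CORP\\dave", T0 + timedelta(seconds=60), 15, 250, FILE_WRITE_DATA, "draft")   # 15 files over 3.5 s
    + _burst("CORP\\alice", T0 + timedelta(minutes=5), 3, 100, FILE_READ_DATA, "notes")     # small, much later
)


def parse_record(line):
    """Split one constructed record into (timestamp, user, object, access mask)."""
    ts, user, obj, mask = line.split("|")
    return datetime.fromisoformat(ts), user, obj, int(mask, 16)


def parse_records(lines):
    return [parse_record(line) for line in lines]


def detect_bursts(records, threshold=10, window=timedelta(seconds=2),
                  mask_filter=FILE_READ_DATA | FILE_WRITE_DATA | DELETE):
    """Alert when one user touches `threshold` distinct files within `window`.

    Counts distinct object names rather than raw events, because Windows emits
    one 4663 per granted access and a single open can produce several. Events
    whose access mask has none of the bits in `mask_filter` are ignored.
    """
    recent = defaultdict(deque)   # user -> (timestamp, object) pairs, oldest first
    alerts = []
    for ts, user, obj, mask in sorted(records, key=lambda r: r[0]):
        if not mask & mask_filter:
            continue
        q = recent[user]
        q.append((ts, obj))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {o for _, o in q}
        if len(distinct) >= threshold:
            alerts.append({"user": user, "start": q[0][0], "end": ts, "files": len(distinct)})
            q.clear()   # one alert per burst instead of one per further event
    return alerts


def run_example():
    return detect_bursts(parse_records(SAMPLE_4663))


if __name__ == "__main__":
    for a in run_example():
        print(f"ALERT {a['user']}: {a['files']} files between {a['start'].time()} and {a['end'].time()}")
```

Only alice's first burst fires: bob is under the count, carol's events carry only FILE_READ_ATTRIBUTES and are filtered out, and dave's 15 writes never put 10 distinct files inside any 2-second window. Before a rule like this can see anything, the audit policy and SACL from the steps above must be in place (for example `auditpol /set /subcategory:"File System" /success:enable` on the host, plus an audit entry on the folder); with auditing on, expect a high 4663 volume on busy shares, which is why the rule keys on the username rather than on the folder as a whole.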

commented May 14, 2018 by rgt522 (130 points)
Still don't find this very helpful. Are there any videos that show this configuration? Trying to get alerted to users trying to copy files to external devices.
commented May 15, 2018 by Ingmar (7,190 points)
I'm sorry you don't find this helpful; was there something in particular you didn't find helpful? It's helped other users before and the instructions are pretty detailed. However, monitoring external drives is an entirely different situation, since removable devices don't usually have NTFS and as such can't be monitored in the same way.

Which operating system(s) are the computers you want to monitor external drives on running?