How to count changes for auditing Windows file change per user?

0 votes
asked Jul 7, 2017 in EventSentry by MrQ (170 points)
I would like to determine baseline max. changes for configuring EventSentry against ransomware with Windows Auditing and Event ID 4663.

1 Answer

0 votes
answered Jul 7, 2017 by netikus (3,240 points)

You can do this by (temporarily) creating a file access tracking package which will normalize all 4663 events recorded by a monitored host.

Simply click on "Compliance Tracking" under "Packages" and create a new package. Assign the package accordingly.

Then, add the "File Access" object to it. Configure that object for "Track all file access activity" and click the "Configure" button to customize it (this is to filter out unwanted data).

Then simply push the configuration to the target hosts and wait until some file access activity has been generated. You can then view file access tracking data in the web reports under "Compliance -> File Access", similar to here:

The summary page already shows you the data grouped by various properties, such as the user name, but you can click the blue header columns as well to get more detailed reporting.
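As an added example that is not part of the original answer or EventSentry's own code, the script below does the per-user counting the question asks for directly on exported 4663 events: it parses the XML shape that `wevtutil qe Security /q:"*[System[EventID=4663]]" /f:xml` emits (wrapped in a root element), keeps only write/append/delete accesses, buckets them per user per minute and reports each user's busiest minute as the baseline a change threshold should sit above. The event records, user names and paths are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# AccessMask bits that modify a file: FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE
WRITE_BITS = 0x2 | 0x4 | 0x10000

def _ev(t, user, obj, mask):
    # Build one constructed 4663 event in the XML shape the Security log exports
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID>'
            f'<TimeCreated SystemTime="{t}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data><Data Name="ObjectName">{obj}</Data>'
            f'<Data Name="AccessMask">{mask}</Data></EventData></Event>')

# Constructed sample (not from a real host): alice writes 3 files in one minute and reads
# a fourth; bob writes once, then deletes a file five minutes later.
SAMPLE_XML = "<Events>" + "".join([
    _ev("2017-07-07T10:00:01.000Z", "alice", r"C:\share\a.docx", "0x2"),
    _ev("2017-07-07T10:00:20.000Z", "alice", r"C:\share\b.docx", "0x2"),
    _ev("2017-07-07T10:00:45.000Z", "alice", r"C:\share\c.docx", "0x4"),
    _ev("2017-07-07T10:00:50.000Z", "alice", r"C:\share\d.docx", "0x1"),
    _ev("2017-07-07T10:00:10.000Z", "bob",   r"C:\share\e.xlsx", "0x2"),
    _ev("2017-07-07T10:05:00.000Z", "bob",   r"C:\share\f.xlsx", "0x10000"),
]) + "</Events>"

def parse_4663(xml_text):
    """Return a list of dicts (time, user, object, mask) for every 4663 event."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
                       "user": data["SubjectUserName"], "object": data["ObjectName"],
                       "mask": int(data["AccessMask"], 16)})
    return events

def changes_per_user_window(events, window_seconds=60):
    """Count modifying accesses per user per fixed window: {user: Counter{window_start: n}}."""
    counts = defaultdict(Counter)
    for e in events:
        if not e["mask"] & WRITE_BITS:      # skip reads and other non-modifying accesses
            continue
        bucket = int(e["time"].timestamp()) // window_seconds * window_seconds
        counts[e["user"]][bucket] += 1
    return counts

def baseline_max(events, window_seconds=60):
    """Busiest window per user: the count a per-user change threshold should stay above."""
    return {u: max(c.values()) for u, c in changes_per_user_window(events, window_seconds).items()}
```

Run it over a few days of real exports before picking a threshold, since a single busy minute from a backup or sync job will otherwise set the baseline far too high.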
