Apologies if this question has already been asked and answered. A very cursory search didn’t turn up any results.

I have a trial version of Netwrix Auditor monitoring a single file server (all shares). It seems to be logging these actions as expected: Added, Modified, Removed.

However, if I search specifically for “Read” no data is returned. I don’t know if this is a misconfiguration on my part or what seems like a pretty serious omission in the out-of-the-box setup. Is there anything particular I should be looking at to enable logging on file read activity?

I’d like to set up an alert for mass “read” events (such as might occur in the early data exfiltration stages of a ransomware attack).

6 Spice ups

Only moments after posting this question I may have already answered it. Under the data source options in monitoring plans, changes are selected by default while read access is not. I’ve modified my plan and will post back if it works.

2 Spice ups

Read access is probably going to be very…chatty…hopefully you’re not getting email alerts every time someone reads a file!

Yes, and I may turn it off again after testing a while. I intend to set my alert threshold high enough to avoid unnecessary notifications. Without read events being monitored though it seems like I’d miss someone reading say, 2000 files in a span of 10 minutes.

1 Spice up

Okay, I can confirm that this was a simple case of checking the appropriate option under “Specify actions for monitoring”.

However, this also caused an unacceptable performance hit on that (admittedly older) file server so I’ve disabled it again.

1 Spice up

Yeah, that’s the other thing about reporting every read-job…it’s going to have super-high overhead. Hopefully, you can do your functionality testing then turn it off, or at least set a threshold (something like you suggest, 2k hits in x-time by the same user, send alert). If you can’t get alerting set to a threshold instead of event, you might have to leave it turned off.
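The threshold approach discussed in this thread (about 2000 files read by the same user within 10 minutes), sketched as an added example that is not code from any poster or from Netwrix: a sliding-window count of distinct files read per user, alerting once per burst rather than per event. The event tuple layout, user names and paths are constructed assumptions, not Netwrix Auditor's export format.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def mass_read_alerts(events, threshold=2000, window=timedelta(minutes=10)):
    """Return one (user, time, distinct_files) alert per burst of reads.

    events: iterable of (timestamp, user, action, path), sorted by timestamp.
    """
    recent = defaultdict(deque)   # user -> (timestamp, path) still in window
    seen = defaultdict(Counter)   # user -> path -> reads still in window
    alerting = set()              # users whose current burst was reported
    alerts = []
    for ts, user, action, path in events:
        if action != "Read":
            continue
        q, files = recent[user], seen[user]
        q.append((ts, path))
        files[path] += 1
        while ts - q[0][0] > window:      # expire reads older than window
            _, old = q.popleft()
            files[old] -= 1
            if files[old] == 0:
                del files[old]
        if len(files) < threshold:
            alerting.discard(user)        # burst over, re-arm the alert
        elif user not in alerting:        # alert once per burst, not per read
            alerting.add(user)
            alerts.append((user, ts, len(files)))
    return alerts


def sample_events():
    """Constructed data: a bulk reader and a user re-reading a few files."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    for i in range(2500):   # 2500 different files in about 8 minutes
        events.append((start + timedelta(milliseconds=200 * i), "svc-copy",
                       "Read", rf"\\fs01\share\doc{i}.docx"))
    for i in range(3000):   # 3000 reads, but only 5 different files
        events.append((start + timedelta(milliseconds=100 * i), "alice",
                       "Read", rf"\\fs01\hr\file{i % 5}.xlsx"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for user, ts, count in mass_read_alerts(sample_events()):
        print(f"ALERT {user}: {count} files read within 10 minutes at {ts}")
```

Counting distinct files instead of raw events keeps a user who reopens the same handful of documents from tripping the alert.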