2017-03-20 06:58 AM
Hello All,
Well, I am in a scenario where there is a requirement to see the logs of the files or directories which are created on any Windows system that is integrated with the log decoder.
So to achieve this, what I did is enable system auditing on that specific directory on the Windows machine, but if I refer to the respective logs on the concentrator from the Investigation pane, then I am only able to find the logs related to "auditing settings on object were changed" under the "Event Description" meta, and under that I am only able to see the details of those files & folders which are already there.
But what I am looking for is that, if I add any directory or file and delete any file within the same directory, then the logs should come & I can see them on my concentrator with some basic details like:
which file has been created & deleted
which folder has been created & deleted
which file has been created & deleted, and by which user
if any permission gets changed on a file or directory
I am looking for some relevant information about any audit change on a specific folder with its proper Windows event ID.
Please suggest how I could achieve that kind of auditing on a directory with the help of NetWitness.
Hope to hear from you.
Regards,
Deepanshu Sood.
2017-03-25 06:45 PM
Basically you should look for Security Events that are related to objects:
Windows 560 Object Open
Windows 561 Handle Allocated
Windows 562 Handle Closed
Windows 563 Object Open for Delete
Windows 564 Object Deleted
Windows 565 Object Open (Active Directory)
Windows 566 Object Operation (W3 Active Directory)
Windows 567 Object Access Attempt
So event 564 is straightforward and tells you that something has been deleted by a user, but it doesn't tell you what has been deleted! Therefore I will try to correlate and tie this event 564 to event 560 because it contains the details of the file.
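As an added illustration of the correlation the reply above proposes (example code written for this page, not the poster's or RSA's own): the object-deleted event carries a Handle ID and Process ID but no object name, while the earlier object-open event for the same handle carries the Object Name and the user, so keying on the (Process ID, Handle ID) pair recovers which file was deleted and by whom. The 56x numbers in the reply are the legacy Windows 2000/2003 IDs; Windows Vista/Server 2008 and later log the same events as legacy ID + 4096 (560 -> 4656, 562 -> 4658, 564 -> 4660), which is what a current host actually forwards to the log decoder, so the script accepts both. It assumes the events are already being generated (folder SACL plus Object Access audit policy) and the key=value log lines it parses are constructed sample data, not real NetWitness meta.

```python
import re
from collections import namedtuple

# Security log event IDs. The 56x values are the legacy (Windows 2000/2003)
# IDs quoted in the reply; Windows Vista/Server 2008 and later log the same
# events as legacy ID + 4096, so both forms are accepted here.
OPEN_IDS = {560, 4656}    # Object Open / handle requested: carries Object Name and Handle ID
DELETE_IDS = {564, 4660}  # Object Deleted: carries Handle ID and Process ID, but no Object Name
CLOSE_IDS = {562, 4658}   # Handle Closed: after this the (Process ID, Handle ID) pair can be reused

Deletion = namedtuple("Deletion", "user object_name process_id handle_id")

# Constructed sample input (not real Windows or NetWitness output): one event
# per line as key=value pairs with the fields the real events carry. Object
# names are chosen without spaces so a simple \S+ token regex is enough.
SAMPLE_LOG = r"""
EventID=4656 HandleID=0x1a4 ProcessID=0x7c0 Subject=CORP\deepanshu ObjectName=C:\Share\secret.docx Accesses=DELETE
EventID=4656 HandleID=0x1b0 ProcessID=0x7c0 Subject=CORP\deepanshu ObjectName=C:\Share\notes.txt Accesses=ReadData
EventID=4660 HandleID=0x1a4 ProcessID=0x7c0 Subject=CORP\deepanshu
EventID=4658 HandleID=0x1a4 ProcessID=0x7c0 Subject=CORP\deepanshu
EventID=4658 HandleID=0x1b0 ProcessID=0x7c0 Subject=CORP\deepanshu
EventID=4656 HandleID=0x1a4 ProcessID=0x9e8 Subject=CORP\svc_backup ObjectName=C:\Share\old.bak Accesses=DELETE
EventID=4660 HandleID=0x1a4 ProcessID=0x9e8 Subject=CORP\svc_backup
EventID=4660 HandleID=0x2f0 ProcessID=0x9e8 Subject=CORP\svc_backup
EventID=560 HandleID=0x3c ProcessID=0x1f4 Subject=CORP\deepanshu ObjectName=C:\Share\legacy.txt Accesses=DELETE
EventID=564 HandleID=0x3c ProcessID=0x1f4 Subject=CORP\deepanshu
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value event line into a dict; empty dict for blank lines."""
    return dict(FIELD_RE.findall(line))


def correlate_deletions(log_text):
    """Walk the log in order and pair every delete event with the open event
    that named the object. Returns one Deletion per delete event; object_name
    is None when no matching open was seen (handle opened before the log
    window started, or the open was not audited)."""
    open_handles = {}   # (ProcessID, HandleID) -> ObjectName from the open event
    deletions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        event_id = int(ev["EventID"])
        # Handle IDs are only unique within a process and are recycled once
        # closed, so the process ID must be part of the key.
        key = (ev["ProcessID"], ev["HandleID"])
        if event_id in OPEN_IDS:
            open_handles[key] = ev["ObjectName"]
        elif event_id in DELETE_IDS:
            deletions.append(Deletion(ev["Subject"], open_handles.get(key),
                                      ev["ProcessID"], ev["HandleID"]))
        elif event_id in CLOSE_IDS:
            open_handles.pop(key, None)
    return deletions


if __name__ == "__main__":
    for d in correlate_deletions(SAMPLE_LOG):
        name = d.object_name or "<unknown: no matching open event>"
        print(f"{d.user} deleted {name} (pid {d.process_id}, handle {d.handle_id})")
```

Two practical points the sample exercises: the same handle value (0x1a4) appears under two different processes, which is why the key includes the process ID and why the mapping is dropped on the handle-closed event; and the delete for handle 0x2f0 has no matching open, so the report flags it as unknown rather than silently attributing the wrong file. On the Windows side, the object-open and object-deleted events are only produced when both the folder SACL and the Object Access audit policy (the File System subcategory on Vista and later) are enabled; setting the SACL alone yields only the "auditing settings on object were changed" event the question describes.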