File server

This tutorial explains how to monitor and secure file servers with EventLog Analyzer, from the logging prerequisites through audit reports and detection rules.

Before working with audit reports and detection rules, establish the monitoring foundation on the file server itself: enable object access auditing so that file operations are written to the Security log, and forward those logs to the EventLog Analyzer console. Without this step the reports and correlation rules below have nothing to work on.

Throughout this tutorial, we'll focus on practical strategies for monitoring your file server, helping you detect anomalies and track file access patterns to maintain data integrity.

Securing Windows and Linux file servers: A log-based approach with EventLog Analyzer

EventLog Analyzer covers the file server auditing use cases below with its predefined security auditing reports. The reports can be scheduled to run at specific times and distributed by email. File servers on both Windows and Linux are supported.

Use case: Windows File Monitoring
Description: Track user interactions, file modifications, and access attempts, both in real time and retrospectively. Detect suspicious behavior, prevent unauthorized access, and maintain the integrity of your critical data assets.
Why implement? Enhance security, facilitate auditing, and ensure compliance by keeping track of file access, modification, deletion, and creation.
Available reports:
  • All File Monitoring
  • File Created
  • File Modified
  • File Deleted
  • File Renamed
  • File Permission Changes
  • Top file operations based on users
  • Top file operations based on devices
  • Top file operations based on files

Use case: Linux File Monitoring
Description: Use system-level mechanisms and tools to observe and analyze changes within the Linux file system.
Why implement? File monitoring on a Linux system supports security, compliance, integrity, incident response, proactive maintenance, and auditing.
Available reports:
  • All File Monitoring
  • File Created
  • File Modified
  • File Deleted
  • File Renamed
  • File Permission Changes
  • System File Changes
  • Top file operations based on users
  • Top file operations based on devices
  • Top file operations based on files

Threat detection use cases

The table below lists the preconfigured threat detection scenarios that EventLog Analyzer supports for file servers. A customizable correlation rule builder also lets you write your own detection rules. In the Event type column, 560, 562, 564 and 567 are the legacy (pre-Windows Vista) object access events; 4656, 4658, 4660 and 4663 are their current equivalents (handle requested, handle closed, object deleted, object accessed); 5145 records an access check on a network share object; and 4670 records a change to an object's permissions. The object access events (4656, 4658, 4660, 4663, 4670) are generated only when the File System subcategory of Object Access auditing is enabled and the monitored files or folders carry a system access control list (SACL); 5145 depends on the Detailed File Share subcategory instead.

Use case: Unexpected Access Loss
Event type: Microsoft-Windows-Security-Auditing - 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1531 (Account Access Removal)
  • Tactic: Impact
Detection rules:
  • File Permission Changes
  • Correlation Reports > File integrity threats > Multiple file permission changes

Use case: Accidental File Deletions
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1070.004 (Indicator Removal: File Deletion)
  • Sub-technique of: T1070
  • Tactic: Defense Evasion
Detection rules:
  • File Deleted
  • Correlation Reports > File integrity threats > Excessive file removal

Use case: Malware detection (both commodity and targeted attacks)
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1204.002 (User Execution: Malicious File)
  • Sub-technique of: T1204
  • Tactic: Execution
Detection rules:
  • All File Monitoring reports

Use case: File Tampering
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1565 (Data Manipulation)
  • Sub-techniques: T1565.001, T1565.002, T1565.003
  • Tactic: Impact
Detection rules:
  • File Modified
  • Correlation Reports > File integrity threats > Suspicious file access

Use case: Ransomware Detection
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1486 (Data Encrypted for Impact)
  • Tactic: Impact
Detection rules:
  • Correlation Reports > File integrity threats > Possible ransomware activities
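The correlation rules in the table are threshold rules over a time window: one account generating many events of a given type within a few minutes. The Python script below is an added illustration of that logic, not code from EventLog Analyzer. It runs three rules modelled on "Excessive file removal", "Multiple file permission changes" and "Possible ransomware activities" over constructed 4660, 4663 and 4670 records. The thresholds, windows, field names, account names, share paths and the double-extension heuristic used by the ransomware rule are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each record carries the fields a
# 4660 (object deleted), 4663 (object accessed) or 4670 (permissions changed)
# event exposes: time, event ID, subject account, object name and access type.
BASE = datetime(2024, 5, 1, 9, 0, 0)


def _burst(event_id, user, count, start, step_seconds, pattern, access=""):
    """Generate `count` events by one user, `step_seconds` apart, on numbered objects."""
    return [
        {"time": start + timedelta(seconds=i * step_seconds), "id": event_id,
         "user": user, "object": pattern.format(i), "access": access}
        for i in range(count)
    ]


SAMPLE_EVENTS = (
    # carol: ordinary activity that must not trigger anything
    [{"time": BASE, "id": 4663, "user": "carol",
      "object": r"\\FS01\HR\policy.docx", "access": "ReadData"},
     {"time": BASE + timedelta(minutes=3), "id": 4663, "user": "carol",
      "object": r"\\FS01\HR\policy.docx", "access": "WriteData"},
     {"time": BASE + timedelta(minutes=7), "id": 4660, "user": "carol",
      "object": r"\\FS01\HR\tmp.txt", "access": ""}]
    # alice: 12 deletions in under two minutes
    + _burst(4660, "alice", 12, BASE + timedelta(minutes=10), 10,
             r"\\FS01\Finance\old\{}.xlsx")
    # bob: ACLs rewritten on 6 project folders in under three minutes
    + _burst(4670, "bob", 6, BASE + timedelta(minutes=20), 30,
             r"\\FS01\Projects\p{}")
    # mallory: 15 files rewritten with an appended extension within one minute
    + _burst(4663, "mallory", 15, BASE + timedelta(minutes=30), 4,
             r"\\FS01\Shared\doc{}.docx.locked", "WriteData")
)


def double_extension(object_name):
    """Heuristic (assumption): 'report.docx.locked' has two extensions, 'report.docx' one."""
    return object_name.rsplit("\\", 1)[-1].count(".") >= 2


# Rule definitions: which events count, how many within what window, and whether
# distinct objects rather than raw events are counted. All values are assumptions.
RULES = {
    "Excessive file removal": dict(
        match=lambda e: e["id"] == 4660,
        threshold=10, window=timedelta(minutes=5), distinct_objects=False),
    "Multiple file permission changes": dict(
        match=lambda e: e["id"] == 4670,
        threshold=5, window=timedelta(minutes=10), distinct_objects=True),
    "Possible ransomware activities": dict(
        match=lambda e: (e["id"] == 4663 and "WriteData" in e["access"]
                         and double_extension(e["object"])),
        threshold=10, window=timedelta(minutes=2), distinct_objects=True),
}


def run_rules(events, rules=RULES):
    """Evaluate every rule per user with a sliding window; alert once per (rule, user)."""
    alerts = []
    for name, rule in rules.items():
        windows = defaultdict(deque)   # user -> matching events still inside the window
        fired = set()
        for event in sorted(events, key=lambda e: e["time"]):
            if not rule["match"](event):
                continue
            recent = windows[event["user"]]
            recent.append(event)
            # Evict events older than the window relative to the newest one.
            while event["time"] - recent[0]["time"] > rule["window"]:
                recent.popleft()
            hits = (len({e["object"] for e in recent}) if rule["distinct_objects"]
                    else len(recent))
            if hits >= rule["threshold"] and event["user"] not in fired:
                fired.add(event["user"])
                alerts.append({"rule": name, "user": event["user"], "count": hits,
                               "first": recent[0]["time"], "last": event["time"]})
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f'{a["rule"]}: {a["user"]} ({a["count"]} hits, '
              f'{a["first"]:%H:%M:%S} to {a["last"]:%H:%M:%S})')
```

Counting distinct objects for the permission and ransomware rules keeps a user who repeatedly saves one document from being mistaken for one rewriting an entire share; the deletion rule counts raw events because each 4660 is already one object gone. Alerting once per (rule, user) avoids a flood of duplicate alerts while the burst is still in progress.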

Data security use cases

The table below lists the data security use cases that EventLog Analyzer covers for file server platforms.

Use case: Pre-Departure Data Exfiltration
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1048 (Exfiltration Over Alternative Protocol)
  • Sub-techniques: T1048.001, T1048.002, T1048.003
  • Tactic: Exfiltration
Detection rules:
  • Top file operations based on users
  • Removable Device Auditing

Use case: Sensitive Data Auditing
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: M0941
Detection rules:
  • Custom reports with the criterion Access equals Object accessed

Use case: Data Sabotage
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: T1485 (Data Destruction)
  • Tactic: Impact
Detection rules:
  • File Deleted
  • Correlation Reports > File integrity threats > Excessive file removal

Use case: Data Breach Prevention
Event type: Microsoft-Windows-Security-Auditing - 560, 562, 564, 567, 4656, 4658, 4660, 4663, 5145, 4670
Relevant MITRE ATT&CK TTPs:
  • ID: M0803
Detection rules:
  • All File Monitoring reports
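The pre-departure exfiltration use case pairs the "Top file operations based on users" report with knowledge of who is leaving: a high absolute read count says less than a jump against the same account's own history. The Python below is an added illustration, not EventLog Analyzer code. It scores constructed per-user daily read counts (standing in for the report output) against each account's median from earlier days, and raises the severity when the account is on an assumed HR departure list or appears in the Removable Device Auditing report. The multiplier, floor, dates, names and both lists are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed rows standing in for a daily "Top file operations based on users"
# report restricted to read operations (4663 ReadData): (date, user, count).
REPORT_ROWS = (
    [(f"2024-05-0{d}", "alice", n) for d, n in enumerate([120, 135, 110, 128, 1900], 1)]
    + [(f"2024-05-0{d}", "bob", n) for d, n in enumerate([400, 380, 420, 390, 410], 1)]
    + [(f"2024-05-0{d}", "carol", n) for d, n in enumerate([15, 20, 10, 18, 260], 1)]
)

# Assumed enrichment feeds: leavers from HR, and accounts that appear in the
# Removable Device Auditing report for the same period.
DEPARTING_USERS = {"alice"}
REMOVABLE_MEDIA_USERS = {"alice"}


def score_users(rows, departing, removable, multiplier=3.0, floor=200):
    """Flag users whose latest daily read count exceeds both `floor` and
    `multiplier` times the median of their earlier days. Returns user -> details."""
    per_user = defaultdict(list)
    for date, user, count in rows:
        per_user[user].append((date, count))

    flagged = {}
    for user, history in per_user.items():
        history.sort()                       # chronological (ISO dates sort as text)
        if len(history) < 2:
            continue                         # no baseline to compare against
        baseline = median([c for _, c in history[:-1]])
        latest_date, latest = history[-1]
        # The floor stops low-volume accounts from tripping on a handful of reads.
        if latest <= max(multiplier * baseline, floor):
            continue
        risk = (user in departing) + (user in removable)   # 0, 1 or 2 corroborating signals
        flagged[user] = {
            "date": latest_date,
            "baseline": baseline,
            "latest": latest,
            "ratio": round(latest / baseline, 1) if baseline else None,
            "severity": ("critical", "high", "medium")[2 - risk],
        }
    return flagged


if __name__ == "__main__":
    for user, info in score_users(REPORT_ROWS, DEPARTING_USERS, REMOVABLE_MEDIA_USERS).items():
        print(f'{info["severity"]}: {user} read {info["latest"]} files on {info["date"]} '
              f'(baseline {info["baseline"]}, x{info["ratio"]})')
```

Using the account's own median rather than a fleet-wide threshold matters here: a service account that reads 400 files every day is normal, while an analyst who usually reads 120 and suddenly reads 1,900 on the week of their notice is the pattern this use case exists to catch.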

Compliance

Most regulatory mandates require organizations to track file access and modification and to protect the security and integrity of their data. The table below shows how EventLog Analyzer's file server reports and correlation rules map to those requirements.

Compliance requirement: Solution mapping for file server platform

Reports and alerts:
  • File Changes
  • File Created
  • File Modified
  • File Deleted
  • File Renamed
  • File Permission Changes
Detection rules:
  • Multiple file permission changes
  • Excessive file removal
  • Suspicious file access
  • Possible ransomware activities
Regulatory mandates and requirements:
  • FISMA: Audit and Accountability (AU)
  • PCI DSS: requirements 10.1, 10.2.3, 10.2.7
  • SOX: SEC 302 (a) (5) (A)
  • HIPAA: 164.308 (a) (1) (ii) (D)
  • ISO 27001:2013: controls A.12.4.1, A.12.4.2
  • ISLP: Articles 12, 13, 19.3, 20.5, 30.4, 30.6
  • GDPR: Articles 5 (1b), 5 (1d), 5 (1f), 32 (1d)
  • NRC: ACT B.1.6, B.1.22, B.2.6, C.3.7, C.4.3
  • CCPA and CPRA: Section 1798.150 (a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: Rule VI Section 25, Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 3, Section 20 (1) (b)
  • QCF: 4.2 Application Security Service, 6.8.3 Data at rest
  • TISAX: 5.2.4
  • CJDN: Application Development
  • UAE-NESA: T3.2.3, T7.5.1, T7.6.1
  • SOC 2: 5.2.02, 7.2.02, 8.1.14, C1.1.02

Reports and alerts:
  • File Changes Audit
  • AWS Accessed Files
  • AWS Deleted Files
  • AWS Created Or Modified Files
Detection rules:
  • Multiple file permission changes
  • Excessive file removal
  • Suspicious file access
  • Possible ransomware activities
Regulatory mandates and requirements:
  • FISMA: Audit and Accountability (AU)
  • PCI DSS: requirements 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.7
  • HIPAA: 164.308 (a) (1) (ii) (D)
  • ISO 27001:2013: controls A.12.4.1, A.12.4.2
  • GPG: Recording on Internal Workstation, Server or Device Status (PMC Rule 4); Reporting on the Status of the Audit System (PMC Rule 10)
  • ISLP: Article 12
  • NRC: ACT B.1.6, B.1.22, B.2.6, C.3.7, C.4.3
  • COCO: 1.D Protective monitoring and intrusion detection
  • CCPA and CPRA: Section 1798.150 (a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: Rule VI Section 25, Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • CMMC: C007 - AU.2.041, C013 - CM.2.061
  • POPIA: Chapter 2, Section 4; Chapter 3, Section 19 (1) (a); Chapter 3, Section 19 (2) (a)
  • QCF: 6.8.3 Data at rest, 15.2 Cloud assets security hardening service
  • SOC 2: 5.2.02, 5.2.03, 8.1.14