We have also looked at Varonis but been deterred by their pricing. A PoC using it with fpolicy pegged our filers at 100% CPU which also put us off.
It is something that I would like to look at again so really interested to hear what others are doing.
-----Original Message-----
From: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> On Behalf Of Ian Ehrenwald
Sent: 18 October 2018 23:41
To: S. Eno <s.eno@me.com>
Cc: Toasters <toasters@teaparty.net>
Subject: Re: Audit logs for CIFS events
I've been prospected by Varonis sales folks numerous times and never had the time or budget. They are very persistent, I'll give them that.
I guess I'll do some more web searches and if I need to, attempt a roll-my-own. Basil, any chance you could share this potential project with a suitable open source license if you ever get around to doing it?
________________________________________
From: S. Eno <s.eno@me.com>
Sent: Thursday, October 18, 2018 4:48:46 PM
To: Ian Ehrenwald
Cc: Toasters
Subject: Re: Audit logs for CIFS events
We are using Varonis.
> On Oct 18, 2018, at 1:28 PM, Ian Ehrenwald <Ian.Ehrenwald@hbgusa.com> wrote:
>
> Good afternoon
> Is anyone making use of cDOT auditing capabilities on CIFS shares? I've set up a demo implementation to toy around with and the log output leaves something to be desired, in terms of immediate usefulness/understandability. I was hoping for something that I could hand off to an end user when they ask "why did file X get moved to directory Y?".
>
> My demo auditing policy only has file-ops enabled, and the demo share (on NTFS volume) I am testing auditing with has advanced auditing permissions Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, Delete, Change Permissions, and Take Ownership enabled against my demo user.
>
> When I connect to this share as the demo user and create a directory, copy a file into it, create a subdirectory, move the file into this subdirectory, I do indeed get logging events I can view with Windows Event Viewer. Technically auditing is working. However, it is difficult to actually put together a chain of events based on the logged information with just my single user access, nevermind thousands of users across hundreds of shares.
>
> What are other people using to make sense of this audit data? Exporting via XML instead of EVTX and feeding it to.. something? Custom parsers? Spending hours with the awful Event Viewer and filters when your boss's boss wants an explanation for why files moved? :)
>
>
> Ian Ehrenwald
> Senior Infrastructure Engineer
> Hachette Book Group, Inc.
> 1.617.263.1948 / ian.ehrenwald@hbgusa.com
>
>
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters<https://protect-us.mimecast.com/s/fn1sC0RoXRU25DomCD6Kwi?domain=teaparty.net>
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters This email is being sent by a subsidiary of Arthur J. Gallagher Holdings (UK) Limited, part of the Arthur J. Gallagher & Co. global group of companies. For details of the registered office, company number and, where applicable, regulated status of our subsidiaries, please visit
https://www.ajginternational.com/legal-regulatory-information/. We are the data controller of any personal information you provide to us or personal information that has been provided to us by a third party. We collect and process information about you in order to arrange insurance policies and to process claims. Your information is also used for business purposes such as fraud prevention and detection and financial management. This may involve sharing your information with third parties such as insurers, reinsurers, other brokers, claims handlers, loss adjusters, credit reference agencies, service providers, professional advisors, our regulators, police and government agencies or fraud prevention agencies.
We may record telephone calls to help us monitor and improve the service we provide. For further information on how your information is used and your rights in relation to your information please see our privacy notice at
https://www.ajginternational.com/Privacy-Policy/. If you are providing personal data of another individual to us, you must tell them you are providing their information to us and show them a copy of this notice.
Where you are obtaining a non-consumer policy of (re)insurance, or cover for additional risks or renewal under an existing policy, you are required to make a fair presentation of the risk to a (re)insurer which discloses every material circumstance which you know or ought to know relating to the risk to be insured. A circumstance is material if it would influence the judgment of a prudent insurer in determining whether to provide insurance for the risk and, if so, on what terms. Disclosure must be reasonably clear and accessible to a prudent insurer and made in good faith. The aforementioned duty of disclosure is the applicable duty under the laws of England and Wales. If your policy is not subject to English law you are expected to disclose risk information in accordance with the requirements of the applicable law. In such circumstances we expect you will disclose risk information at least equal to the standard required under English law and where the applicable law require!
s you to disclose information over and above the level required under English law you will provide such information in accordance with that law.
Where you are obtaining a consumer policy of insurance, you must read each question and answer honestly and fully and must take reasonable care to not make a misrepresentation.
Failure to comply with the above disclosure requirements, as they apply to you, could mean that your policy of (re)insurance is void, its terms are materially altered or that (re)insurers are not liable to pay all or part of your claim(s). If you are in any doubt as to your obligations you should ask your usual contact.
This e-mail and any attachments are CONFIDENTIAL and may contain legally privileged information. If you are not the intended recipient of this e-mail message, please telephone or e-mail us immediately, delete this message from your system and do not read, copy, distribute, disclose or otherwise use this e-mail message and any attachments. Although the above company has taken reasonable precautions to ensure this e-mail and any attachments are free of any virus or other defect that may affect your computer, it is the responsibility of the recipient to ensure that it is virus free and the above company does not accept any responsibility for any loss or damage arising in any way from its use.
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters