
List:       toasters
Subject:    Re: Audit logs for CIFS events
From:       "S. Eno via Toasters" <toasters () teaparty ! net>
Date:       2018-10-18 20:48:53
Message-ID: mailman.197.1539895731.9337.toasters () teaparty ! net
[Download RAW message or body]

Subject: Re: Audit logs for CIFS events
From: "S. Eno" <s.eno@me.com>
Date: Thu, 18 Oct 2018 16:48:46 -0400
To: Ian Ehrenwald <Ian.Ehrenwald@hbgusa.com>
Cc: Toasters <toasters@teaparty.net>
In-reply-to: <DB6PR0802MB245510ECB2B39CFF21D8F4C39DF80@DB6PR0802MB2455.eurprd08.prod.outlook.com>
Message-id: <D4152D2C-50AB-4EF1-A1DD-5A3C584B0CC0@me.com>

We are using Varonis.



> On Oct 18, 2018, at 1:28 PM, Ian Ehrenwald <Ian.Ehrenwald@hbgusa.com> wrote:
> 
> Good afternoon
> Is anyone making use of cDOT auditing capabilities on CIFS shares?  I've set up a
> demo implementation to toy around with and the log output leaves something to be
> desired, in terms of immediate usefulness/understandability.  I was hoping for
> something that I could hand off to an end user when they ask "why did file X get
> moved to directory Y?".
> My demo auditing policy only has file-ops enabled, and the demo share (on NTFS
> volume) I am testing auditing with has advanced auditing permissions Create
> Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, Delete,
> Change Permissions, and Take Ownership enabled against my demo user.
> When I connect to this share as the demo user and create a directory, copy a file
> into it, create a subdirectory, move the file into this subdirectory, I do indeed
> get logging events I can view with Windows Event Viewer.  Technically auditing is
> working.  However, it is difficult to actually put together a chain of events based
> on the logged information with just my single user access, never mind thousands of
> users across hundreds of shares.
> What are other people using to make sense of this audit data?  Exporting via XML
> instead of EVTX and feeding it to.. something?  Custom parsers?  Spending hours
> with the awful Event Viewer and filters when your boss's boss wants an explanation
> for why files moved? :)
> 
> Ian Ehrenwald
> Senior Infrastructure Engineer
> Hachette Book Group, Inc.
> 1.617.263.1948 / ian.ehrenwald@hbgusa.com
> 
> 
> _______________________________________________
> Toasters mailing list
> Toasters@teaparty.net
> http://www.teaparty.net/mailman/listinfo/toasters



_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
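The quoted question asks what to feed the XML export to so that a sequence of per-operation audit records can be turned into an answer to "who moved file X into directory Y?". The script below is an added illustration of that correlation step; it is not code from the thread, from Varonis or from NetApp. It parses events in the Windows event-log XML shape (the schema the XML export follows), flattens them, and pairs a DELETE access on one path with a WriteData/AddFile access on another path with the same basename by the same user inside a short window, reporting the pair as a move. The sample events are constructed for the example, the event ID and Data field names follow Windows object-access auditing conventions, the access-mask %% resource IDs are the standard Windows ones, and the move heuristic and the 5-second window are assumptions, not anything ONTAP documents.

```python
"""Correlate Windows-style object-access audit events into a per-file chain.

Added example, not from the mailing-list thread. Event IDs and Data field
names follow Windows object-access auditing; the sample below is constructed
and the move heuristic is an assumption made for this illustration.
"""
import posixpath
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Windows event-log XML namespace; each <Event> element declares it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows access-mask resource IDs as they appear in a 4663 AccessList field.
ACCESS_NAMES = {
    "%%4416": "ReadData",
    "%%4417": "WriteData/AddFile",
    "%%4418": "AppendData/AddSubdirectory",
    "%%1537": "DELETE",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
}


def _event(ts, eid, domain, user, handle, path, access):
    # Minimal Windows-style <Event>: just the fields the parser below reads.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
        f'<EventData><Data Name="SubjectDomainName">{domain}</Data>'
        f'<Data Name="SubjectUserName">{user}</Data><Data Name="HandleId">{handle}</Data>'
        f'<Data Name="ObjectName">{path}</Data><Data Name="AccessList">{access}</Data></EventData>'
        "</Event>"
    )


# Constructed sample (not a real filer capture): mkdir, copy a file in, mkdir,
# move the file into the subdirectory, then an unrelated read by another user.
SAMPLE_XML = "<Events>" + "".join([
    _event("2018-10-18T17:02:10.000000Z", 4663, "HBG", "demo", "0x1a", "/proj", "%%4418"),
    _event("2018-10-18T17:02:31.000000Z", 4663, "HBG", "demo", "0x1b", "/proj/report.docx", "%%4417"),
    _event("2018-10-18T17:02:40.000000Z", 4663, "HBG", "demo", "0x1c", "/proj/archive", "%%4418"),
    _event("2018-10-18T17:03:05.000000Z", 4663, "HBG", "demo", "0x1d", "/proj/report.docx", "%%1537"),
    _event("2018-10-18T17:03:06.000000Z", 4663, "HBG", "demo", "0x1e", "/proj/archive/report.docx", "%%4417"),
    _event("2018-10-18T17:03:20.000000Z", 4663, "HBG", "jdoe", "0x2f", "/proj/archive/report.docx", "%%4416"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten every <Event> into a dict and return them in time order."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
            "id": int(system.find("e:EventID", NS).text),
            "user": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
            "handle": data.get("HandleId", ""),
            "path": data.get("ObjectName", ""),
            "access": [ACCESS_NAMES.get(tok, tok) for tok in data.get("AccessList", "").split()],
        })
    return sorted(events, key=lambda e: e["time"])


def infer_moves(events, window=timedelta(seconds=5)):
    """Heuristic (assumed for this example): a DELETE on path A followed within
    `window` by WriteData/AddFile on a different path B with the same basename,
    by the same user, is reported as a move A -> B."""
    moves = []
    for i, ev in enumerate(events):
        if ev["id"] != 4663 or "DELETE" not in ev["access"]:
            continue
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break
            if (later["id"] == 4663 and later["user"] == ev["user"]
                    and "WriteData/AddFile" in later["access"]
                    and later["path"] != ev["path"]
                    and posixpath.basename(later["path"]) == posixpath.basename(ev["path"])):
                moves.append({"time": later["time"], "user": ev["user"],
                              "src": ev["path"], "dst": later["path"]})
                break
    return moves


def chain_for_path(events, path):
    """Every audited operation on `path`, plus the name it was moved from or to,
    as (time, user, action, path) tuples: the hand-off for 'why did X move?'."""
    moves = infer_moves(events)
    names = {path}
    names |= {m["src"] for m in moves if m["dst"] == path}
    names |= {m["dst"] for m in moves if m["src"] == path}
    chain = [(ev["time"].isoformat(), ev["user"], ", ".join(ev["access"]), ev["path"])
             for ev in events if ev["path"] in names]
    chain += [(m["time"].isoformat(), m["user"], "MOVE", f'{m["src"]} -> {m["dst"]}')
              for m in moves if m["src"] in names or m["dst"] in names]
    return sorted(chain)


if __name__ == "__main__":
    for step in chain_for_path(parse_events(SAMPLE_XML), "/proj/archive/report.docx"):
        print(*step, sep="  ")
```

Replace SAMPLE_XML with the contents of an XML export to run it on real data; the window and the basename match are the two knobs to tune, and a DELETE with no matching create inside the window is a genuine deletion rather than a move, which is why the pairing breaks on the first match only.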

