
How To: Set up a Net Filer to produce the audit logs needed for ingest

To produce these logs, turn on the NetApp CIFS audit log. With auditing enabled, the appliance records user activity as users retrieve and store files on it. Here are some links that may be helpful.

https://kb.netapp.com/support/index?page=content&id=1011243
http://rawtechnology.blogspot.com/2013/05/enable-file-access-auditing-for-windows.html

See the second link above for some configuration options:

Audit file access events
options cifs.audit.file_access_events.enable {on | off}
Audit log-on/log-off events
options cifs.audit.logon_events.enable {on | off}
Audit account management events
options cifs.audit.account_mgmt_events.enable {on | off}

Enabling option #1 (file access events) will allow the analytics to find users who take files they don’t normally take.
Enabling option #2 (log-on/log-off events) will allow the analytics to find lateral movement as a threat actor explores different environments to see what they have access to.
Enabling option #3 (account management events) will allow the analytics to see sysadmin accounts when they have been compromised.
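
To confirm the settings before relying on the ingest, the following added example (not from the original article or from NetApp) parses the console listing printed by `options cifs.audit` and reports which detections are still blind. It assumes Data ONTAP 7-mode, where `cifs.audit.enable` is the master switch for CIFS auditing; the sample listing is constructed.

```python
import re

# The three options named in this article, mapped to the analytics each one feeds.
REQUIRED = {
    "cifs.audit.file_access_events.enable": "unusual file access by a user",
    "cifs.audit.logon_events.enable": "lateral movement via log-on/log-off events",
    "cifs.audit.account_mgmt_events.enable": "compromised sysadmin accounts",
}
# Assumption (7-mode): master switch; the per-category options record
# nothing while it is off.
MASTER = "cifs.audit.enable"

# Constructed sample of `options cifs.audit` output (not from a real filer).
SAMPLE = """\
cifs.audit.account_mgmt_events.enable on
cifs.audit.enable            off
cifs.audit.file_access_events.enable on
cifs.audit.logon_events.enable   off
"""

# One option per line: name, whitespace, value; anything after is ignored.
LINE = re.compile(r"^\s*(cifs\.audit\.[\w.]+)\s+(\S+)")

def parse_options(text):
    """Return {option_name: value} for every cifs.audit.* line in the listing."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found

def audit_gaps(text):
    """List (option, lost_detection) pairs for settings that block ingest."""
    opts = parse_options(text)
    gaps = []
    if opts.get(MASTER) != "on":
        # Master switch off or absent: every category is effectively silent.
        gaps.append((MASTER, "all CIFS audit events"))
    for name, detection in REQUIRED.items():
        if opts.get(name) != "on":  # "off" and "not listed" both count as a gap
            gaps.append((name, detection))
    return gaps

if __name__ == "__main__":
    for option, lost in audit_gaps(SAMPLE):
        print(f"options {option} on    # currently blind to: {lost}")
```
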
