IS Decisions Blog

How to see who last accessed or modified your Windows files

Need to find out who last accessed or modified your Windows files? Get the exact date and time of that last access, and set up alerts on suspicious behaviors.

Published April 23, 2019

As an important security and compliance measure, watch how you can easily identify activity on your most sensitive shared files and folders. With FileAudit you can see who last accessed or modified your Windows files. It not only gives you optimal visibility into what is happening to your organization’s data but the opportunity to react quickly to events.

Video Transcription

In this video, I’m going to show you how FileAudit can help you to actively monitor accesses on your shared files and folders.

Audit configuration

Here in the console of the FileAudit software, the first thing you do is go to audit configuration and select the most sensitive files and folders on your network that you wish to monitor. From there I can go directly into the File Access Viewer to see in real time all access on the shares that I’ve selected.

Find files last accessed or files last modified

So, I can see the date and time, the file or folder that was accessed or modified, the access type, whether or not it was denied or granted, the user who attempted to access/modify the file, the machine from where the access was made with its client IP address and the server where the file is stored.

Denied access activity

I can see easily from here that there are some denied accesses on Accounting and Peopleops, some very sensitive folders that contain internal and client data. I can now go ahead and take a closer look at this folder to see who has been accessing it.

Here I can see quickly again that these accesses are denied and they’re by the same user, Alice. I can also see that Alice has tried to access these files on separate occasions from different machines.

Because of that, I’m now going to take a closer look at Alice’s overall activity by clicking on her username to bring up a dashboard of all the activity from this user, from the last few days and weeks.

I can see there’s quite a lot of red flags here, once again some denied accesses on sensitive files such as Accounting and Peopleops. I can scroll down further and see all these accesses from all these files and folders that were read at the same time on the same day.

I can see that they happened simultaneously so that can lead me to believe that Alice is selecting a large number of files and copying them to an external drive or possibly to a desktop.

Now that I’ve got this drilled down view of Alice’s accesses I’m going to go ahead and export it into a PDF in case I want to send it to a manager, or in case any other alerts come up with this same user. I’m just going to save Alice’s report as a PDF.

Set alerts on suspicious behavior

The next step that I want to put in place is some proactive alerts in case these kinds of accesses happen again. I go back to the main menu and I’m going to access the alert tab. From here I can create my alerts.

The first thing I can do is create a single access alert for any more denied accesses on those sensitive folders that we saw, Accounting and Peopleops. I’m going to give the alert a name, “Denied access Alice.” I’m going to select the access status here, “denied.” I’ll leave all the access types and I’ll just enter the user Alice.

The next thing I’m going to do is select those two paths that we saw earlier, "Accounting and PeopleOps." I’ll add the first one, Accounting, and then I’m gonna add the second one. Just like that and validate that. I don’t want to exclude any hours from this alert, I want to be alerted 24 hours a day.

The next thing is to add the recipient for the email, the admin, and I’m also going to add a Slack channel where all my admins receive messages so they can see those as well. So now I’ve got that I’m going to save that alert.

The second alert I’m going to set up is going to be a mass access alert for Alice and this is due to the activity we saw on several files or folders being accessed at the same time showing that she could be copying or moving large amounts of data somewhere else.

I’m going to call this “Mass access Alice.” I’ll leave the access status and types, I’m just going to add here again our user Alice and I’m going to set a threshold, a fairly low threshold. I’m going to say if there are 25 files or folders that are accessed within the span of 30 seconds I’d like this alert to be triggered.

For the monitor paths, I can put everything that’s being audited because, as we saw earlier, these were still accesses that were on files that Alice is allowed to access. Again I’m not going to exclude any hours but I will add the email recipients, the same ones as before: the admin email and my Slack channel that receives all these alerts. So I validate that, I’ve saved that alert and now I’ve got my two alerts set up.
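
The two alert rules configured above (a single access alert on denied accesses to the sensitive folders, and a mass access alert at 25 files within 30 seconds), expressed as detection logic over constructed events. This is an added example, not FileAudit's code or output; the event fields, the server name `srv` and all paths are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

def _ev(sec, user, path, status="granted"):
    # Constructed sample event; the field names are assumptions, not FileAudit's schema.
    return {"time": datetime(2019, 4, 23, 9, 0, 0) + timedelta(seconds=sec),
            "user": user, "path": path, "status": status}

EVENTS = (
    [_ev(0, "alice", r"\\srv\Accounting\ledger.xlsx", "denied"),
     _ev(5, "bob", r"\\srv\Sales\q1.docx")]
    # 26 reads one second apart: the bulk-copy pattern described in the video.
    + [_ev(60 + i, "alice", rf"\\srv\Projects\doc{i}.pdf") for i in range(26)]
    # Ordinary activity: one file every 10 seconds.
    + [_ev(200 + 10 * i, "bob", rf"\\srv\Sales\f{i}.docx") for i in range(30)]
)

def denied_access_alerts(events, user, watched_folders):
    """Single access rule: every denied access by `user` under a watched folder."""
    # Trailing separator so \\srv\Accounting does not also match \\srv\AccountingOld.
    watched = [f.lower().rstrip("\\") + "\\" for f in watched_folders]
    return [e for e in events
            if e["user"] == user and e["status"] == "denied"
            and any(e["path"].lower().startswith(f) for f in watched)]

def mass_access_alerts(events, user, threshold=25, window_s=30):
    """Mass access rule: `threshold` distinct paths by `user` within `window_s` seconds."""
    window, alerts, armed = deque(), [], True
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["user"] != user:
            continue
        window.append(e)
        # Slide the window: drop events older than window_s relative to this one.
        while (e["time"] - window[0]["time"]).total_seconds() > window_s:
            window.popleft()
        distinct = {x["path"] for x in window}
        if len(distinct) < threshold:
            armed = True            # burst over, re-arm for the next one
        elif armed:
            alerts.append({"user": user, "at": e["time"], "files": len(distinct)})
            armed = False           # one alert per burst, not one per extra file
    return alerts

if __name__ == "__main__":
    print(denied_access_alerts(EVENTS, "alice", [r"\\srv\Accounting", r"\\srv\PeopleOps"]))
    print(mass_access_alerts(EVENTS, "alice"))
```

Counting distinct paths rather than raw events keeps repeated reads of one file from tripping the threshold, and the re-arm flag yields one alert per burst.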

Use file access monitoring to prevent a breach

So that’s how you can use FileAudit to see file accesses on your files or folders, generate reports and set up alerts to be proactive when suspicious behavior is happening on your network.

Thanks for watching.
