FileAudit Documentation

Database reference

FA_Events table.

The FileAudit database contains two tables. The first table is named FA_Events. The following fields are available in the table:

| Name | Type | Description |
| --- | --- | --- |
| Computer | String | NetBIOS name of the computer where the audited file/folder is located. |
| FileName | String | Path of the audited file/folder. |
| UserAccount | String | User account that accessed the file/folder. |
| DomainName | String | Domain of the user account that accessed the file/folder. |
| Process | String | Process used to access the file/folder. This field is only available if the access is made locally. |
| Accepted | Number | 1 = Allowed / 0 = Rejected |
| AccessRights | Number | Rights used to access the file/folder. See Appendix 1. |
| Privileges | Number | Privileges used to access the file/folder. See Appendix 2. |
| AccessId | Number | Access operation determined by FileAudit. See Appendix 3. |
| RecordNumber | Number | Event record number in the Microsoft Windows Security log. |
| EventTime | DateTime | Local date and time of the file/folder access. |
| EventLocalTime | DateTime | Field to ignore. Do not use. |
| ObjectType | Number | 0 = Unknown / 1 = Folder / 2 = File |
| ClientAddress | String | Reserved field for future use. |
| LogonId | String | Logon ID of the user access token used to access the file/folder. |
| Id | Number | Primary key, automatically incremented for every new record. |
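The FA_Events field list is enough to query the table for the things a defender usually wants out of a file-access audit: rejected attempts, deletions and accesses made with a privilege. The example below is added here and is not FileAudit's own code; it rebuilds the table in an in-memory SQLite database (the page does not say which database engine FileAudit uses, so the column types are an assumed mapping of String/Number/DateTime) and fills it with constructed sample rows whose AccessRights, Privileges and AccessId values follow Appendices 1 to 3.

```python
import sqlite3

# Table layout taken from the FA_Events field list. The SQLite column types are
# an assumption: the page only gives String/Number/DateTime and does not name
# the database engine FileAudit uses.
FA_EVENTS_DDL = """
CREATE TABLE FA_Events (
    Id             INTEGER PRIMARY KEY AUTOINCREMENT,
    Computer       TEXT,
    FileName       TEXT,
    UserAccount    TEXT,
    DomainName     TEXT,
    Process        TEXT,
    Accepted       INTEGER,
    AccessRights   INTEGER,
    Privileges     INTEGER,
    AccessId       INTEGER,
    RecordNumber   INTEGER,
    EventTime      TEXT,
    EventLocalTime TEXT,
    ObjectType     INTEGER,
    ClientAddress  TEXT,
    LogonId        TEXT
)
"""

INSERT_SQL = """
INSERT INTO FA_Events
    (Computer, FileName, UserAccount, DomainName, Process, Accepted,
     AccessRights, Privileges, AccessId, RecordNumber, EventTime, ObjectType, LogonId)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
"""

# Constructed sample rows, not real audit data. AccessRights and Privileges use
# the bit values of Appendix 1 and 2; AccessId uses the identifiers of Appendix 3.
# Process is NULL for the network accesses, as the field list says.
SAMPLE_ROWS = [
    ("FS01", r"D:\Shares\HR\salaries.xlsx", "alice", "CORP", None,
     1, 0x1, 0, 5, 1001, "2024-05-01 09:00:00", 2, "0x3E7A1"),
    ("FS01", r"D:\Shares\HR\salaries.xlsx", "bob", "CORP", None,
     0, 0x1, 0, 5, 1002, "2024-05-01 09:01:10", 2, "0x4F120"),
    ("FS01", r"D:\Shares\HR\salaries.xlsx", "bob", "CORP", None,
     0, 0x2, 0, 3, 1003, "2024-05-01 09:01:12", 2, "0x4F120"),
    ("FS01", r"D:\Shares\HR\old.docx", "alice", "CORP", None,
     1, 0x10000, 0, 0, 1004, "2024-05-01 09:05:00", 2, "0x3E7A1"),
    ("FS02", r"E:\Data\build", "svc_backup", "CORP",
     r"C:\Windows\System32\robocopy.exe",
     1, 0x1, 1 << 14, 5, 2001, "2024-05-01 09:10:00", 1, "0x1A2B3"),
]


def load_sample_db():
    """Create an in-memory FA_Events table and fill it with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FA_EVENTS_DDL)
    conn.executemany(INSERT_SQL, SAMPLE_ROWS)
    conn.commit()
    return conn


def rejected_access_by_account(conn, min_count=2):
    """Accounts with at least min_count rejected accesses (Accepted = 0),
    as [(domain\\user, count), ...] with the highest count first."""
    return conn.execute(
        """
        SELECT DomainName || '\\' || UserAccount AS account, COUNT(*) AS n
        FROM FA_Events
        WHERE Accepted = 0
        GROUP BY DomainName, UserAccount
        HAVING COUNT(*) >= ?
        ORDER BY n DESC, account
        """,
        (min_count,),
    ).fetchall()


def deletions(conn):
    """Delete/move/rename operations: AccessId = 0 per Appendix 3."""
    return conn.execute(
        "SELECT Computer, FileName, UserAccount, EventTime FROM FA_Events "
        "WHERE AccessId = 0 ORDER BY EventTime"
    ).fetchall()


def privileged_accesses(conn):
    """Accesses made with any Appendix 2 privilege (Privileges <> 0)."""
    return conn.execute(
        "SELECT Computer, FileName, UserAccount, Privileges, Process "
        "FROM FA_Events WHERE Privileges <> 0 ORDER BY Id"
    ).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("Rejected accesses:", rejected_access_by_account(db))
    print("Deletions:", deletions(db))
    print("Privileged accesses:", privileged_accesses(db))
```

The three queries use only the columns and value meanings the field list documents (Accepted, AccessId, Privileges, Process); against the real database the same SQL applies once the connection is pointed at FileAudit's engine.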

FA_LastEvents table.

This second table is used internally by FileAudit to know which events have not yet been scanned. This allows FileAudit to scan only new events.

| Name | Type | Description |
| --- | --- | --- |
| Computer | String | NetBIOS name of the computer where the audited file/folder is located. |
| RecordNumber | Number | Event record number of the last event scanned by FileAudit from the Microsoft Windows Security log. |
| EventTime | DateTime | Date and time (UTC) of the last event scanned by FileAudit from the Microsoft Windows Security log. |

Appendix 1 - AccessRights

The AccessRights field is a combination of the bits described in the following table. To make use of this field, you need to extract the individual bits.

| Bit | Flag | Description |
| --- | --- | --- |
| 0 | FILE_READ_DATA | List folder / read data |
| 1 | FILE_WRITE_DATA | Create files / write data |
| 2 | FILE_APPEND_DATA | Create folders / append data |
| 3 | FILE_READ_EA | Read extended attributes |
| 4 | FILE_WRITE_EA | Write extended attributes |
| 5 | FILE_EXECUTE | Traverse folder / execute file |
| 7 | FILE_READ_ATTRIBUTES | Read attributes |
| 8 | FILE_WRITE_ATTRIBUTES | Write attributes |
| 16 | DELETE | Delete |
| 17 | READ_CONTROL | Read permissions |
| 18 | WRITE_DAC | Change permissions |
| 19 | WRITE_OWNER | Take ownership |
| 20 | SYNCHRONIZE | |
| 24 | ACCESS_SYSTEM_SECURITY | |

Appendix 2 - Privileges

| Bit | Privilege | Description |
| --- | --- | --- |
| 5 | SeSecurityPrivilege | |
| 6 | SeTakeOwnershipPrivilege | |
| 14 | SeBackupPrivilege | |
| 15 | SeRestorePrivilege | |
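Appendix 1 says the AccessRights value has to be taken apart bit by bit, and the Privileges value of Appendix 2 is read the same way. The following example, added here and not part of FileAudit, does that extraction for both fields with one helper, names each documented bit, and reports any bit that is set but not listed in the appendices (bit 6 of AccessRights, for instance, is absent from Appendix 1) instead of silently dropping it. The set of "sensitive" rights in `SENSITIVE_RIGHTS` is this example's own choice for flagging rows worth a closer look, not a FileAudit classification.

```python
# Bit positions copied from Appendix 1 (AccessRights) and Appendix 2 (Privileges).
ACCESS_RIGHTS = {
    0: "FILE_READ_DATA",
    1: "FILE_WRITE_DATA",
    2: "FILE_APPEND_DATA",
    3: "FILE_READ_EA",
    4: "FILE_WRITE_EA",
    5: "FILE_EXECUTE",
    7: "FILE_READ_ATTRIBUTES",
    8: "FILE_WRITE_ATTRIBUTES",
    16: "DELETE",
    17: "READ_CONTROL",
    18: "WRITE_DAC",
    19: "WRITE_OWNER",
    20: "SYNCHRONIZE",
    24: "ACCESS_SYSTEM_SECURITY",
}

PRIVILEGES = {
    5: "SeSecurityPrivilege",
    6: "SeTakeOwnershipPrivilege",
    14: "SeBackupPrivilege",
    15: "SeRestorePrivilege",
}

# Rights that remove the object or change who may access it. This grouping is
# the example's own choice (assumption), not something FileAudit defines.
SENSITIVE_RIGHTS = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "ACCESS_SYSTEM_SECURITY"}


def decode_bits(value, table):
    """Split a bit mask into (names of documented bits, mask of undocumented bits)."""
    names = []
    leftover = value
    for bit in sorted(table):
        if value & (1 << bit):
            names.append(table[bit])
            leftover &= ~(1 << bit)
    return names, leftover


def decode_access_rights(value):
    """AccessRights (Appendix 1) -> (flag names, undocumented bits)."""
    return decode_bits(value, ACCESS_RIGHTS)


def decode_privileges(value):
    """Privileges (Appendix 2) -> (privilege names, undocumented bits)."""
    return decode_bits(value, PRIVILEGES)


def describe_access(access_rights, privileges):
    """One-line, human-readable summary of a row's AccessRights and Privileges."""
    rights, unknown_rights = decode_access_rights(access_rights)
    privs, unknown_privs = decode_privileges(privileges)
    parts = [", ".join(rights) or "(no documented rights)"]
    if unknown_rights:
        parts.append(f"undocumented rights bits 0x{unknown_rights:X}")
    if privs:
        parts.append("privileges: " + ", ".join(privs))
    if unknown_privs:
        parts.append(f"undocumented privilege bits 0x{unknown_privs:X}")
    return "; ".join(parts)


def is_sensitive_access(access_rights, privileges):
    """True if the access used a SENSITIVE_RIGHTS flag or any Appendix 2 privilege."""
    rights, _ = decode_access_rights(access_rights)
    privs, _ = decode_privileges(privileges)
    return bool(SENSITIVE_RIGHTS & set(rights)) or bool(privs)


if __name__ == "__main__":
    # 0x120089 sets bits 0, 3, 7, 17 and 20: a plain read of a file.
    print(describe_access(0x120089, 0))
    # 0x10000 is bit 16 (DELETE) with SeBackupPrivilege (bit 14) in use.
    print(describe_access(0x10000, 1 << 14), is_sensitive_access(0x10000, 1 << 14))
```

Keeping the undocumented leftover separate matters when filtering: a row whose AccessRights contains only bits the appendix does not list would otherwise decode to an empty name list and look like a harmless, empty access.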

Appendix 3 - AccessId

| Identifier | Operation | Description |
| --- | --- | --- |
| 0 | Delete | The file/folder was deleted, moved or renamed. |
| 1 | Ownership | A user took ownership of this file/folder. |
| 2 | Permissions | A user changed permissions on this file/folder. |
| 3 | Write | The file was opened in write mode. |
| 4 | Execute | The file is an executable and was executed by a user. |
| 5 | Read | The file was opened in read mode. |
| 6 | System | An attempt was made to read or write the system access control list of the file/folder. Typically this event just means that a user displayed the properties of the file/folder in Windows Explorer. |
| 7 | Write Attributes | A file attribute has been changed. |