Access Reports

FileAudit offers a set of predefined reports on file and folder access events, based on access types.

• All access events
  All events, without predefined filter
• Audited paths
  Quick filtering on one or more precise paths
• Windows servers
  All events from Windows servers
• Cloud Storage Providers
  All events from cloud storage (add-on Cloud required)
• File and folder changes
  All events of type Delete, Write, Write attributes, System, Permissions and Appropriation
• File rename
  All file rename events
• File moves
  All move events
• Files read
  All read events
• Files writes
  All write events
• Deleting files and folders
  All deletion events
• File executions
  All execution events

Denied accesses reports

FileAudit also offers reports on denied access:

• All denied access
• Denied file reads
• Denied file writings
• Denied deletions

Filters

To access the access report filter and perform a search action, click the "Filters" button. The filter form will appear. Select your criteria and apply the filter.

If filters are applied, the "Filters" button will indicate the number of filters applied.

The Server & Path filters

• Server: Display events from a specific server. All your audited Windows & Cloud servers will appear in this list. The Auto mode will automatically resolve the server if a path is entered.
• Object type: You can display events on files and/or folders.
• Path: You can display events on files and/or folders. Take note:
  • The ‘Path(s)’ field of the ‘Filter’ supports ‘*’ (any string) and ‘?’ (any character) wild characters.
  • If you enter a file/folder path not currently monitored, FileAudit will detect and propose that the audit configuration be set up via its wizard. Follow the different steps to configure the NTFS audit for this new path.
  • The multi paths selection is possible in the 'Path' field of the filter. First select 'Auto 'in the Server Box then you can write several paths, separated by ',' in the Edit Box of the Path.

The What filters

• Access type: Choose the desired access type(s). Read the full list of access types here.

The Who filters

• Domain: You can display events for a specific domain by typing its netbios name.
• Group: You can display events for members of a specific Active Directory group.
• User: You can display events for a specific Active Directory user.

An advanced syntax allows you to exclude or include multiple users in the Group and User fields. See below for more details.

Please note:

• Groups without users are not allowed (e.g., a group of machines).
• Groups of sub-domains or parent domains are not supported.
• If the service just (re-)started, it needs some time to build the list of groups. As a consequence, during this timelapse, any selection will be denied (generally a matter of seconds).

The Source filters

• Client IP Address: This allows you to specify the IP address of the machine from which the access has been performed (if the access is performed through the network).
• Client name: This allows you to specify the name of the machine from which the access has been performed (if the access is performed through the network).
• Process: This allows you to specify the name of the process generating the access attempt (if the file/folder is accessed locally - i.e. on the machine hosting the file/folder).

You can reset all filter configuration options to default by clicking on the 'Reset' button.

Include or exclude users

User and Group filters can be used to include or exclude users from the results. To include more than one user or group, separate entries with commas. To exclude an user or a group, enter the minus sign before the group name or the user name.

Status bar

The status bar indicates which filters are enabled for the current view. Furthermore, if you re-open the Filter display, your previously selected filter criteria will still be visible:

• Reporting
  • Summary reports
  • Access reports
  • Permissions reports
  • Detailed views by user or path
  • Print or export a report
  • Favorite Reports