FileAudit offers a set of predefined reports on file and folder access events, based on access types.
- All access events
All events, without predefined filter
- Audited paths
Quick filtering on one or more precise paths
- Windows servers
All events from Windows servers
- Cloud Storage Providers
All events from cloud storage (add-on Cloud required)
- File and folder changes
All events of type Delete, Write, Write attributes, System, Permissions and Appropriation
- File rename
All file rename events
- File moves
All move events
- Files read
All read events
- Files writes
All write events
- Deleting files and folders
All deletion events
- File executions
All execution events
Denied accesses reports
FileAudit also offers reports on denied access:
- All denied access
- Denied file reads
- Denied file writings
- Denied deletions
To access the access report filter and perform a search action, click the "Filters" button. The filter form will appear. Select your criteria and apply the filter.
If filters are applied, the "Filters" button will indicate the number of filters applied.
The Server & Path filters
- Server: Display events from a specific server. All your audited Windows & Cloud servers will appear in this list. The Auto mode will automatically resolve the server if a path is entered.
- Object type: You can display events on files and/or folders.
- Path: You can display events on files and/or folders. Take note:
- The ‘Path(s)’ field of the ‘Filter’ supports ‘*’ (any string) and ‘?’ (any character) wild characters.
- If you enter a file/folder path not currently monitored, FileAudit will detect and propose that the audit configuration be set up via its wizard. Follow the different steps to configure the NTFS audit for this new path.
- The multi paths selection is possible in the 'Path' field of the filter. First select 'Auto 'in the Server Box then you can write several paths, separated by ',' in the Edit Box of the Path.
The What filters
- Access type: Choose the desired access type(s). Read the full list of access types here.
The Who filters
- Domain: You can display events for a specific domain by typing its netbios name.
- Group: You can display events for members of a specific Active Directory group.
- User: You can display events for a specific Active Directory user.
An advanced syntax allows you to exclude or include multiple users in the Group and User fields. See below for more details.
- Groups without users are not allowed (e.g., a group of machines).
- Groups of sub-domains or parent domains are not supported.
- If the service just (re-)started, it needs some time to build the list of groups. As a consequence, during this timelapse, any selection will be denied (generally a matter of seconds).
The Source filters
- Client IP Address: This allows you to specify the IP address of the machine from which the access has been performed (if the access is performed through the network).
- Client name: This allows you to specify the name of the machine from which the access has been performed (if the access is performed through the network).
- Process: This allows you to specify the name of the process generating the access attempt (if the file/folder is accessed locally - i.e. on the machine hosting the file/folder).
You can reset all filter configuration options to default by clicking on the 'Reset' button.
Include or exclude users
User and Group filters can be used to include or exclude users from the results. To include more than one user or group, separate entries with commas. To exclude an user or a group, enter the minus sign before the group name or the user name.
All accesses of Sales and Marketing group members will be displayed.
Accesses of Everyone except Marketing group members will be displayed.
Inclusion + exclusion example
All accesses of Sales group members will be displayed, except for users also members of Managers group.
If there are no common members betweenSales and Managers groups, it will include all Sales members. If all members of Sales are members of Managers, no data will be displayed.
The status bar indicates which filters are enabled for the current view. Furthermore, if you re-open the Filter display, your previously selected filter criteria will still be visible: