The Main tab groups the different filters of the Reports rule.
The first step is to define a name that will appear later in its Scheduled report hub tile.
The 'Raw data' switch permits to enable/disable the generation of this report in CSV format.
You can then define different filters, grouped by categories:
The What filters
- Access Status: specify whether the report will be on successful or denied access attempts, or both.
- Object type: specify if the report will display access events on files and/or folders.
Access type: specify the type of access events required to display in the report:
- (Select All): All types of access events will initiate the alert.
- Delete: A user tried to delete a file/folder.
- Ownership: A user tried to take ownership on the file/folder
- Permissions: A user tried to change the permissions on the file/folder.
- Write: A user tried to modify a file.
- Execute: A user tried to execute an executable file.
- Read: A user tried to open a file in ‘Read’ mode.
- System: An attempt to read or write the System Access Control List (SACL), i.e. the audit entries of the file/folder. (Pre-Vista only).
- Write attributes: A user tried to modify a file attribute (like Read-only or Hidden checkboxes).
- Other: Composite events, where an event can be a combination of several access events - e.g. Write and read or Delete and read, etc. (Windows 2003 Server only)
Take note that the event is generated for an attempted access. If a user without enough privileges attempts to delete a file on a monitored folder, you will be alerted of a ‘Delete’ event with a status ‘Denied’.
The Who filters
- Domain: filter accesses for a specific Active Directory domain.
- Group: filter accesses for members of a specific Active Directory group.
- User: filter accesses generated by a specific Active Directory user.
An advanced syntax allows you to exclude or include multiple users in the Group and User fields. See below for more details.
- Groups without users are not allowed (e.g., a group of machines).
- Groups of sub-domains or parent domains are not supported.
- If the service just (re-)started, it needs some time to build the list of groups. As a consequence, during this timelapse, any selection will be denied (generally a matter of seconds).
The Source filters
- Client IP Address: specify the IP address of the machine from which the access has been performed (if the access is performed through the network).
- Client name: specify the name of the machine from which the access has been performed (if the access is performed through the network).
- Process: specify the name of the process generating the access attempt (if the file/folder is accessed locally).
Include or exclude users
User and Group filters can be used to include or exclude users from the results. To include more than one user or group, separate entries with commas. To exclude an user or a group, enter the minus sign before the group name or the user name.
All accesses of Sales and Marketing group members will be displayed.
Accesses of Everyone except Marketing group members will be displayed.
Inclusion + exclusion example
All accesses of Sales group members will be displayed, except for users also members of Managers group.
If there are no common members betweenSales and Managers groups, it will include all Sales members. If all members of Sales are members of Managers, no data will be displayed.