ProTip – Utilizing STEALTHbits to Move Away from Relying on Native File System Logging


If you have been following our four-part blog series, “Challenges with Relying on Native File System Logging”, you have seen some of the many challenges of auditing and collecting file activity natively. The series will also be followed by a webinar. If you haven’t seen any of the posts, be sure to check them out:

In this month’s Pro-Tip, we will walk through how you can use the STEALTHbits File Activity Monitor to cut down on the noisy events that native logging produces, and how you can analyze the consolidated events through other outputs.

Our activity monitor, formally known as the STEALTHbits Activity Monitor, frees you from the challenges of native logging. Specifically, those challenges include in-depth auditing and searching, recognizing permission changes, and the noise that comes with enabling auditing natively. For example, the following scenario was called out in our blog series:

  1. A user opens a Microsoft Word document on a file share
  2. The user edits the document
  3. The user saves and closes the document

Table 1 (not reproduced here): number of Windows events, by event ID, generated when opening, editing, saving and closing a Word document.

The number of events from this simple scenario shows how noisy native logging can be, and with that much noise it is hard to search for meaningful events and drive real analytics. If you already use the STEALTHbits Activity Monitor, you know how consolidated the events are and how much flexibility you have over which file activity events you monitor and where they end up. You can manage all of your platforms (Windows, NetApp, EMC, etc.) from one utility and customize your operations, account exclusions and even path filtering.
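To make the consolidation idea concrete, here is an added Python example; it is not STEALTHbits code and does not show how the Activity Monitor is implemented. It takes a constructed set of native Windows file-audit events (event IDs 4656, 4663, 4658, 4660 and 4670 are the standard object-access and permission-change events that file auditing produces) and applies the three knobs mentioned above, operations, account exclusions and path filtering, before collapsing what remains into one activity record per account, file and time window. The sample event lines, the `CORP\svc-*` and `~$` patterns and the five-minute merge window are assumptions chosen for illustration.

```python
"""Consolidate noisy native Windows file-audit events into activity records.

Added example, not STEALTHbits code. SAMPLE_EVENTS is constructed; the filter
patterns and merge window are assumptions, not the product's actual logic.
"""
from datetime import datetime, timedelta
from fnmatch import fnmatch

# 4656/4658 are handle open/close bookkeeping with no access of their own and
# are dropped; 4663 is the real access attempt, and its access type names the
# operation; 4660 is an object delete and 4670 a permission (DACL) change.
ACCESS_TO_OP = {"ReadData": "read", "WriteData": "write", "DELETE": "delete"}
EVENT_TO_OP = {4660: "delete", 4670: "permission change"}
DROP_EVENT_IDS = {4656, 4658}

# Constructed sample (timestamp, event ID, account, object, access type): the
# churn one user produces opening, editing, saving and closing a Word file,
# plus Word's ~$ owner-lock file, a backup service account's read, and a later
# re-open that should land in a separate record.
SAMPLE_EVENTS = [
    ("2020-01-01T09:00:00", 4656, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "ReadData"),
    ("2020-01-01T09:00:00", 4663, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "ReadData"),
    ("2020-01-01T09:00:00", 4663, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "ReadData"),
    ("2020-01-01T09:00:01", 4658, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", ""),
    ("2020-01-01T09:00:01", 4656, "CORP\\alice", "\\\\fs1\\share\\~$3plan.docx", "WriteData"),
    ("2020-01-01T09:00:01", 4663, "CORP\\alice", "\\\\fs1\\share\\~$3plan.docx", "WriteData"),
    ("2020-01-01T09:00:01", 4658, "CORP\\alice", "\\\\fs1\\share\\~$3plan.docx", ""),
    ("2020-01-01T09:02:30", 4656, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "WriteData"),
    ("2020-01-01T09:02:30", 4663, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "WriteData"),
    ("2020-01-01T09:02:30", 4663, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "WriteData"),
    ("2020-01-01T09:02:31", 4658, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", ""),
    ("2020-01-01T09:02:32", 4663, "CORP\\svc-backup", "\\\\fs1\\share\\Q3plan.docx", "ReadData"),
    ("2020-01-01T09:02:33", 4670, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", ""),
    ("2020-01-01T09:20:00", 4663, "CORP\\alice", "\\\\fs1\\share\\Q3plan.docx", "ReadData"),
]

ALL_OPERATIONS = {"read", "write", "delete", "permission change"}


def to_operation(event_id, access_type):
    """Map one raw event to a logical operation, or None if it carries none."""
    if event_id in DROP_EVENT_IDS:
        return None
    if event_id in EVENT_TO_OP:
        return EVENT_TO_OP[event_id]
    if event_id == 4663:
        return ACCESS_TO_OP.get(access_type)
    return None


def _matches_any(value, patterns):
    """Case-insensitive glob match so filters behave the same off Windows."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def consolidate(events, *, operations, excluded_accounts=(), excluded_paths=(),
                window=timedelta(minutes=5)):
    """Collapse raw events into one record per (account, object, time window).

    operations        -- logical operations to keep (the "operations" knob)
    excluded_accounts -- glob patterns for accounts to drop (account exclusions)
    excluded_paths    -- glob patterns for objects to drop (path filtering)
    window            -- idle gap after which the same account/object starts
                         a new record (assumed value, not a product setting)
    """
    records = []       # finished records in time order
    open_records = {}  # (account, path) -> record still accepting events
    for ts_text, event_id, account, path, access in sorted(events):
        op = to_operation(event_id, access)
        if op is None or op not in operations:
            continue
        if _matches_any(account, excluded_accounts) or _matches_any(path, excluded_paths):
            continue
        ts = datetime.fromisoformat(ts_text)
        key = (account, path)
        rec = open_records.get(key)
        if rec is None or ts - rec["last"] > window:
            rec = {"account": account, "path": path, "operations": [],
                   "first": ts, "last": ts, "raw_events": 0}
            records.append(rec)
            open_records[key] = rec
        if op not in rec["operations"]:
            rec["operations"].append(op)
        rec["last"] = ts
        rec["raw_events"] += 1
    return records


def summarize(records):
    """One line per record, the way a consolidated activity feed shows it."""
    return [f'{r["first"]:%H:%M:%S}-{r["last"]:%H:%M:%S} {r["account"]} '
            f'{", ".join(r["operations"])} {r["path"]} ({r["raw_events"]} raw events)'
            for r in records]


if __name__ == "__main__":
    recs = consolidate(SAMPLE_EVENTS, operations=ALL_OPERATIONS,
                       excluded_accounts=["CORP\\svc-*"], excluded_paths=["*\\~$*"])
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(recs)} activity records")
    for line in summarize(recs):
        print(line)
```

With the exclusions applied, the fourteen raw events reduce to two records: one showing that alice read, wrote and changed permissions on `Q3plan.docx` between 09:00:00 and 09:02:33, and one for her separate re-open at 09:20:00. The backup service account and the `~$` lock file never reach the output, which is the point of account exclusions and path filtering; narrowing `operations` to `{"permission change"}` alone leaves only the 4670 event, which is the kind of quick question native logs make hard to answer.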

Some of our customers using the activity monitor even save on monthly SIEM costs by switching over from native logging. Platforms like QRadar and Splunk already have pre-built STEALTHbits dashboards available in their app stores that you can implement seamlessly.

While the utility has a search capability of its own, most users consume this data in reports from StealthAUDIT or in real-time analytics from StealthDEFEND. In either case, the monitor gives you more context around permission changes in your environment, and you see consolidated events coming in rather than all the noise you would see auditing native logs. Quick searches on a user’s file activity, or on the activity against a share, put you at ease when investigating suspicious activity or reconstructing what happened in a particular scenario. As mentioned above, several of our platforms extend the STEALTHbits Activity Monitor with a user-friendly interface for real-time analytics and reporting.

Interested in moving away from those frustrating native logs? Check out the STEALTHbits Activity Monitor and see how it can improve your file activity monitoring, as it already does for our current customers.
