

How File Integrity Monitor (FIM) handles actions performed on a network share

Created by Seamus.Enright, last modified by MindTouch on Jun 23, 2016


Overview

This article describes how File Integrity Monitor (FIM) handles actions performed on a network share. 

Environment

All versions of LEM

Details

The current version of the KD (SWFsFltr.sys v1.1.0.12) handles actions performed on a network share as follows:

Action                    SourceAccount in invoked event
FILE Create               User who performed the action
FILE Read                 NT AUTHORITY\SYSTEM
FILE Write                User & NT AUTHORITY\SYSTEM (one event from the user + several from SYSTEM)**
                          IMPORTANT: some applications invoke SYSTEM user events only!
FILE Delete               User who performed the action
DIR Create                User who performed the action
DIR Delete                User who performed the action
DIR Read*                 NT AUTHORITY\SYSTEM
Permissions (ACL) Read    User & NT AUTHORITY\SYSTEM
Permissions (ACL) Write   User who performed the action
Metadata Read             User & NT AUTHORITY\SYSTEM
Metadata Write            User who performed the action

Note: "Metadata Write" events closely follow "FILE Write" events. Use them to keep track of the username when the OS generates only SYSTEM-attributed "FILE Write" events.

Notes:

  • * DIR Read events are received by enabling the File Read operation in the connector.
  • ** Depending on the application used to update a file, some invoke at least one user-attributed event (for example, Notepad++), while others spawn SYSTEM events exclusively (for example, Paint).
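Correlation logic for the note above, added here as an example and not LEM's own code: it attributes SYSTEM-only FILE Write events to the nearest user-attributed Metadata Write on the same path, and also falls back to the user's own FILE Write for the "one event from the user + several from SYSTEM" case. The FimEvent field names, the 5-second window and the sample event stream are assumptions, not LEM's connector schema or real output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SYSTEM = "NT AUTHORITY\\SYSTEM"

@dataclass
class FimEvent:
    # Hypothetical flattened event shape; field names are an assumption,
    # not LEM's real connector schema.
    ts: datetime
    action: str        # e.g. "FILE Write", "Metadata Write"
    path: str
    source_account: str

def attribute_file_writes(events: List[FimEvent],
                          window: timedelta = timedelta(seconds=5)
                          ) -> List[Tuple[FimEvent, Optional[str]]]:
    """Pair every FILE Write with the account that most likely caused it.
    A write already carrying a user account keeps it. A SYSTEM-attributed
    write borrows the account from the nearest user-attributed Metadata
    Write (the article's hint) or user-attributed FILE Write on the same
    path within `window`; None if nothing matches (worth alerting on)."""
    anchors = [e for e in events
               if e.action in ("Metadata Write", "FILE Write")
               and e.source_account != SYSTEM]
    out = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.action != "FILE Write":
            continue
        if e.source_account != SYSTEM:
            out.append((e, e.source_account))
            continue
        near = [a for a in anchors
                if a.path == e.path and abs(a.ts - e.ts) <= window]
        best = min(near, key=lambda a: abs(a.ts - e.ts), default=None)
        out.append((e, best.source_account if best else None))
    return out

# Constructed sample stream (not real LEM output): Paint-style SYSTEM-only
# writes followed by a user metadata write, a Notepad++-style user write
# followed by a SYSTEM write, and one SYSTEM write nothing can explain.
T0 = datetime(2016, 6, 23, 10, 0, 0)
SHARE = r"\\fileserver\share"
SAMPLE_EVENTS = [
    FimEvent(T0, "FILE Write", SHARE + r"\report.docx", SYSTEM),
    FimEvent(T0 + timedelta(milliseconds=200), "FILE Write", SHARE + r"\report.docx", SYSTEM),
    FimEvent(T0 + timedelta(milliseconds=350), "Metadata Write", SHARE + r"\report.docx", "CORP\\alice"),
    FimEvent(T0 + timedelta(seconds=30), "FILE Write", SHARE + r"\notes.txt", "CORP\\bob"),
    FimEvent(T0 + timedelta(seconds=31), "FILE Write", SHARE + r"\notes.txt", SYSTEM),
    FimEvent(T0 + timedelta(seconds=90), "FILE Write", SHARE + r"\orphan.bin", SYSTEM),
]

if __name__ == "__main__":
    for ev, who in attribute_file_writes(SAMPLE_EVENTS):
        print(ev.ts.time(), ev.path, "->", who or "UNATTRIBUTED (alert candidate)")
```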
