
Monitor when a user tries to access a file for which they don't have permissions

Created by Jason Dee, last modified by Abdul.Aziz on Jan 02, 2019


updated 2nd Jan 2019

Overview

This article details how to configure a LEM email alert for the audit event generated when a user tries to open a file or folder that they do not have access to, where accessing the file or folder throws an Access Denied error in Windows Explorer.

Environment

  • All versions of LEM

Detail

Due to the nature of Windows file auditing, finding events for this specific scenario can be tricky. The steps below are generic, and these are not the only filter conditions you can use.

  1. You may first want to check the FileAuditFailure event details in the Monitor tab by setting a filter specific to this event type.
  2. Next, highlight the event and find the event details in the bottom-right pane. Not all events will have fields and values matching the data. A sample event may have data like below, although some fields may differ in your case due to OS version, auditing policies, etc.
  3. Always start with one condition and, once the rule starts to fire, build additional filter conditions like below.

 

 

Note: To actually generate these events, your Windows Audit Policy must be monitoring Failures for the File System and Handle Manipulation subcategories. You will also need to adjust the auditing on the files/folders in question to monitor failures for File Execution.
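The prerequisites in the note above can be applied from an elevated PowerShell session on the monitored Windows host. This is an added example, not part of the original article; the folder path and the audited principal are placeholder assumptions.

```powershell
# Added example: run elevated on the Windows host whose files LEM monitors.
# $Path and $Principal are placeholder assumptions; substitute your own values.
$Path      = 'D:\Shares\Finance'   # hypothetical folder to audit
$Principal = 'Everyone'            # record failures from any account
$SubCats   = 'File System', 'Handle Manipulation'

# 1. Enable failure auditing for the two subcategories named in the note.
foreach ($sub in $SubCats) {
    auditpol /set /subcategory:"$sub" /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# 2. Add a failure audit entry (SACL) for file execution on the folder,
#    inherited by the subfolders and files beneath it.
$acl  = Get-Acl -Path $Path -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Confirm the effective policy and the audit entries now on the folder.
foreach ($sub in $SubCats) { auditpol /get /subcategory:"$sub" }
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

If the audit policy is deployed through Group Policy, a local `auditpol /set` change is overwritten at the next policy refresh, so make the same change in the GPO instead.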

 

Refer to "Troubleshoot LEM rules that are not sending emails or not firing" for the general rule troubleshooting guide, which applies to every type of rule not firing.

 

 
