Submit a ticketCall us

Systems Monitoring for Dummies
Our new eBook will teach you the fundamentals and help you create monitors and alerts that are effective, meaningful, and actionable. Monitoring is more than a checkbox on your to-do list. This free eBook will give you practical advice to help you succeed in all aspects of monitoring – discovery, alerting, remediation, and troubleshooting. Don’t miss out on this indispensable resource for newbies, experienced IT pros, and everyone in between. Register Now.

Home > Success Center > Log & Event Manager (LEM) > Monitor when a user tries to access a file for which they don't have permissions

Monitor when a user tries to access a file for which they don't have permissions

Table of contents
Created by Jason Dee, last modified by Jason Dee on Dec 07, 2016

Views: 161 Votes: 0 Revisions: 6

Overview

This article details how to audit events where a user tries to open a file or folder they have been denied access to.

Environment

All versions of LEM 

Detail

Due to the nature of Windows auditing, finding events for this specific scenario can be tricky. Try searching or creating a rule with the following conditions:

 

 

Note: To actually generate these events, your Windows Audit Policy must be monitoring Failures for the File System and Handle Manipulation subcategories. You will also need to adjust the auditing on the files/folders in question to montior failures for File Execution.

 

 

Last modified

Tags

Classifications

Public