


Monitor when a user tries to access a file for which they don't have permissions

Created by Jason Dee, last modified by Jason Dee on Dec 07, 2016


Overview

This article details how to audit events where a user tries to open a file or folder they have been denied access to.

Environment

All versions of LEM 

Detail

Due to the nature of Windows auditing, finding events for this specific scenario can be tricky. Try searching or creating a rule with the following conditions:

 

 

Note: To generate these events, your Windows Audit Policy must be monitoring Failures for the File System and Handle Manipulation subcategories. You will also need to adjust the auditing on the files/folders in question to monitor failures for File Execution.
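One way to apply the settings in the note above from an elevated PowerShell prompt. This is an added example, not part of the original article. The folder path, the `Everyone` principal, the mapping of "File Execution" to the `ExecuteFile` right, and the check for Security event 4656 are assumptions; the subcategory names are those used on English-language Windows.

```powershell
# Added example. Run elevated (changing a SACL needs SeSecurityPrivilege).
# $Path is a placeholder; point it at the file or folder you want to monitor.
$Path = 'D:\Shares\Finance'

# 1. Audit policy: log Failures for the two subcategories named in the note.
auditpol /set /subcategory:"File System" /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /failure:enable
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"

# 2. Object auditing (SACL): record failed "execute file" attempts.
#    Inheritance flags are only valid on folders, so a single file gets None.
$inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    [System.Security.AccessControl.InheritanceFlags]::None
}

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',                                                   # assumed principal
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile, # assumed mapping
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

# -Audit is required, otherwise Get-Acl returns the descriptor without its SACL.
$acl = Get-Acl -LiteralPath $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Confirm the audit entry is present on the object.
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 3. After a test user has been denied access, look for failed handle requests
#    in the Security log (4656 = "A handle to an object was requested";
#    keyword 0x10000000000000 = Audit Failure).
Get-WinEvent -FilterHashtable @{
        LogName  = 'Security'
        Id       = 4656
        Keywords = 0x10000000000000
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, MachineName -First 10
```

If step 3 returns nothing after a denied attempt, check that a domain Group Policy is not overwriting the local audit policy set in step 1.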

 

 

Last modified
16:15, 7 Dec 2016
