File access alert based on file name.
I'm trying to configure an alert for file access to a specific file by anyone other than a specific user. I'm using Security_560_Security as the message to alert on. I'm having trouble determining what variable to use for the file name. The way it is listed in the message is "Object Name: <misc_name>." However, when I use Miscellaneous Name as the variable, and the file location as the value, I don't get any results. None of the other variables seem to be right.
where misc_name in ('\XXX\XXXX\XXXX\xxx.txt') and Client User Name not in ('username')
Thanks for your help.
You're on the right track - the 'misc_name' variable should be your target.
Remember that reports and alerts can be case-sensitive, and also that there are many versions of some messages, to ensure support for the various Windows versions.
You may want to run a test query (from the Global or Windows Accounting table) to locate a sample event.
In the "Message ID" field for the query use LIKE 'Security_560%' to ensure that you're capturing the right messageID, and use LIKE '%txt' in the "misc_name" column.
Once you've nailed it, you can copy/paste the values into your rule.
Also, can you provide the version of enVision that you're running?
I'm not too sure if you get a Message ID as default from Windows for actions performed on a file.
What you can do is set up Windows Auditing on those specific files / folders. Then anything that happens to these files / folders will come under Message ID "4656" for Windows 2008 and "560" for Windows 2003.
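The matching logic discussed in this thread, as an added example that is not part of any post and is not enVision's own code: it compares the Object Name and user fields of 560-style events case-insensitively, the way the LIKE '%txt' test query is meant to find the real stored value. The sample events, paths, user names, tab-separated layout and function names are constructed for illustration; treating a Client User Name of "-" as "use Primary User Name instead" is an assumption about how 560 events record local access.

```python
import re
from fnmatch import fnmatchcase

# Fields of interest in a 560-style message (assumed layout: "Name: value" separated by tabs)
FIELD_RE = re.compile(r"(Object Name|Primary User Name|Client User Name):\s*([^\t\r\n]+)")

# Constructed sample events; not taken from the thread or from a real system
SAMPLE_EVENTS = ["\t".join(fields) for fields in [
    (r"Object Name: D:\Share\Finance\Payroll.TXT", "Primary User Name: FS01$", "Client User Name: jsmith"),
    (r"Object Name: D:\Share\Finance\payroll.txt", "Primary User Name: FS01$", "Client User Name: SvcBackup"),
    (r"Object Name: D:\Share\Finance\notes.txt", "Primary User Name: FS01$", "Client User Name: jsmith"),
    (r"Object Name: D:\Share\Finance\payroll.txt", "Primary User Name: adoe", "Client User Name: -"),
]]

def parse_fields(message):
    """Extract the object name and user fields from one event message."""
    return {name: value.strip() for name, value in FIELD_RE.findall(message)}

def normalize(value):
    # Windows paths and account names are case-insensitive, so compare casefolded
    return value.casefold()

def unauthorized_access(events, watched_pattern, allowed_users):
    """Return (user, path) for each open of the watched file by a user not allowed."""
    allowed = {normalize(u) for u in allowed_users}
    pattern = normalize(watched_pattern)
    hits = []
    for message in events:
        fields = parse_fields(message)
        path = fields.get("Object Name")
        user = fields.get("Client User Name")
        if user in (None, "-"):
            # Assumption: "-" means no impersonation, so the primary user is the actor
            user = fields.get("Primary User Name")
        if path is None or user is None:
            continue  # not a file-open event this rule can evaluate
        if fnmatchcase(normalize(path), pattern) and normalize(user) not in allowed:
            hits.append((user, path))
    return hits

if __name__ == "__main__":
    for user, path in unauthorized_access(SAMPLE_EVENTS, r"*\finance\payroll.txt", ["svcbackup"]):
        print(f"ALERT: {user} opened {path}")
```

A rule that only tests `Client User Name not in ('username')` would also fire on every event where that field is "-", which is why the fallback matters when tuning the alert.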