Audit Message Workflows
This section shows the audit messages expected for typical file action workflows, to assist with auditing applications and user file access.
The Turbo Audit workflows cover tested file actions with Turbo Audit enabled. This is the default configuration.
- Audit Message Workflows with Turbo Audit - SMB
- SMB (Turbo Audit): Create a File
- SMB (Turbo Audit): Rename a File
- SMB (Turbo Audit): Write to a File
- SMB (Turbo Audit): Delete a File
- SMB (Turbo Audit): Create a Folder
- SMB (Turbo Audit): Delete a Folder
- SMB (Turbo Audit): Rename a Folder
- SMB (Turbo Audit): Set ACL of a file
- SMB (Turbo Audit): Set ACL of a Directory
- SMB (Turbo Audit): User with Read-Only ACL open a File
- Audit Message Workflows with Turbo Audit - NFS
- NFS (Turbo Audit): Create a File
- NFS (Turbo Audit): Rename a File
- NFS (Turbo Audit): Write to a File
- NFS (Turbo Audit): Delete a File
- NFS (Turbo Audit): Create a Folder
- NFS (Turbo Audit): Delete a Folder
- NFS (Turbo Audit): Rename a Folder
- NFS (Turbo Audit): Modify ACL of a file
- NFS (Turbo Audit): Modify ACL of a Directory
Audit Message Workflows with Turbo Audit - SMB
Workflow Description | File Audit Messages Expected |
SMB (Turbo Audit): Create a File | S_FILE_CREATE ..\parent_dir\desktop.ini FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name FILE_WRITE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\ DIR_OPEN ..\parent_dir\ FILE_CREATE ..\parent_dir\dir_name\file_name |
SMB (Turbo Audit): Rename a File | S_FILE_CREATE ..\parent_dir\desktop.ini DIR_CLOSE ..\parent_dir\ FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_RENAME ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\ FILE_CLOSE ..\parent_dir\dir_name\file_name |
SMB (Turbo Audit): Write to a File | FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name FILE_WRITE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\ DIR_OPEN ..\parent_dir\ FILE_READ ..\parent_dir\dir_name\file_name FILE_OPEN_WRITE ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\ DIR_OPEN ..\parent_dir\ FILE_READ ..\parent_dir\dir_name\file_name FILE_OPEN_WRITE ..\parent_dir\dir_name\file_name |
SMB (Turbo Audit): Delete a File | S_FILE_CREATE ..\parent_dir\desktop.ini FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_DELETE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\ DIR_OPEN ..\parent_dir\ |
SMB (Turbo Audit): Create a Folder | S_FILE_CREATE ..\parent_dir\desktop.ini DIR_CLOSE ..\parent_dir\dir_name\new_dir_name DIR_CREATE ..\parent_dir\dir_name\new_dir_name |
SMB (Turbo Audit): Delete a Folder | S_FILE_CREATE ..\parent_dir\desktop.ini DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_DELETE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name |
SMB (Turbo Audit): Rename a Folder | S_FILE_CREATE ..\parent_dir\desktop.ini DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_RENAME ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name |
SMB (Turbo Audit): Set ACL of a file | FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_SET_ACL ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name |
SMB (Turbo Audit): Set ACL of a Directory | DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_SET_ACL ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name S_FILE_CREATE ..\parent_dir\desktop.ini DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_CREATE ..\parent_dir\dir_name\current_dir_name |
SMB (Turbo Audit): User with Read-Only ACL open a File | FILE_CLOSE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\dir_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_OPEN_NOACCESS ..\parent_dir\dir_name\file_name FILE_OPEN_READ ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name S_FILE_CREATE ..\parent_dir\dir_name\desktop.ini |
Audit Message Workflows with Turbo Audit - NFS
Workflow Description | File Audit Messages Expected |
NFS (Turbo Audit): Create a File | DIR_CLOSE ..\parent_dir\dir_name FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name FILE_WRITE ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_CREATE ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Rename a File | DIR_CLOSE ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name FILE_RENAME ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Write to a File | DIR_CLOSE ..\parent_dir\dir_name FILE_DELETE ..\parent_dir\dir_name\file_name.swp FILE_DELETE ..\parent_dir\dir_name\file_name~ FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name FILE_SET_ACL ..\parent_dir\dir_name\file_name FILE_WRITE ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_CREATE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\dir_name FILE_RENAME ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\dir_name FILE_DELETE ..\parent_dir\dir_name\tempfile FILE_SET_ACL ..\parent_dir\dir_name\tempfile FILE_CLOSE ..\parent_dir\dir_name\tempfile FILE_SET_ACL ..\parent_dir\dir_name\tempfile FILE_CLOSE ..\parent_dir\dir_name\tempfile FILE_CLOSE ..\parent_dir\dir_name\tempfile FILE_CREATE ..\parent_dir\dir_name\tempfile FILE_CLOSE_MODIFIED ..\parent_dir\dir_name\file_name.swp FILE_CLOSE ..\parent_dir\dir_name\file_name.swp FILE_SET_ACL ..\parent_dir\dir_name\file_name.swp FILE_WRITE ..\parent_dir\dir_name\file_name.swp FILE_CLOSE ..\parent_dir\dir_name\file_name.swp FILE_SET_ACL ..\parent_dir\dir_name\file_name.swp FILE_CLOSE ..\parent_dir\dir_name\file_name.swp FILE_CREATE ..\parent_dir\dir_name\file_name.swp FILE_DELETE ..\parent_dir\dir_name\file_name.swp FILE_DELETE ..\parent_dir\dir_name\file_name.swx FILE_CLOSE ..\parent_dir\dir_name\file_name.swx FILE_SET_ACL ..\parent_dir\dir_name\file_name.swx FILE_CLOSE ..\parent_dir\dir_name\file_name.swx FILE_CREATE ..\parent_dir\dir_name\file_name.swx FILE_CLOSE ..\parent_dir\dir_name\file_name.swp FILE_SET_ACL ..\parent_dir\dir_name\file_name.swp FILE_CLOSE ..\parent_dir\dir_name\file_name.swp FILE_CREATE ..\parent_dir\dir_name\file_name.swp DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Delete a File | DIR_CLOSE ..\parent_dir\dir_name FILE_DELETE ..\parent_dir\dir_name\file_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Create a Folder | DIR_CLOSE ..\parent_dir\dir_name\new_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_CREATE ..\parent_dir\dir_name\new_dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name |
NFS (Turbo Audit): Delete a Folder | DIR_CLOSE ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_DELETE ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Rename a Folder | DIR_CLOSE ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_RENAME ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Modify ACL of a file | DIR_CLOSE ..\parent_dir\dir_name FILE_CLOSE ..\parent_dir\dir_name\file_name FILE_SET_ACL ..\parent_dir\dir_name\file_name FILE_CLOSE ..\parent_dir\dir_name\file_name DIR_OPEN ..\parent_dir\dir_name |
NFS (Turbo Audit): Modify ACL of a Directory | DIR_CLOSE ..\parent_dir\dir_name\current_dir_name DIR_CLOSE ..\parent_dir\dir_name DIR_SET_ACL ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name\current_dir_name DIR_OPEN ..\parent_dir\dir_name |
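Added example (not part of the original page and not vendor code): when reviewing these streams, most messages are directory open/close pairs or events on helper files (desktop.ini over SMB, editor swap and backup files over NFS), so it helps to reduce a workflow to the significant events per user file. The sketch below parses a flattened "EVENT path" cell as shown in the tables and does that reduction. The split into significant and supporting events and the helper-file list are assumptions of this example.

```python
import re
from collections import defaultdict

# Event names come from the tables above. Which events count as "significant"
# and which names count as helper files is an assumption of this example.
EVENT_RE = re.compile(r"^(?:S_)?(?:FILE|DIR)_[A-Z_]+$")
SIGNIFICANT = {
    "FILE_CREATE", "FILE_WRITE", "FILE_DELETE", "FILE_RENAME", "FILE_SET_ACL",
    "FILE_OPEN_NOACCESS", "DIR_CREATE", "DIR_DELETE", "DIR_RENAME", "DIR_SET_ACL",
}
HELPER_NAMES = {"desktop.ini", "tempfile"}  # helper files seen in the tables
HELPER_SUFFIXES = (".swp", ".swx", "~")     # editor swap/backup files (NFS write row)


def parse_cell(cell):
    """Split a flattened 'EVENT path EVENT path ...' cell into (event, path) pairs."""
    pairs, event, parts = [], None, []
    for token in cell.split():
        if EVENT_RE.match(token):
            if event is not None:
                pairs.append((event, " ".join(parts)))
            event, parts = token, []
        elif event is not None:
            parts.append(token)  # a path may contain spaces
    if event is not None:
        pairs.append((event, " ".join(parts)))
    return pairs


def is_helper(path):
    """True for desktop.ini, editor swap/backup files and the tempfile placeholder."""
    name = path.rstrip("\\").rsplit("\\", 1)[-1].lower()
    return name in HELPER_NAMES or name.endswith(HELPER_SUFFIXES)


def summarize(pairs):
    """Return {path: sorted significant events}, dropping helper files and open/close noise."""
    actions = defaultdict(set)
    for event, path in pairs:
        if event in SIGNIFICANT and not is_helper(path):
            actions[path].add(event)
    return {path: sorted(events) for path, events in actions.items()}


# Constructed sample: a shortened form of the "NFS (Turbo Audit): Write to a File" row.
SAMPLE = (r"DIR_CLOSE ..\parent_dir\dir_name FILE_DELETE ..\parent_dir\dir_name\file_name.swp "
          r"FILE_DELETE ..\parent_dir\dir_name\file_name~ FILE_WRITE ..\parent_dir\dir_name\file_name "
          r"FILE_SET_ACL ..\parent_dir\dir_name\file_name FILE_CREATE ..\parent_dir\dir_name\tempfile")

print(summarize(parse_cell(SAMPLE)))
```

On the sample, the FILE_DELETE and FILE_CREATE messages on the swap, backup and temp files are dropped, leaving only FILE_SET_ACL and FILE_WRITE on the edited file.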
© Superna Inc