How to Use Easy Auditor for Typical Audit Use Cases
This section walks through typical audit use cases and suggests the Easy Auditor features that address each audit requirement.
- Urgent request to react to a security event
- Application Performance Issue for NAS share or export
- Compliance Reporting
- User Behavior Audit
- Triggers for Network Aware Monitoring
- example 1
- example 2
- example 3
- example 4
Urgent request to react to a security event
This type of request is urgent: a data leak, a user termination or an information delete request that needs answers fast. It requires instant access to navigate the file system and review activity in multiple folders, since it is not 100% clear what you are looking for. The new feature in Easy Auditor is targeted at this use case.
Options to audit this use case
- WireTap - This feature lets you browse the file system and instantly see all file activity by user and path. The UI allows advanced filtering on specific events, on the IO of a single user, or even on a file name. This tool can assist with a live security incident in the file system because it shows live audit data matching the configured filters, which speeds up the investigation. It also avoids searching the database, since all data is streamed directly to the GUI.
- Only possible with a real-time event processing platform such as Easy Auditor.
User Reports of missing files in a share path
Options to audit this use case
- Where did my folder go? - Browse to the path under /ifs and search for all directory renames (moves) or deletes with a single click, then check whether delete or rename events are the root cause of the issue. If you get a lot of results, copy them to the clipboard and sort them in Excel. This uses a purpose-built index for this common everyday issue.
- Scheduled Query - Create a search on the advanced search tab, entering the cluster and the file system path to monitor. Save the query, then use the schedule tab to run it every hour and alert you on any deletes in that path.
- Same as above, but also enter a file extension to narrow the delete query, and schedule it every hour.
- WireTap - Create a WireTap session to monitor the path in real time if the delete is a recurring issue on a path. A path-based WireTap is the right choice when it is unknown who deleted the file(s). If it is a specific user's issue, WireTap the user to monitor their activity while they execute a sequence of steps to reproduce the delete.
Application Performance Issue for NAS share or export
Users raise issues about the performance of an application or of data access. This can be caused by file locking, by temp file creation on the NAS share instead of local disk, or by a poor application workflow when accessing network shares/exports.
Options to audit this use case
- WireTap - Create a WireTap session for the user or path with the performance issue, and monitor it while asking end users to re-attempt the application operations. A path-based WireTap is best when multiple users raise a performance issue on a share; create a user-based WireTap when a single user reports an application performance issue.
Compliance Reporting
This report uses the logon and logoff audits to report on user access to storage. It can also report on failed logon attempts. HIPAA, PCI and many other industry regulations require that an in-scope device be able to report on user authenticated access attempts; this report meets that requirement. It is also required to know who has access to data for traceability.
Options to audit this use case
- Built-in Reports
- Login Monitor report - shows which users logged in to and logged off the array, including failed login attempts.
- Stale Access report - shows which users accessed data they have permission to see over a time period. Users that do not access data can be considered for removal; security best practice is to follow a least-access (least privilege) model.
- Access report - shows the list of users that can mount SMB shares. The user groups in the SMB share-level security are expanded to build a full list of users that can access each share. Use it to send to departments so they can verify data access privileges.
Excessive Permissions Analysis
The Excessive Permissions report assists with identifying users who have access to data that they no longer access. This report can help with compliance and with securing access to data. The report analyses the users who have accessed shares, resolves share access from AD group membership, and lists users who have access to shares but no actual file activity within the report range.
These users are candidates to have their group membership reduced to narrow access to data.
Options to audit this use case
- Built-in Excessive Permissions report - Open the Report History to open the report.
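The logic behind the Excessive Permissions report, as an added illustration that is not Easy Auditor's own code: expand share-level AD groups (including nested groups) into a user list, then subtract the users that show file activity within the report range. The share ACL, group membership and audit activity are constructed sample data; ISO date strings are assumed for the report range.

```python
# Constructed sample data, not real directory or audit content.
# Share-level SMB permissions: share -> AD groups granted access.
SHARE_ACL = {"finance": ["Finance-RW", "IT-Admins"], "hr": ["HR-Users"]}
# AD group membership; a member prefixed "group:" is a nested group.
AD_GROUPS = {
    "Finance-RW": ["alice", "bob", "group:Finance-Leads"],
    "Finance-Leads": ["carol"],
    "IT-Admins": ["dave"],
    "HR-Users": ["erin", "group:IT-Admins"],
}
# Audit activity: (ISO date, user, share) for file events seen on the cluster.
ACTIVITY = [
    ("2024-01-05", "alice", "finance"),
    ("2024-01-09", "erin", "hr"),
    ("2023-11-02", "bob", "finance"),  # falls outside the January report range
]

def expand_group(group, groups, seen=None):
    """Resolve a group to its set of users, following nested groups and ignoring cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    users = set()
    for member in groups[group]:
        if member.startswith("group:"):
            users |= expand_group(member[len("group:"):], groups, seen)
        else:
            users.add(member)
    return users

def excessive_permissions(share_acl, groups, activity, start, end):
    """Per share, the users entitled to it that produced no file activity in [start, end]."""
    active = {(user, share) for day, user, share in activity if start <= day <= end}
    report = {}
    for share, granted in share_acl.items():
        entitled = set()
        for group in granted:
            entitled |= expand_group(group, groups)
        # Entitled but inactive users are the candidates for group membership reduction.
        report[share] = sorted(u for u in entitled if (u, share) not in active)
    return report
```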
User Behavior Audit
Random user audits and suspicious file access auditing are a common requirement in security departments. Easy Auditor provides several tools to perform proactive audits of file access.
Options to audit this use case
- WireTap - Create a WireTap session with the per-user option. The session can be actively monitored, or saved so that a report can be run later listing all file access since the session was created.
- Search - Build a search based on the user ID and a date range; it returns all file access on all shares within that date range. In the preview screen of the search, select run report.
Triggers for Network Aware Monitoring
- Active Auditing and triggers provide pre-built logic and custom rules that trigger on any type of proactive monitoring needed to secure data.
- Data loss prevention trigger - monitors users doing a bulk copy of sensitive data. Recommended on a subset of your data, for example financial or other sensitive data. Configure the trigger with the percentage of data on the path that represents normal usage, for example 5-10%, and experiment with the percentage to avoid false positives.
- Mass Delete protection trigger - Use this pre-built trigger to monitor paths for high-rate deletes by users, giving visibility into deletes and user behaviours. Monitor triggers to verify whether users have odd workflows that are impacting the cluster with high-rate deletes and copies.
- Custom triggers - This very powerful option creates rules with AND/OR logic using audit data fields, thresholds and time windows.
example 1
- Monitor a path of data based on the source IP subnet of the hosts touching the data. Use this option when application servers on one subnet are the only authorized machines to access the data, and identify any user trying to access the data directly with subnet-aware triggers.
example 2
- Identify banned file types with a simple extension-based trigger; for example, an mp3 extension filter can locate users touching, creating, or accessing banned file types.
example 3
- Monitor a user's behavior with a user-based trigger on deletes. If a user is suspected of deleting data in a group share, configure a user monitor trigger for deletes and get a notification any time the user deletes data.
example 4
- Monitor all access to centralized storage from VPN or wifi using a subnet-aware policy to identify who is accessing what from external subnets.
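How the trigger types above combine thresholds, time windows, subnet awareness and extension matching, shown as an added detection example run over constructed NAS audit events; this is illustrative code, not Easy Auditor's trigger engine. The event fields, the /ifs paths, the 10.10.5.0/24 authorized application subnet and the 3-deletes-per-minute threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events, not real data: (timestamp, user, op, path, client_ip)
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "delete", "/ifs/data/finance/q1.xlsx", "10.10.5.20"),
    ("2024-01-10T09:00:10", "alice", "delete", "/ifs/data/finance/q2.xlsx", "10.10.5.20"),
    ("2024-01-10T09:00:20", "alice", "delete", "/ifs/data/finance/q3.xlsx", "10.10.5.20"),
    ("2024-01-10T09:05:00", "bob", "read", "/ifs/data/app/config.ini", "10.10.5.31"),
    ("2024-01-10T09:06:00", "carol", "read", "/ifs/data/app/config.ini", "192.168.44.7"),
    ("2024-01-10T09:07:00", "dave", "create", "/ifs/home/dave/song.mp3", "10.10.5.40"),
    ("2024-01-10T10:00:00", "bob", "delete", "/ifs/data/finance/old.xlsx", "10.10.5.31"),
]

# Assumption for the subnet-aware rule: only this subnet holds authorized app servers.
APP_SUBNET = ipaddress.ip_network("10.10.5.0/24")
# A rule is (name, predicate over one event, threshold, window): threshold 1 fires on the
# first match; threshold N fires when one user produces N matches inside the window.
RULES = [
    ("mass_delete_finance",
     lambda e: e["op"] == "delete" and e["path"].startswith("/ifs/data/finance/"),
     3, timedelta(minutes=1)),
    ("app_data_from_unauthorized_subnet",
     lambda e: e["path"].startswith("/ifs/data/app/")
     and ipaddress.ip_address(e["client_ip"]) not in APP_SUBNET,
     1, timedelta(0)),
    ("banned_extension_mp3", lambda e: e["path"].lower().endswith(".mp3"), 1, timedelta(0)),
]

def parse(raw):
    ts, user, op, path, ip = raw
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op, "path": path, "client_ip": ip}

def evaluate(raw_events, rules=RULES):
    """Return (rule_name, user, iso_timestamp) for every trigger that fires."""
    alerts, seen = [], defaultdict(deque)  # seen[(rule, user)] = match times still in the window
    for e in map(parse, sorted(raw_events)):  # ISO timestamps sort correctly as strings
        for name, match, threshold, window in rules:
            if not match(e):
                continue
            q = seen[(name, e["user"])]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:  # drop matches that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((name, e["user"], e["ts"].isoformat()))
                q.clear()  # one burst produces one alert, not one per extra event
    return alerts
```

Bob's single delete an hour later never reaches the threshold, which is the kind of false positive the time window exists to avoid.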