What is a one sentence summary of your feature request?
Adding a wildcard symbol in the filters for the Netwrix Auditor alerts
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Dear Netwrix employees,
Following a discussion with one of your colleagues from the Support Team, I decided to open this new idea proposal because we never managed to meet our needs with the current features of the product.
During the investigation with Support, we finally concluded that a very small feature is missing, which prevents us from meeting our current needs.
To summarize, we want to define email alerts for when a user who is not a member of a given user group performs at least one access (failed or successful) to files located in a specific folder on a monitored file server.
However, once the alert was configured, we received many false positives caused by global searches run at the root path of the file server with the Windows File Explorer application.
The first cause is that the Windows event logs on which Netwrix Auditor is based don’t give any detail about the location of the File Explorer search (only the accesses are logged, with the absolute path of the target).
Nevertheless, I came to the conclusion that if we could use a wildcard in the What filter of the alert, for instance the asterisk symbol, and if that wildcard followed the regex provided below, then the need could be better met by simply adding a wildcard after the root monitored folder.
REGEX: [^\n\s\t]+
Finally, my proposal doesn’t allow us to remove the false positives linked to users outside the user group who nevertheless have the necessary rights to enter this folder from the file share.
Best regards.
Maxime RACOILLET
Security Consultant for IMRIM
How do you currently solve the challenges you have by not having this feature?
For the moment, we have no way to meet the needs as precisely as we would like.
We will try to work with the alert thresholds, but this won’t meet the real customer needs.
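To make the proposed behaviour concrete, here is an added example (written for this page, not code from Netwrix Auditor or from the requester) that applies the alert rule described above to a handful of constructed access records: every `*` in the What filter is expanded to the regex `[^\n\s\t]+` from the request, the rest of the filter is matched literally, and an alert is raised only for users outside the allowed group. The user names, host `fs01`, share paths and event fields are all invented for the illustration; the `AccessEvent` shape is not Netwrix's schema.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Regex proposed in the request for what a single '*' should match.
WILDCARD_REGEX = r"[^\n\s\t]+"


@dataclass(frozen=True)
class AccessEvent:
    """One file-server access record (constructed shape, not Netwrix's schema)."""
    user: str     # account that performed the access
    action: str   # e.g. "Read", "Modify"
    status: str   # "Success" or "Failed"
    path: str     # absolute path of the target object, as in the event log


def what_filter_to_regex(what: str) -> re.Pattern:
    r"""Turn a What filter such as '\\fs01\Finance\Budget\*' into a regex.

    Every '*' expands to WILDCARD_REGEX; every other character is matched
    literally, so backslashes in UNC paths need no special handling by the
    caller. The match is anchored to the whole path and case-insensitive,
    since Windows paths are case-insensitive.
    """
    literal_parts = [re.escape(part) for part in what.split("*")]
    return re.compile("^" + WILDCARD_REGEX.join(literal_parts) + "$", re.IGNORECASE)


def should_alert(event: AccessEvent, allowed_group: set[str], what: str) -> bool:
    """Rule from the request: any access (failed or successful) to an object
    matching the What filter, made by a user who is NOT in the allowed group."""
    pattern = what_filter_to_regex(what)
    user_allowed = event.user.casefold() in {m.casefold() for m in allowed_group}
    return not user_allowed and pattern.match(event.path) is not None


# Constructed sample data (hypothetical users, host and paths).
FINANCE_GROUP = {"CORP\\alice", "CORP\\carol"}
WHAT = r"\\fs01\Finance\Budget\*"

SAMPLE_EVENTS = [
    AccessEvent("CORP\\bob", "Read", "Success", r"\\fs01\Finance\Budget\2024\Q1.xlsx"),
    AccessEvent("CORP\\alice", "Read", "Success", r"\\fs01\Finance\Budget\2024\Q1.xlsx"),
    AccessEvent("CORP\\bob", "Read", "Failed", r"\\fs01\Finance\Budget\secret.docx"),
    AccessEvent("CORP\\bob", "Read", "Success", r"\\fs01\Finance"),           # object at the share root
    AccessEvent("CORP\\bob", "Read", "Success", r"\\fs01\Finance\Budget"),    # the monitored folder itself
    AccessEvent("CORP\\bob", "Read", "Success", r"\\fs01\Finance\Budget\Q1 draft.xlsx"),  # space in name
]


def evaluate(events=SAMPLE_EVENTS, group=FINANCE_GROUP, what=WHAT) -> list[tuple[str, str]]:
    """Return the (user, path) pairs the rule would raise an alert for."""
    return [(e.user, e.path) for e in events if should_alert(e, group, what)]


if __name__ == "__main__":
    for user, path in evaluate():
        print(f"ALERT  {user}  {path}")
```

Two things are worth noticing when running it. The anchored pattern ending in `Budget\` followed by `[^\n\s\t]+` matches descendants at any depth (the character class accepts backslashes) but not the share root or the monitored folder itself, which is the point of adding the wildcard after the root folder. The same class excludes whitespace, so an object whose name contains a space, like the constructed `Q1 draft.xlsx`, is silently not matched; a practitioner adopting this regex would probably want a class such as `[^\n\t]+` or `.+` instead. Also, as the request itself notes, `bob` still raises an alert even if he has NTFS rights to the folder, because the rule only looks at group membership, not at effective permissions.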