Understand how to report access to a specific network share without blocking it

Hello all. I’m new, so I apologize for any inconvenience.

I’m looking for an idea to only report the movement from a particular network share to the endpoint, using the EPP client.

I’ve tried with File Location Denylists but, as described in the user manual, file transfers within this location are automatically blocked, regardless of the content inspection rules or permissions defined in various Policies. This behavior is aggressive in my scenario.

I’ve tried many regular expressions, but they also match strings (so paths) that will not be monitored. This is why I’ve selected “Network Share” as the exit point on CAP. If I turn it off, I will have no logs.

Is it possible to define a “soft” denylist, in order to just monitor/report the access/modify/movement and not to block the whole access?

Hope to have feedback from you.

Best Regards,
Marcello

1 Like

Hi Marcello, and welcome to the Netwrix Community!
All questions are welcome, so please feel free to ask them here. Your question is particularly insightful because it touches on a key aspect of network monitoring.

I would recommend using the File Tracing feature for network shares. Given your use case, this will address most aspects of it. Let me start with the highlights.

Since you want to monitor file actions like “access/modify/movement”, this would be the way to go, as it monitors events such as file read, write, rename, modify, and delete. You can even configure exclusions for certain file extensions that you might not be interested in, like .log files, for example.

Another advantage is that you can activate this feature for select machines, rather than globally. On the downside, you cannot specify which network share paths to monitor and which not to monitor. However, to make things easier, you can export these logs to a SIEM server and build a rule on the SIEM to only ingest or display logs that contain the paths you want to see.

If you want to have a look at file tracing, please navigate to “Device Control”, then select the area you would like to apply it to (Global settings, Group settings, or User/Computer settings), then scroll down to where it says “File Tracing and Shadowing”. Please be aware that turning on file tracing globally without any exclusions or other considerations can make your logs grow really, really fast, due to all the information that is being logged.

Here is our User Manual on File Tracing:

https://helpcenter.netwrix.com/bundle/EndpointProtector_5.9.4.2/page/Content/EndpointProtector/Admin/DeviceControl/GlobalSettings.htm#file_tracing_and_shadowing

Hope this takes you one step closer to the desired outcome.

2 Likes

Hello everyone,

I would also like to add something to this discussion. When talking with potential customers, we often see requirements for handling specific locations within network shares differently.

For example, one customer works with AutoCAD files. Their shared folder structure is organized by project, like this:

\\FileServer\project\project_A
\\FileServer\project\project_B

In this scenario, the customer’s requirement is:
- AutoCAD files in Project_B should be blocked if a user tries to send them out,
- AutoCAD files in Project_A should be only reported when sent,
- Files from other folders should have no action applied.

We come across situations like this quite frequently in the field, so I just wanted to highlight it here as well.

Best Regards.

1 Like
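The SIEM-side path filter suggested in the File Tracing reply above, sketched as an added example (not part of the thread and not Netwrix code). The `user|action|path` log layout and the sample events are constructed assumptions, not the product's real export format; the watched folder is the project_A path from the post above. It compares paths on whole component boundaries after normalization, so the watched folder does not also catch sibling folders that share its prefix, which is where loose regular expressions over-match.

```python
import ntpath

# Share folders to report on (path from the thread's project example).
WATCHED_ROOTS = [r"\\FileServer\project\project_A"]

# Constructed sample events: user|action|path. This layout is an assumption,
# not the product's real export format.
SAMPLE_LOG = r"""
alice|File Read|\\FileServer\project\project_A\site\plan.dwg
bob|File Write|\\FILESERVER\Project\PROJECT_A\plan_v2.dwg
carol|File Read|\\FileServer\project\project_A_archive\old.dwg
dave|File Read|\\FileServer\project\project_A\..\project_B\secret.dwg
erin|File Delete|//fileserver/project/project_a/tmp.bak
frank|File Read|\\FileServer\project\project_B\b.dwg
"""

def normalize(path):
    """Collapse '..' and '/', drop trailing separators, and fold case
    (Windows share paths are normally case-insensitive)."""
    return ntpath.normpath(path).rstrip("\\").lower()

def is_under(path, root):
    """True only if path is root itself or lies below it on a component boundary."""
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r + "\\")

def parse(line):
    """Split one constructed log line; returns None for malformed lines."""
    fields = line.strip().split("|", 2)
    if len(fields) != 3:
        return None
    return dict(zip(("user", "action", "path"), fields))

def watched_events(log_text, roots=WATCHED_ROOTS):
    """Return the events whose path falls under any watched root."""
    hits = []
    for line in log_text.splitlines():
        event = parse(line)
        if event and any(is_under(event["path"], r) for r in roots):
            hits.append(event)
    return hits

if __name__ == "__main__":
    for e in watched_events(SAMPLE_LOG):
        print(e["user"], e["action"], e["path"])
```

The same normalize-then-compare logic carries over to a SIEM rule: canonicalize the path field first, then match the watched prefix followed by a separator rather than a bare substring.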
