Under Review

Data Lake Query similar to Endpoint File Access History

Is there a query available for the data lake to query file information similar to the File Access History that endpoint queries use?

We would like to be able to query our data lake and find copies / modifications / moves / deletions / renames (and what it was renamed to) for a specific file path on our file server.

We would also like to know one of these, as it would help identify who made the changes: User / Device / IP Address.

I have tried to use the Files changed on Windows (Data Lake) query and had no success; it only shows .exe or .dll information, and it's the entire data lake, not device specific. I would like to see all file types.

If I could get some assistance with building the query, or be pointed in the right direction, that would be greatly appreciated.

  • Do you have FIM enabled on the server? The reports that creates might have some of what you need. Here is a FAQ: support.sophos.com/.../KB-000038360 It may not be central now, but you can run: wevtutil im "%ProgramFiles%\Sophos\File Integrity Monitoring\SophosFimEventProvider.man" to have it write modifications to certain reg keys/files to the event log. Maybe these could be centrally stored? Sophos provides the FIM feed XML, which is the "default" set of monitored locations, but you can set your own "include" paths to files/reg keys in the FIM policy in Central.
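As an added example (not from the thread or from Sophos), the following PowerShell follows the reply's suggestion one step further: it reads the provider and channel names out of the .man manifest rather than hard-coding them, registers the manifest with wevtutil im only if the provider is not yet known, and then pulls recent events from that provider for one file path, reporting time, computer and user for each. The manifest path is the one quoted in the reply; $Path is an assumed example value, and the filter assumes the event message text contains the file path.

```powershell
# Added example: discover the FIM event provider from its manifest, register it if
# needed, and list recent events that mention one file path (who / where / when).
param(
    [string]$Manifest = "$env:ProgramFiles\Sophos\File Integrity Monitoring\SophosFimEventProvider.man",
    [string]$Path     = 'D:\Shares\Finance\budget.xlsx',   # assumed example path
    [int]$Hours       = 24
)

# An instrumentation manifest is XML in the Microsoft events namespace; the
# provider element carries the provider name and declares its channels.
$xml = [xml](Get-Content -LiteralPath $Manifest -Raw)
$ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events')
$provider     = $xml.SelectSingleNode('//e:provider', $ns)
$providerName = $provider.GetAttribute('name')
$channels     = @($provider.SelectNodes('.//e:channel', $ns) | ForEach-Object { $_.GetAttribute('name') })
Write-Host "Provider '$providerName' declares channels: $($channels -join ', ')"

# Register the manifest only when the provider is not already installed
# (wevtutil im needs an elevated shell).
if (-not (Get-WinEvent -ListProvider $providerName -ErrorAction SilentlyContinue)) {
    & wevtutil.exe im $Manifest
}

# Pull the last $Hours of events from the provider, keep those whose message
# mentions the path, and resolve the recording SID to an account name.
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ ProviderName = $providerName; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    ForEach-Object {
        $sid  = $_.UserId
        $user = if ($sid) {
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else { '' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Channel  = $_.LogName
            Computer = $_.MachineName
            User     = $user
            Message  = ($_.Message -split "`n")[0]   # first line only, for a compact table
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the file server itself; once the events are in the Windows event log they can be forwarded to whatever central collector is in use, which addresses the reply's "maybe these could be centrally stored?" question.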