4 replies to this topic

[williamcheang]

Hi All,

Customer is asking the question, where files/fodlers changes(permission changed, file or folder added/removed)

that triggered by Powershell script or batch script, can this be capture by Netwrix Auditor ?

 

regards,

William

[jeffb]

Hello William,

 

Any change which results in a different file and attributes will be captured.  Details will also be captured for any change which results in windows audit logs being created as a result of auditing being configured.

 

-Jeff

[williamcheang]

Hi Jeff,

Let said, we have a windows batch script that called "c:\temp\update_file_perm.bat" and  this window batch script changes file permission on a shared folder. Someone executed this batch script and file permission been changed, 

 

Q1. Can Netwrix detect the person who executed this batch script ?

 

Q2. When files been changed by script(Netwrix pickup these file changes) , based on the file changes record/event,

can we trace back to the script that executed this change ?

 

Q3. With normal file permission changes, we can see "Who", "What", "Where" & Details.

Will the Details column will it show file changes is been make by which script ?

 

 

regards,

William

[jeffb]

William,

 

To find out who would show up as having made the change please reproduce the scenario and check the windows security event logs.  It would likely be the account which was used to run the script unless the script specifies an account to use.

 

-Jeff

[williamcheang]

Hi Jeff,

Based on my recent testing using batch script & powershell script, when we trigger "mkdir" in command prompt & powershell prompt, Netwirx able to show new folder is added but who=system.  Support told me that Microsoft did not generate any security event for "mkdir" action, so Netwrix not able to who make the change.

 

So not all the command/action happen in command prompt or powershell, can generate event.

 

regards,

William