SIEM

File Access Use Cases

Grouped by Detection Method

Match Alert

• NTDS.dit

Aggregate Count

• Access of .ost, .pst files (Outlook Email Archives)

Blacklist Alert

• A business confidential file is accessed

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

• Windows Security Event ID 4656: A handle to an object was requested
• Host-Based IPS Signatures
• Cloud Bucket Logs

Possible False Positives

This site is open source. Improve this page.