2015-08-20 03:17 AM
Hi, I'd like to have some additional information about events I sometimes gather while auditing CIFS shares.
The first one is EventID 563, Object Open for Delete: NetApp Library (https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-1BC2FAB0-A641-4D16-A4A0-44871F560509.html) says this is a Logon/Logoff event, but I think this is not true.
The second is EventID 567, Object Access Attempt. I've noticed I gather this every 32KB of data read; can anyone confirm this? Also, these events have more information than expected from the MS documentation: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&EvtID=567&Evtsrc=Security. Other than the "standard" fields, I also have the file name and additional information about who did it. Where can I find more documentation about this? Are there any other "non standard" events?
2015-08-20 05:39 AM
The first Event (ID 563) happens when a file is opened with FILE_DELETE_ON_CLOSE, which is usually used for temporary files. NetApp will automatically delete that file when the last open file handle to it has been closed. Note that you (or rather a program) can also use that flag to force deletion of a file that is currently in use by another program (it still needs the delete permission on the file itself, of course; you cannot delete random files that way).
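To reproduce both cases this reply describes against a share and then match the resulting Event ID 563 entries in the audit log, here is an added PowerShell example (it is not part of the original thread and not NetApp code). It assumes a hypothetical share \\filer\share on which the caller has delete permission, and relies on .NET's FileOptions.DeleteOnClose, which sets FILE_FLAG_DELETE_ON_CLOSE on the underlying CreateFile call:

```powershell
# Added example, not from the original thread. Assumptions: \\filer\share is a
# hypothetical CIFS share where the current user has delete permission, and
# [IO.FileOptions]::DeleteOnClose maps to the Win32 FILE_FLAG_DELETE_ON_CLOSE flag.
$share = '\\filer\share'

function Open-DeleteOnClose {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [IO.FileMode] $Mode = [IO.FileMode]::OpenOrCreate
    )
    # FileShare.Delete is included so that other handles to the same file (and the
    # filer's pending delete) do not conflict with this one.
    New-Object System.IO.FileStream -ArgumentList @(
        $Path,
        $Mode,
        [IO.FileAccess]::ReadWrite,
        ([IO.FileShare]::ReadWrite -bor [IO.FileShare]::Delete),
        4096,
        [IO.FileOptions]::DeleteOnClose
    )
}

# Case 1: a temporary file. Nothing deletes it explicitly; it disappears when the
# only handle to it is closed. This open should be the one that produces Event ID 563.
$tmp = Join-Path $share 'scratch.tmp'
$fs = Open-DeleteOnClose -Path $tmp -Mode ([IO.FileMode]::Create)
$bytes = [Text.Encoding]::ASCII.GetBytes('temporary data')
$fs.Write($bytes, 0, $bytes.Length)
$fs.Flush()
"case 1, exists while open:  $(Test-Path $tmp)"
$fs.Dispose()
"case 1, exists after close: $(Test-Path $tmp)"

# Case 2: a file some other program still has open. Whether the delete-on-close
# open succeeds depends on the share mode that other program used.
$victim = Join-Path $share 'inuse.txt'
Set-Content -Path $victim -Value 'held open by another program'

# 2a: the holder did NOT allow FILE_SHARE_DELETE, so the delete-on-close open fails
# with a sharing violation and the file survives.
$holder = [IO.File]::Open($victim, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::Read)
try {
    $killer = Open-DeleteOnClose -Path $victim -Mode ([IO.FileMode]::Open)
    $killer.Dispose()
    "case 2a: unexpected, delete-on-close open succeeded"
} catch [IO.IOException] {
    "case 2a: delete-on-close open refused: $($_.Exception.Message)"
} finally {
    $holder.Dispose()
}
"case 2a, exists afterwards: $(Test-Path $victim)"

# 2b: the holder allowed FILE_SHARE_DELETE. The delete-on-close open succeeds and
# the file is gone once both handles are closed, even though the holder never
# deleted anything itself.
$holder = [IO.File]::Open($victim, [IO.FileMode]::Open, [IO.FileAccess]::Read, ([IO.FileShare]::Read -bor [IO.FileShare]::Delete))
$killer = Open-DeleteOnClose -Path $victim -Mode ([IO.FileMode]::Open)
$killer.Dispose()   # marks the file for deletion; the holder's handle still keeps it alive
$holder.Dispose()   # last handle closed: the filer now removes the file
"case 2b, exists after both closed: $(Test-Path $victim)"
```

Run it once against a share with CIFS auditing enabled and compare the timestamps of the Open-DeleteOnClose calls with the 563 entries in the audit log; cases 1 and 2b each perform exactly one delete-on-close open, while case 2a attempts one that the filer rejects, which is a useful check of whether a refused open is logged as well.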
2015-08-24 12:10 AM
First of all, thank you.
Actually, EventID 563 seems to happen even when deleting normal files, not just temporary ones. I've installed a NetApp simulator and created some shares, and when I try to delete something these are always triggered:
Then, if I press "I'm sure to delete" in explorer.exe:
Can I safely assume there isn't a delete until I find the last event? Online documentation does not state anything about...
I'm looking for something that saves me from having to empirically find out the "real" action. But again, I found no clear documentation at all.