2011-08-01 11:57 AM
I am writing to inquire if anyone has experience with sending audit-file information to a Security Incident and Event Manager (SIEM) like ArcSight.
I am particularly interested in MS file access logs.
2012-01-30 08:33 AM
We finally went with LogRhythm for event log and CIFS log reporting. It does this nicely without an agent, etc.
However, nothing I can find can do real-time File Integrity Monitoring (FIM) without doing away with NetApp CIFS and migrating the file shares from the NetApp to a Windows front-end server.
Here is some info on File Integrity Monitoring (FIM):
1. Alerts on any file or folder additions, deletions, modifications, or reads.
2. Can alert on a variety of malicious behaviors, from improper user access of confidential files to botnet related breaches and transmittal of sensitive data.
3. Meets PCI DSS compliance for sections 11.5* and 12.9, specifically addressing 35 mandates of PCI DSS 1.2.
4. Provides a complete set of forensic data for rapidly identifying the root cause of security breaches.
*11.5 mandates that we deploy file integrity monitoring to alert personnel to unauthorized modifications of critical system or content files, and perform file comparisons at least weekly or more frequently.
My two cents.
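As an added illustration of the baseline-and-compare style of FIM described in the post above (this is example code written for this page, not part of the original thread, NetApp, LogRhythm or any other product mentioned), the script below hashes every file under a directory into a baseline, stores it as JSON, and on the next scan reports additions, deletions and modifications. This is the "file comparison" half of PCI DSS 11.5; it deliberately does not claim to cover reads (point 1 in the list), because a hash comparison cannot see who opened a file, which is exactly why the CIFS audit logs discussed earlier are still needed. The directory layout and file names in `run_demo()` are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record hash, size and permission bits of every regular file.

    Keys are POSIX-style paths relative to `root`, so a baseline taken on one
    mount point can be compared against the same share mounted elsewhere.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_file():  # skip sockets, device nodes, dangling symlinks
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; lists are sorted so alert output is stable."""
    old, new = set(baseline), set(current)
    modified = sorted(
        p for p in old & new
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": modified,
    }


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline. In production this file must live outside the
    monitored tree and be write-protected, or an attacker simply re-baselines."""
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def run_demo() -> dict:
    """Constructed scenario (hypothetical share layout): baseline a temporary
    tree, then add, delete and modify files as if between two scheduled scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "readme.txt").write_text("hello\n")
        (root / "old.log").write_text("x\n")

        store = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), store)

        # Changes between scans
        (root / "etc" / "app.conf").write_text("debug=true\n")  # modified
        (root / "old.log").unlink()                               # deleted
        (root / "etc" / "shadow.bak").write_text("secret\n")     # added

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Scheduling `build_baseline` plus `compare` against a stored baseline from cron or Task Scheduler gives the weekly (or more frequent) comparison 11.5 asks for; the gap between scans is the detection latency, which is why the post distinguishes this from real-time FIM.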