Set Detection Policy to monitor for folder permission changes
Last Updated August 09, 2017
Security practices dictate that folders need to be monitored for permission changes.
Follow the steps below to set up a custom rule to monitor for these changes.
First, a custom rule needs to be created in the Detection policy that will be used.
In the My Custom Rules section click the green plus sign to add a new rule. Name your rule and select the Category as File Watch.
Input the identifier for the rule. This can be the same as the rule name. NOTE: The identifier does not allow spaces. This is so that you can later search for the identifier to find events associated with the rule.
Click finish to create the rule. Once the rule is listed under My Custom Rules, click the blue Edit text to configure the rule.
Check the box next to File Watch Rule Options to activate the rule and click Edit to expand the rule options.
In the options, enter a Rule Name. This will make the rule searchable in your policy.
Enter the Rule Severity. This is dependent on how severely the events will be handled. Options are Info, Warning, or Critical.
In Search depth, manually enter a zero (0). The drop-down menu starts at one (1), so the value has to be typed in. With a zero (0), only the folder that is set to be watched is monitored. Polling interval does not need to be edited.
Once everything is configured in the File Watch Rule Options, click Edit to collapse the section.
Check the boxes as shown in the image below to activate the monitors.
Now all that needs to be configured is the paths to the folders that need to be monitored. Click Edit next to Files to watch to expand the section. Click Add and enter the exact path to the folder that needs to be monitored and click ok. You can add multiple folders that need to be watched.
Once all the folders are added, click apply and save the changes to the policy.
Events that are created by this rule will show (Access Control List Changed) in the event details. Example below.
This type of rule will only monitor the folders, but not the contents. If there is a need to monitor the contents of the folders, the Search Depth in the File Watch Rule Options can be changed to check further into the folder. Please make sure to check the Administrator Guide for Real Time File Monitoring limits and recommendations.
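The effect of Search depth can be checked independently of the product. The Python below is an added example, not code from the product or its Administrator Guide: it polls permission metadata down to a chosen depth and shows that a change to a file inside the folder is missed at depth 0 but caught at depth 1. It assumes a POSIX host and uses mode bits and ownership as a stand-in for the ACL; the names snapshot, permission_changes and demo are hypothetical, and the temporary folder and file are constructed sample data.

```python
import os
import stat
import tempfile


def snapshot(root, depth=0):
    """Map each watched path to (mode, uid, gid).

    depth=0 records only root itself; depth=1 adds its immediate
    children, and so on, mirroring the Search depth setting.
    """
    snap = {}

    def visit(path, level):
        st = os.lstat(path)
        snap[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
        if level < depth and stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name), level + 1)

    visit(root, 0)
    return snap


def permission_changes(before, after):
    """Return the paths whose permission metadata differs between two polls."""
    return sorted(p for p in before if p in after and before[p] != after[p])


def demo():
    """Constructed sample: one folder, one file, one change to each."""
    with tempfile.TemporaryDirectory() as root:
        child = os.path.join(root, "report.txt")
        open(child, "w").close()
        os.chmod(root, 0o750)
        os.chmod(child, 0o640)
        base0, base1 = snapshot(root, 0), snapshot(root, 1)

        os.chmod(child, 0o666)  # permission change on the contents only
        missed = permission_changes(base0, snapshot(root, 0))
        caught = permission_changes(base1, snapshot(root, 1))

        os.chmod(root, 0o777)   # permission change on the folder itself
        folder = permission_changes(base0, snapshot(root, 0))
        return root, child, missed, caught, folder


if __name__ == "__main__":
    print(demo())
```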