Stealthbits ProTip: Filter out Event Noise with Stealthbits File Activity Monitor (SFAM)

Stealthbits File Activity Monitor

The Stealthbits File Activity Monitor has multiple configuration options to filter out noisy event operations from file servers. For example, Windows® native logs are typically big offenders when it comes to logging these noise events, creating more than 200 log entries when a user creates, reads, modifies, and then saves a file.

The sFAM utility filters those operations into a more human-readable, event audit trail for those file operations.

The sFAM utility also includes many scoping options to control total collected file operations. On the Log Files tab, ‘Suppress subsequent read operations’ will filter multiple read operations on the same files within the same folder, drastically reducing the number of events logged by users performing day-to-day tasks.

Other scoping options to filter out noise events included in the SFAM configuration UI are the ability to include or exclude specific shares, filter out file operations from specific Active Directory users, or even exclude entire processes from having their activity collected. This is hugely beneficial when file backup or archiving processes are running where a large amount of data from a single account, path, or process will be collected.

SFAM also has the ability to export these events to be consumed via SIEM solutions. These configuration options are available in the Syslog tab, which contains multiple templates, or you can configure your own macro strings to customize the output!

Stealthbits has also built several SIEM solution-specific applications that can be downloaded from the SIEM vendors application stores, such as Splunk’s “Splunkbase” or IBM’s “Security App Exchange”.

To learn more about Stealthbits File Activity Monitor, click here: https://www.stealthbits.com/products/stealthbits-file-activity-monitor

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*