I'm new to system administration and need some advice. We have shared folders on a Windows Server using DFS, accessed by about 300 active users, with a total data size of around 7–8 TB. I want to set up monitoring for these folders to get alerts for any suspicious activities like data exfiltration or large file transfers. I'm looking for cost-effective solutions. I tested Wazuh for file integrity monitoring, but it only tracks general file changes without alerting me about large transfers. Microsoft Defender XDR didn't meet my needs either, as it focuses on file changes instead of monitoring file downloads or copying. What low-cost options do you suggest for this situation?
4 Answers
Agreed, Almond Monitor is the way to go. Just keep in mind you’ll need to handle the scripting yourself to create the alerts for the situations you’re worried about.
A very cost-effective approach would be to use a SIEM to collect Event ID 5145/4663 logs. You can set it up to trigger alerts if an account generates more than a set number of read events in a short timeframe for a specific share or folder.
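As an added illustration of the rule that answer describes (this is example code written for this page, not code from the thread or from any SIEM product): a sliding-window counter over Windows Security events that raises one alert when an account exceeds a read-count threshold on a single share within a short window. It assumes a normalised `key=value` line form such as a SIEM would produce after field extraction; the sample lines, the 60 s window, the threshold of 5 and the `Share` field on the 4663 lines (a real 4663 carries only the local path, so the share would have to be derived by the collector) are all constructed assumptions.

```python
"""Read-burst detection over Windows Security events 5145 / 4663.

Example code added to this page, not the answer's own tooling. Models the rule
"more than N read events by one account on one share within T seconds".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

READ_DATA = 0x1                 # ReadData / ListDirectory bit in the audit AccessMask
READ_EVENT_IDS = {5145, 4663}   # 5145 = detailed file share access, 4663 = file system object access

# Constructed, SIEM-normalised lines (not a real capture). Field names are assumptions.
SAMPLE_LOG = r"""
2024-05-01T09:00:01 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\a.xlsx AccessMask=0x1
2024-05-01T09:00:02 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\b.xlsx AccessMask=0x1
2024-05-01T09:00:03 EventID=4663 Subject=CORP\alice Share=\\*\Finance Object=D:\Finance\Q1\c.xlsx AccessMask=0x1
2024-05-01T09:00:04 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\d.xlsx AccessMask=0x2
2024-05-01T09:00:05 EventID=5145 Subject=CORP\bob Share=\\*\Finance Object=\Q1\a.xlsx AccessMask=0x1
2024-05-01T09:00:10 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\e.xlsx AccessMask=0x1
2024-05-01T09:00:20 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\f.xlsx AccessMask=0x1
2024-05-01T09:00:30 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\g.xlsx AccessMask=0x1
2024-05-01T09:00:40 EventID=5145 Subject=CORP\bob Share=\\*\HR Object=\policy.docx AccessMask=0x1
2024-05-01T09:05:00 EventID=5145 Subject=CORP\alice Share=\\*\Finance Object=\Q1\h.xlsx AccessMask=0x1
"""


def parse_event(line):
    """Turn one normalised line into a dict with typed fields."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(ev["EventID"]),
        "account": ev["Subject"],
        "share": ev["Share"],
        "object": ev["Object"],
        "mask": int(ev["AccessMask"], 16),
    }


def is_read(ev):
    """Only object-access events whose mask includes ReadData count as reads."""
    return ev["event_id"] in READ_EVENT_IDS and bool(ev["mask"] & READ_DATA)


def detect_read_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (account, share) burst exceeding `threshold` reads in `window`.

    After an alert the pair is muted until its in-window read count drops back
    to the threshold or below, so a sustained copy does not alert on every event.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent = defaultdict(deque)   # (account, share) -> timestamps still inside the window
    muted = set()
    alerts = []
    for ev in events:
        if not is_read(ev):
            continue
        key = (ev["account"], ev["share"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # evict reads older than the window
            q.popleft()
        if len(q) > threshold:
            if key not in muted:
                muted.add(key)
                alerts.append({
                    "account": ev["account"],
                    "share": ev["share"],
                    "reads": len(q),
                    "first": q[0],
                    "last": ev["time"],
                })
        else:
            muted.discard(key)
    return alerts


if __name__ == "__main__":
    for a in detect_read_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['account']} read {a['reads']} objects on {a['share']} "
              f"between {a['first'].time()} and {a['last'].time()}")
```

With the sample data only `CORP\alice` on `\\*\Finance` trips the rule (six reads inside 29 seconds; the 0x2 write and the read five minutes later do not count), while `CORP\bob` stays quiet. In production the thresholds need to be set per share from observed baselines, since 5145 is emitted for every share access check once "Audit Detailed File Share" is enabled and is very noisy on a 300-user DFS namespace, and 4663 only appears for objects that carry a SACL under "Audit File System". Neither event records bytes transferred, so this is a proxy for "large transfer" by object count, not by volume.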
Consider using Almond Monitor; it’s completely free! You’ll need to write some custom scripts to monitor the specific scenarios you’re interested in, but it could be a good solution.
One of the cheapest options is ADrAudit from ManageEngine. It should cover many of your needs without breaking the bank.

Seems like half the people here are pushing Almond. Are you all affiliated with that software or something?