alex987
Level 2
12 years ago

Listing contents of folder counts as READ for all files

When a user lists the contents of some folder, Data Insight generates a READ event for all files in that folder. Is this normal? Maybe there is a way to fix it? It's not very informative: for example, if we have a data owner policy which counts read+write events, and some user frequently opens a shared folder, he becomes the inferred owner of all files in that folder, not only those he uses.

  • Alex -

    When capturing events and reporting on READ, the behavior is normal if Windows Explorer does a preview like thumbnails in the GUI. As an example, if Windows Explorer in the GUI form is opened on a folder, then the contents of the folder are all read to populate the GUI with the thumbnail, file name, and date information. This is due to the Operating System and is only captured by the application.

    If the Administrator only requires the events related to certain types of audit trails be available during the policy it could be create, modify or write to avoid the read.

     

    The Workspace Data Owner Policy may also be configured to use a count that is dependent on READ with either  which can affect the effective owner if there is an application like backup that runs on the storage against the file system hosting the share being monitored. By default, Data Insight infers owners of files or folders based on the access history. The most active user of a file is considered to be the data owner for the purpose of efficient remediation and data management.

    You have not identified the device you are monitoring, but the likelihood that it is a Windows NAS device or a CIFS share on NetApp or Celerra, which are affected by the Windows Operating System behavior, leaves you with a few other choices. You can define a global policy to infer the owners of files or folders based on one of the following criteria:

    • The number of read events on the file or folder.

    • The number of write events on the file or folder.

    • The cumulative count of read and write events on the file or folder.

    • The creator of the file or folder.

    • The user account which last accessed the file or folder.

    • The user account which last modified the file or folder.

    Let me know if that helps you see why this is happening to your audit events.

    Rod
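The effect discussed in this thread, as an added example that is not part of the original posts and is not Data Insight code: a small simulation of the six owner-inference criteria listed above, run over constructed audit events in which one user only browses the folder. The event tuples, user names, and the way each criterion is scored (for instance, that CREATE is not counted as a write) are assumptions made for illustration.

```python
from collections import Counter

FILES = ["/share/report.docx", "/share/budget.xlsx"]

def build_events():
    """Constructed sample events as (time, user, op, path); not real audit output."""
    ev = [(1, "alice", "CREATE", FILES[0]), (2, "carol", "CREATE", FILES[1])]
    t = 3
    for _ in range(3):              # real work: each author edits her own file
        ev.append((t, "alice", "WRITE", FILES[0])); t += 1
        ev.append((t, "carol", "WRITE", FILES[1])); t += 1
    for _ in range(5):              # bob opens the folder five times; each
        for f in FILES:             # listing is recorded as a READ on every file
            ev.append((t, "bob", "READ", f)); t += 1
    return ev

def most_active(events, path, ops):
    """User with the highest count of the given operations on path."""
    counts = Counter(u for _, u, op, p in events if p == path and op in ops)
    return counts.most_common(1)[0][0] if counts else None

def last_user(events, path, ops):
    """User behind the most recent event of the given operations on path."""
    hits = [(ts, u) for ts, u, op, p in events if p == path and op in ops]
    return max(hits)[1] if hits else None

# Hypothetical scoring for each criterion named in the answer above.
CRITERIA = {
    "reads":         lambda e, p: most_active(e, p, {"READ"}),
    "writes":        lambda e, p: most_active(e, p, {"WRITE"}),
    "reads+writes":  lambda e, p: most_active(e, p, {"READ", "WRITE"}),
    "creator":       lambda e, p: last_user(e, p, {"CREATE"}),
    "last accessed": lambda e, p: last_user(e, p, {"READ", "WRITE", "CREATE"}),
    "last modified": lambda e, p: last_user(e, p, {"WRITE"}),
}

def infer_owners(events, criterion):
    """Map each file to the owner the chosen criterion would infer."""
    return {p: CRITERIA[criterion](events, p) for p in FILES}

if __name__ == "__main__":
    events = build_events()
    for name in CRITERIA:
        print(f"{name:14} {infer_owners(events, name)}")
```

In this sample, every criterion that counts READ events or last access names the browsing user as owner of both files, while the write-based and creator criteria name the users who actually worked on each file.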

  • Alex987,

     

    Did you get a response to your question? I am curious about the issue too, as many users open folders. When they do, getting a "read" event for all the files and data contained in the folder isn't helpful at all.

     

     

  • Hi @Alex987 and @ndaniel71,

    I noticed you both have this question, and am escalating to our Support team to see if they have any insights that they can share.

     
