File Access Use Cases

Grouped by Detection Method

Match Alert

NTDS.dit

Aggregate Count

Access of .ost, .pst files (Outlook Email Archives)

Blacklist Alert

A business confidential file is accessed

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

Windows Security Event ID 4656: A handle to an object was requested
Host-Based IPS Signatures
Cloud Bucket Logs

Possible False Positives