File Monitoring

This MOF file monitors files created on drive E: (change it to any drive you want) and sends an e-mail message to SecurityTeam@Domain.Com with the file information.

// 1. Change the context to Root\Subscription namespace
//    All standard consumer classes are
//    registered there.
#pragma namespace("\\\\.\\root\\subscription")

// 2. Create an instance of __EventFilter class
//    and use its Query property to store
//    your WQL event query.
//    WITHIN 5 polls every 5 seconds; polling CIM_DataFile
//    across a whole drive can be expensive on large volumes.
instance of __EventFilter as $EventFilter
{
    Name  = "File Copy Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "SELECT * From __InstanceCreationEvent WITHIN 5 Where "
            "TargetInstance ISA \"CIM_DATAFile\" And TargetInstance.Drive=\"E:\" ";
    QueryLanguage = "WQL";
};

// 3. Create an instance of __EventConsumer
//    derived class. (ActiveScriptEventConsumer,
//    SMTPEventConsumer etc...)
instance of SMTPEventConsumer as $Consumer
{
    Name = "File Copy SMTP Consumer";
    FromLine = "Administrator@Domain.Com";
    Message = "A File Named %TargetInstance.FileName% Was Copied to Drive %TargetInstance.Drive%\n"
              "Probably a USB Device";
    SMTPServer = "SMTPSRV.Domain.Com";
    Subject = "File Copy to USB on Computer %TargetInstance.CSName%";
    ToLine = "SecurityTeam@Domain.Com";
};

// 4. Join the two instances by creating
//    an instance of __FilterToConsumerBinding
//    class.
instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer   = $Consumer;
};
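
To confirm the subscription registered, the PowerShell below (an added example, not part of the original script) lists every filter-to-consumer binding in root\subscription and marks the one this MOF creates. It assumes the MOF has already been compiled on the machine (for example with mofcomp.exe) and that the session is elevated.

```powershell
# Added example: audit permanent WMI event subscriptions after compiling the MOF.
# Assumption: run in an elevated session on the machine where the MOF was compiled.
$ns = 'root/subscription'

# Index the filters by their key property (Name) so bindings can be joined to them.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# A binding holds two references; each comes back with its key property (Name) filled in.
$report = @(foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    $f = $filters[$b.Filter.Name]
    $consumerClass = $b.Consumer.CimSystemProperties.ClassName
    [pscustomobject]@{
        Filter         = $b.Filter.Name
        EventNamespace = $f.EventNamespace
        Query          = $f.Query
        ConsumerClass  = $consumerClass
        Consumer       = $b.Consumer.Name
        # True only for the filter/consumer pair defined in the MOF above.
        FromThisMof    = ($b.Filter.Name -eq 'File Copy Filter' -and
                          $consumerClass -eq 'SMTPEventConsumer' -and
                          $b.Consumer.Name -eq 'File Copy SMTP Consumer')
    }
})

$report | Format-List

if ($report | Where-Object { $_.FromThisMof }) {
    'File Copy Filter is bound to File Copy SMTP Consumer.'
} else {
    Write-Warning 'Expected binding not found: the MOF did not compile or was removed.'
}

# Every other binding was created by something else and deserves a look.
$other = @($report | Where-Object { -not $_.FromThisMof })
if ($other.Count -gt 0) {
    Write-Warning "$($other.Count) other permanent subscription(s) present:"
    $other | Select-Object Filter, ConsumerClass, Consumer, Query | Format-Table -Wrap
}
```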