File Monitoring

This MOF file monitors files created on drive E: (change it to any drive you want)

and sends an e-mail message to SecurityTeam@Domain.Com with the file information.


// 1. Change the context to the Root\Subscription namespace.
//    All standard consumer classes are registered there.

#pragma namespace("\\\\.\\root\\subscription")

// 2. Create an instance of the __EventFilter class
//    and use its Query property to store your WQL event query.
//    WITHIN 5 polls for new CIM_DataFile instances every 5 seconds.

instance of __EventFilter as $EventFilter
{
    Name  = "File Copy Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE "
            "TargetInstance ISA \"CIM_DataFile\" AND TargetInstance.Drive=\"E:\" ";
    QueryLanguage = "WQL";
};

// 3. Create an instance of an __EventConsumer-derived class
//    (ActiveScriptEventConsumer, SMTPEventConsumer, etc.).
//    %TargetInstance.<property>% placeholders are filled from the matched event.

instance of SMTPEventConsumer as $Consumer
{
    Name = "File Copy SMTP Consumer";
    FromLine = "Administrator@Domain.Com";
    Message = "A File Named %TargetInstance.FileName% Was Copied to Drive %TargetInstance.Drive%\n"
              "Probably a USB Device";
    SMTPServer = "SMTPSRV.Domain.Com";
    Subject = "File Copy to USB on Computer %TargetInstance.CSName%";
    ToLine = "SecurityTeam@Domain.Com";
};

// 4. Join the two instances by creating an instance
//    of the __FilterToConsumerBinding class.

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer   = $Consumer;
};
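As an added example (not part of the original post), the PowerShell below first dry-runs the same WQL query as a temporary subscription, then verifies that the three permanent instances exist after the MOF has been compiled with mofcomp.exe, and finally lists every binding in root\subscription so unexpected subscriptions can be reviewed. It assumes the filter and consumer names from the MOF above and an elevated session.

```powershell
# Added example, not part of the original post. Assumes the MOF above was
# compiled with mofcomp.exe and that its Name values were not changed.
$ns = 'root\subscription'

# 1. Dry-run the WQL query as a temporary (process-lifetime) subscription.
#    A malformed query (for example a misspelled property name) errors out
#    here instead of compiling cleanly and then never firing.
$query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 ' +
         'WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "E:"'
Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier 'FileCopyTest' -Action {
        $f = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("Created: {0} on {1} ({2})" -f $f.Name, $f.Drive, $f.CSName)
    }
# Copy a file to E:\ and watch the console, then remove the temporary subscription:
# Unregister-Event -SourceIdentifier 'FileCopyTest'

# 2. Confirm the filter, consumer and binding from the MOF are all present.
$filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
            Where-Object Name -eq 'File Copy Filter'
$consumer = Get-CimInstance -Namespace $ns -ClassName SMTPEventConsumer |
            Where-Object Name -eq 'File Copy SMTP Consumer'
$binding  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
            Where-Object { $_.Filter.Name -eq 'File Copy Filter' }
if (-not ($filter -and $consumer -and $binding)) {
    Write-Warning 'File copy subscription is incomplete; re-run mofcomp and check its output.'
}

# 3. Review every permanent binding on the host. These survive reboots, so
#    any filter/consumer pair you did not register yourself deserves a look.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    $flt = $_.Filter
    $con = $_.Consumer
    [pscustomobject]@{
        Filter       = $flt.Name
        Query        = (Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                        Where-Object Name -eq $flt.Name).Query
        ConsumerType = $con.CimClass.CimClassName
        Consumer     = $con.Name
    }
} | Format-Table -AutoSize

# 4. Remove the page's subscription when it is no longer needed.
# $binding, $consumer, $filter | Remove-CimInstance
```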
