Greetings ExtraHop Forum users, my name is Matt, and I'm hoping you can assist me.
I have begun writing a trigger to capture file and folder access 'by user' in a CIFS environment.
The idea is that I can create a white and black list of users that can trigger an alarm based on their access level.
The issue I have is that once a user is authenticated, their username then displays as \Pre-Login. (I know you are all quite well aware of this fact.)
My question is this:
Is there any way to tie a user back via a CIFS session ID or some such, to then translate \Pre-Login back to the correct user?
If not, I cannot see how I can make ExtraHop monitor file and folder usage using a white / black list methodology.
Any and all suggestions are welcome.