Tuesday, April 3, 2018

WINDOWS. GPO. Example Audit Files and folders


[ ] Create GPO: (gpmc.msc)


[ ] Assign the GPO to the OU


[ ] Configure the different audit checks

Go to resource


[ ] To force the check on the server: gpupdate /force

[ ] To view the audit events, look in the Security tab



You can configure a task to send an email alert when these events occur








The event ID to monitor:

Get-EventLog -LogName Security -InstanceId 4663 -Newest 1




The script:

$SmtpServer = "10.10.10.10"
$To = "Support@MYCOMPANY.ES"
$From = "NAS_Alert@MYCOMPANY.ES"

# Read the newest 4663 event once, so the check and the email use the same event
$Event = Get-EventLog -LogName Security -InstanceId 4663 -Newest 1

# Send the alert only when an event exists and its message does not contain "C:\"
if ($Event -and !($Event | Where-Object {$_.Message -like "*C:\*"}))
{
    # Store the newest log into email body
    $EmailBody = "** Script generado en FILE_SERVER01 cada vez que se accede a un recurso compartido **" + "`r`n`t" + "===================================================" + "`r`n`t" + "Fecha y Hora: " + $Event.TimeGenerated + "`r`n`t" + "===================================================" + "`r`n`t" + " Mensaje: " + "`r`n`t" + " " + "`r`n`t" + $Event.Message

    # Email subject
    $EmailSubj = "MYCOMP NAS - FILE_SERVER01 - Access to Infrastructure Folder"

    # Create SMTP client
    $SMTPClient = New-Object Net.Mail.SMTPClient($SmtpServer)
    # $SMTPClient.EnableSSL = $true

    # Get the credentials
    # $SMTPClient.Credentials = New-Object System.Net.NetworkCredential($UserName, $PassWord);

    # Create mailmessage object
    $emailMessage = New-Object System.Net.Mail.MailMessage
    $emailMessage.From = "$From"

    # Add each recipient ($To may hold one address or several)
    foreach ($EmailTo in $To)
    {
        $emailMessage.To.Add($EmailTo)
    }

    $emailMessage.Subject = $EmailSubj
    $emailMessage.Body = $EmailBody

    # Send email
    $SMTPClient.Send($emailMessage)
}
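
An added example, not part of the original post: instead of matching text anywhere in the newest event's message, it reads the named fields of each 4663 event and keeps only accesses under one folder. The folder path, the helper function names and the sample events are assumptions constructed for illustration.

```powershell
# Hypothetical folder to watch; replace with the audited resource.
$WatchedPath = 'D:\Shares\Infrastructure'

# File access-mask bits that event 4663 reports in its AccessMask field.
$AccessBits = @{ 0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'
                 0x10000 = 'DELETE'; 0x40000 = 'WRITE_DAC'; 0x80000 = 'WRITE_OWNER' }

# Turn the XML of one 4663 event into an object with the fields an alert needs.
function ConvertFrom-Event4663 {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    [pscustomobject]@{
        TimeUtc = $x.Event.System.TimeCreated.SystemTime
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object  = $data['ObjectName']
        Process = $data['ProcessName']
        Access  = ($AccessBits.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                   ForEach-Object { $AccessBits[$_] }) -join ','
    }
}

# Constructed sample event (not real log data), trimmed to the fields used above.
function New-SampleEvent($User, $Object, $Mask) {
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4663</EventID><TimeCreated SystemTime='2018-03-23T10:15:00Z'/></System>
 <EventData>
  <Data Name='SubjectUserName'>$User</Data>
  <Data Name='SubjectDomainName'>MYCOMPANY</Data>
  <Data Name='ObjectName'>$Object</Data>
  <Data Name='ProcessName'></Data>
  <Data Name='AccessMask'>$Mask</Data>
 </EventData>
</Event>
"@
}

# Live use (elevated session): Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} |
#   ForEach-Object { ConvertFrom-Event4663 -EventXml $_.ToXml() }
$Hits = @(
    New-SampleEvent 'jdoe'   'D:\Shares\Infrastructure\network-diagram.vsd' '0x1'
    New-SampleEvent 'asmith' 'D:\Shares\Public\menu.pdf'                    '0x10000'
) | ForEach-Object { ConvertFrom-Event4663 -EventXml $_ } |
    Where-Object { $_.Object -and $_.Object.StartsWith("$WatchedPath\", [StringComparison]::OrdinalIgnoreCase) }
$Hits | Format-Table -AutoSize
```

With the two sample events, only the access by MYCOMPANY\jdoe under the watched folder remains in `$Hits`; that object can then be placed in the email body in place of the raw message text.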


The result


Checked on Windows 2012R2
by GoN | Published: March 23, 2018 | Last Updated: