NetApp Knowledge Base

FAQ: Storage Workload Security Forensics Activity

Category:
data-infrastructure-insights
Specialty:
oci
Last Updated:
8/30/2024, 3:46:55 PM

Applies to

Cloud Insights (CI)

Storage Workload Security (SWS)

Answer

Q: Is SWS Forensics activity (user activity / audit trail) available if the FPolicy agent server is down, disconnected, or disabled?
A: No.

Q: Is SWS Forensics activity (user activity / audit trail) available in the FPolicy agent server logs?
A: No. Forensics activity can only be pulled from the tenant's Forensics activity page, which fetches the information directly from the backend database.

Q: Can SWS Forensics activity (user activity / audit trail) be filtered and pulled into a CSV file?
A: Yes. You can filter for "31 days" of activity at a time using the "custom" filter.

Q: What information does SWS Forensics activity audit?
A: Only CIFS (SMB) / NFS operations, and only if both are enabled on the SWS data collector.

Q: Define a CIFS operation.
A: A customer working on a CIFS share and reading, writing, or deleting a file or folder.

Q: If a file or folder is deleted using System Manager > Volume > File System > Explorer page > API, will SWS Forensics activity show the "delete" operation?
A: No. SWS will not audit API operations. You will, however, find the "delete" operation in the ONTAP cluster logs.

Q: If a file or folder is deleted using the PowerShell CLI on a CIFS/SMB share, will SWS Forensics activity show the "delete" operation?
A: Yes. SWS will show the "delete" operation.

Q: If a file or folder is deleted using the PowerShell API on a CIFS/SMB share, will SWS Forensics activity show the "delete" operation?
A: No. SWS will not audit API operations. You will, however, find the "delete" operation in the ONTAP cluster logs.

Q: If a file or folder is deleted using the cluster CLI [system shell], will SWS Forensics activity show the "delete" operation?
A: No.

Q: If a file or folder is deleted using the cluster CLI [node shell], will SWS Forensics activity show the "delete" operation?
A: No.

Q: How to prevent users from deleting files and directories in ONTAP System Manager?
A: See: How to prevent users from deleting file and directories in ONTAP System Manager using RBAC for FSA
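Because the "custom" filter exports at most 31 days of Forensics activity per CSV pull, an analyst who needs the audit trail for several months has to split the period into consecutive windows and export each one. The Python helper below is an added example, not part of this KB article or of the SWS product: it splits an inclusive date range into windows of at most 31 days and verifies that the windows tile the range with no gaps or overlaps. It assumes that the filter treats both its start and end dates as inclusive (an assumption; the article does not say), and the sample dates are constructed.

```python
from datetime import date, timedelta

# From the FAQ: the "custom" filter on the Forensics activity page covers at
# most 31 days of activity per CSV export.
MAX_WINDOW_DAYS = 31


def export_windows(start: str, end: str, max_days: int = MAX_WINDOW_DAYS) -> list[tuple[str, str]]:
    """Split the inclusive date range start..end (ISO "YYYY-MM-DD" strings)
    into consecutive, non-overlapping windows of at most max_days calendar
    days. Each window is returned as an (inclusive start, inclusive end) pair.

    Assumption (not stated in the KB article): the custom filter treats both
    its start and end dates as inclusive, so a 31-day window runs from day D
    to day D+30.
    """
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if last < first:
        raise ValueError("end date is before start date")
    if max_days < 1:
        raise ValueError("max_days must be at least 1")

    windows = []
    cursor = first
    while cursor <= last:
        # The final window is cut short at the range end instead of overshooting it.
        window_end = min(cursor + timedelta(days=max_days - 1), last)
        windows.append((cursor.isoformat(), window_end.isoformat()))
        cursor = window_end + timedelta(days=1)
    return windows


def verify_windows(windows, start: str, end: str, max_days: int = MAX_WINDOW_DAYS) -> bool:
    """Check that the windows exactly tile start..end: no gaps, no overlaps,
    and no window longer than max_days. Returns True when the tiling is complete."""
    if not windows:
        return False
    expected_next = date.fromisoformat(start)
    for w_start, w_end in windows:
        ws, we = date.fromisoformat(w_start), date.fromisoformat(w_end)
        if ws != expected_next or we < ws:
            return False  # gap, overlap, or inverted window
        if (we - ws).days + 1 > max_days:
            return False  # window is longer than the filter will export
        expected_next = we + timedelta(days=1)
    return expected_next == date.fromisoformat(end) + timedelta(days=1)


if __name__ == "__main__":
    # Constructed sample: one quarter of activity to export.
    plan = export_windows("2024-01-01", "2024-03-31")
    for w_start, w_end in plan:
        print(f"custom filter: {w_start} to {w_end}")
    print("tiling complete:", verify_windows(plan, "2024-01-01", "2024-03-31"))
```

Run the plan once, then enter each window as the custom filter's start and end dates and export the CSV; the verify step is there so a mis-typed window (a skipped day, or a 32-day span the filter would reject) is caught before the exports are merged.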
Q: Do we need CIFS auditing, and how do we enable it?
A: CIFS auditing can be enabled in parallel to SWS. See:

Is it recommended to set audit policy through SLAG

How to set up CIFS auditing in ONTAP 9

Related SWS Forensics documentation:

SWS Forensic User Overview
SWS Forensics - All Activity
SWS Forensic User Activity Data
SWS Forensic Entities Page

Collect packet traces from Fpolicy Agent and ONTAP Simultaneously

NOTE: If you see the issue occurring, collect the packet traces from both ends at that time. Traces captured while the issue is in progress help troubleshooting tremendously.

ONTAP: How to use debug network tcpdump in ONTAP 9.10+
FPolicy Agent: How to capture client side packet trace from Red Hat Linux

Additional Information

N/A

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.