Auditing Shadow Copy Activity - Creation not logged

Hello,


I use Change Auditor v6.9.2.


Regarding common attacks on Active Directory (AD), I would like to know when a Shadow Copy (SC) is created/deleted on my Domain Controller (DC).
A backup that uses SC runs every day on my DC, so I can check the results of my configuration every day.

 

Currently I use the "Exclude Account" modules to audit my DC, as you can see below:

I activated "Shadow Copy Created/Deleted/Rolled Back" in the "Auditing/Audit Events" menu:

This configuration gives me alerts on SC Deleted but never on SC Created.

I tried to add the File System auditing module, but it didn't work any better, and the SC Deleted events disappeared when the File System module was activated.

 

Do you know how to properly audit SC activity?
Did I miss an option or misunderstand something about SC?

 
Thanks for your help.

  • Hi Adrien,

    As mentioned, it seems this is a known issue. I have included the defect details below.

    Defect ID 21826: File system auditing Shadow copy events missing or have wrong value recorded for Path

    There is no ETA available at the moment for when this issue will be resolved. I would advise opening a Support case for further investigation if desired.

    Regards,
    Chris