Shared Folders Event Monitor Reference Guide

Shared Folders Event Monitor

Checks your network devices for shared folders.

Overview

This event monitor checks your network devices for shared folders. It has options to alert based on the number of readable and writable shares and can alert if it detects any changes to the list of shares. Shared folders can represent security risks, especially if they have not been adequately secured with file system permissions. It's easy for end users or IT professionals to create shares to move data from one location to another and then forget to remove them. This event monitor provides a great way to detect both old shares and new ones that have been recently added.

Use Cases

  • Finding folders that may have been inadvertently shared
  • Finding folders with write permissions
  • Ensuring that known shared folders are available

Monitoring Options

This event monitor provides the following options:

Alert with [Info/Warning/Error/Critical] if readable shares are found

This option tells the event monitor to check each network device for readable shares. A readable share is any shared folder that can be accessed and whose directory can be read.

Alert with [Info/Warning/Error/Critical] if writable shares are found

This option tells the event monitor to check each network device for writable shares. A writable share is any shared folder that the event monitor was able to connect to and in which it was able to write data to a test file. To perform this test, the event monitor attempts to create and write to a file called "FrameFlowTestFile.txt". When the test is complete, the file is removed.

Alert with [Info/Warning/Error/Critical] if the list of shares has changed since the last check

With this option selected the event monitor will compare the list of shares it found with the list that was found on the last run. If it has changed in any way, it will alert with the selected event level.

Alert if more than a specified number of shares are found

Use this option to alert based on the total number of shares that were detected.

Ignore administrative shares (ipc$, c$, d$, etc)

Most Windows systems include administrative shares for each physical drive and some other network properties. By default, these are hidden and only accessible by administrators. Use this option to exclude them from the event monitor's checks.

Ignore hidden shares (any share ending with $)

Any share whose name ends in a dollar sign is hidden by Windows but still accessible to anyone who knows the share's name and has adequate permissions to access it. Use this option to tell the event monitor to ignore hidden shares.

Ignore the following shares [list of shares]

Enter a list of share names that the event monitor should ignore. To specify multiple share names, separate them with commas.
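
The following added example (not FrameFlow's code, and not part of the original guide) shows how the ignore options, the change check, and the share-count threshold described above combine for one device. The function names, the sample share names, and the definition of "administrative share" (drive-letter shares plus ADMIN$ and IPC$) are assumptions made for illustration.

```python
import re

# Assumption: "administrative" means drive-letter shares (C$, D$, ...) plus
# ADMIN$ and IPC$; the product's exact list is not given on this page.
ADMIN_SHARE = re.compile(r"^(?:[a-z]|admin|ipc)\$$", re.IGNORECASE)


def filter_shares(shares, ignore_admin=False, ignore_hidden=False, ignore_list=""):
    """Apply the three ignore options to a device's share names."""
    # The ignore list is a comma-separated string, as in the option above.
    ignored = {n.strip().lower() for n in ignore_list.split(",") if n.strip()}
    kept = []
    for name in shares:
        if name.lower() in ignored:
            continue
        if ignore_hidden and name.endswith("$"):
            continue  # covers administrative shares too, since they end in $
        if ignore_admin and ADMIN_SHARE.match(name):
            continue
        kept.append(name)
    return kept


def evaluate(current, previous, max_shares=None):
    """Compare this run with the last one and check the count threshold."""
    cur = {s.lower() for s in current}   # share names are case-insensitive
    prev = {s.lower() for s in previous}
    return {
        "added": sorted(cur - prev),
        "removed": sorted(prev - cur),
        "changed": cur != prev,
        "over_limit": max_shares is not None and len(cur) > max_shares,
        "share_count": len(cur),
    }


# Constructed sample data: share names from two consecutive checks of one device.
LAST_RUN = ["C$", "ADMIN$", "IPC$", "Finance", "Scans"]
THIS_RUN = ["C$", "ADMIN$", "IPC$", "Finance", "backup$", "Temp-Migration"]

if __name__ == "__main__":
    opts = dict(ignore_admin=True, ignore_list="Scans")
    result = evaluate(filter_shares(THIS_RUN, **opts),
                      filter_shares(LAST_RUN, **opts), max_shares=2)
    print(result)
```

With only administrative shares ignored, the hidden share "backup$" still appears as newly added; ignoring all hidden shares would suppress it, which is worth weighing before enabling that option.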

Authentication and Security

The account used for authentication must have permission to access the file shares.

Protocols

Data Points

This event monitor generates the following data points:

Data Point     Description
Share Count    The number of shares.
