I reviewed the 3 part series on monitoring for Crypto viruses and have set up my alerts for my file servers. I set the threshold for 50 files in 1 minute for any single user by setting:
Log - Security
Event Severity - Audit Success
Filter Settings - Include
Event Source - Microsoft-Windows-Security-Auditing
Event ID - 4663
Threshold - 25 in 1 minute
For Threshold Options I set to match events based on Insert String 1 so that I only get an alert when any 1 user writes 50 files. This works great except for one issue.
The issue I am seeing is that we have some report utilities that can export files to Excel and other formats. When they do this, they appear to write the Excel file block by block which can cause about 100 write actions for a single file and this ends up triggering the alert.
Is there an additional way I can filter the events so that I am only counting 50 unique files written in 1 minute? http://www.eventsentry.com/blog/2016/03/defeating-ransomware-with-eventsentry-auditing.html
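As an added illustration (not EventSentry's code and not part of the original post), the following Python counts distinct object names per user inside a sliding 1-minute window over 4663 write events instead of counting every event; the sample records, user names and paths are constructed, and the block-by-block Excel export case from above is included to show it no longer trips the threshold while 50 different files still do.

```python
# Added example: distinct-file counting for Security 4663 events.
# Records are constructed in the shape (timestamp, subject user, object name, access mask).
from collections import defaultdict, deque
from datetime import datetime, timedelta

WRITE_MASK = 0x2            # WriteData / AddFile bit of the 4663 access mask
WINDOW = timedelta(minutes=1)
THRESHOLD = 50

# Constructed sample input (not real log data):
SAMPLE_EVENTS = (
    # a report utility writing ONE Excel file block by block: 100 writes, 1 file
    [(datetime(2016, 3, 1, 9, 0, 0) + timedelta(milliseconds=200 * i),
      "reportsvc", r"\\fs1\reports\sales.xlsx", WRITE_MASK) for i in range(100)]
    # one user writing 50 DIFFERENT files within a minute
    + [(datetime(2016, 3, 1, 9, 5, 0) + timedelta(seconds=i),
        "jdoe", rf"\\fs1\share\doc{i:03d}.docx", WRITE_MASK) for i in range(50)]
)

def write_burst_alerts(events, threshold=THRESHOLD, window=WINDOW, distinct=True):
    """Return [(user, time, count)] whenever a user's writes in the trailing
    window reach threshold. Events are grouped per subject user (the role
    insert string 1 plays in the original rule). With distinct=True the count
    is the number of different object names; with distinct=False it is the raw
    event count, i.e. the behaviour that fires on the Excel export."""
    recent = defaultdict(deque)      # user -> deque of (time, path) in window
    alerts = []
    for ts, user, path, mask in sorted(events):
        if not mask & WRITE_MASK:    # ignore reads and other access types
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        count = len({p for _, p in q}) if distinct else len(q)
        if count >= threshold:
            alerts.append((user, ts, count))
            q.clear()                # one alert per burst, then start over
    return alerts

if __name__ == "__main__":
    for user, ts, n in write_burst_alerts(SAMPLE_EVENTS):
        print(f"ALERT {ts} user={user} distinct_files={n}")
```

With `distinct=False` the constructed export of a single file raises two alerts; with the default distinct counting only the 50-file burst by `jdoe` does.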