Recording: File Tracking

File Tracking allows you to gather gather complete logs of file activity at locations where you store sensitive or confidential data.  Focus on select users for investigations or collect data on everyone who accesses the location. File Uploads, Downloads, and Printed are automatically captured without specifying a path. However, to capture Activity on a file (edits, renaming, etc.), you must specify the path to record.

You can view File Tracking activity in Data Explorer | Files and create Reports, Exports and Notifications from the File Tracking data.

NOTE: File names or paths matching configured Alert Words will trigger an Alert Word alert.

Configuring paths for File Tracking

By default, the agents will not monitor file events unless paths are explicitly entered in the recording policy settings. To configure File Activity tracking:

  1. Select Configuration Groups & Policies | Recording Policies and Add or Edit a policy.
    File Tracking Policy Settings Figure: File Tracking in Policy Settings
  2. Switch on File Tracking.
    Click  to open the right-panel settings.
  3. Type a path to monitor.
  • Use only folder level paths and not specific filenames.
  • Use either Windows or Mac-formatted paths.
  • The * wildcard is accepted in paths.
  • For a network drive, enter a UNC path.  For example to monitor a mpalmer's activity on a network drive, you would enter \\SERVERNAME\c$\USER\mpalmer.  
  • Paths are recursive and capture file events in all sub-directories.
  • Press Add to add the path.
  1. Check Ignore events.
    "Ignore events from system files" excludes tracking files commonly modified by applications, which don't represent the type of activity you are interested in.
  2. The policy captures ALL file events for the path you specify.
  • Actions (see below) on ALL files in the target folder are captured (except for ignored events).
  • There is no limit to the number of paths you can add.
  • The agent monitors file modification events but NOT folder modification events.

To edit a File Tracking folder

  1. Select the entry and press Delete Selected.
  2. Confirm the deletion.
  3. Enter the revised path and press Add.

To delete File Tracking Folders

  1. Select the entries to remove and press Delete Selected.
  2. Confirm the deletion. 

Specify a Mac file path

A wildcard is required to specify a path for recorded Mac devices.

Start with an asterisk (*) character. For example, to specify the Documents folder of the current user, enter */Documents.

*/Users/*/*/budget.*

*/Volumes/share/jsmith/Documents

*/Users/*/Documents

Activity captured

Track the following File events:

  • Created - A file was created on (or moved or copied to) a monitored path or drive.
  • Modified - A file was edited and saved, a new copy of the file was saved, or file properties were modified. The agent watches for a file timestamp update.  
  • Deleted - A file was deleted from a monitored path or drive.
  • Renamed - A file was renamed. The agent captures both the original File Name and the new File Name.

NOTE: Filenames matching configured alert words are detected as alert word "Alerts."

Figure: File Tracking Event - Changes were made to the file.

For each of the file events above, Interguard will capture the following data from the monitored user:

  • User Name and "Documents"
  • Timestamp - At the top of the event details: twhen event occurred
  • Device Name of the recorded device.
  • Action Type - (see above) Added (created), Deleted, Modified, Renamed, Renamed/Moved
  • Original Filename: Full folder/file name and directory of file. 
  • New Filename/Webmail Client: If renamed, moved or attached to webmail, the new folder/file name. 
  • Context: If Screenshots are available for the time period, they appear under"Context."
  • Comments: You can read, write comments, or set to investigate under "Comments."

Updated: 10/04/2023