This article explains how to create a custom report in ADAudit Plus to audit file and folder activities based on the specific process (for example, explorer.exe, powershell.exe) that performed the operation.
You must have access to the ADAudit Plus web console with an administrator account or a technician account with permissions to create custom reports.
File and folder auditing must be enabled on the target file servers, and ADAudit Plus must be configured to collect these events.
Sufficient data retention must be configured in ADAudit Plus to ensure historical data is available for the desired reporting period.
From the left pane, click Custom Report, then click Create Custom Report.
Enter a relevant Name and Description (for example, "File Activity by Process Name") and select the appropriate Domain.
Select the desired report type based on your requirements.
Tabular View: Displays data in a simple table format.
Graphical View: Presents data using various chart types for visual analysis.
Summary View: Shows grouped data with subtotals for easier interpretation.
Pivot View: Summarizes data in a grid format with both horizontal and vertical.
Under Select Report Category, choose File Activity.
Under Selected Sub Module(s), choose the specific activities you want to monitor (for example, Files Created, Files Modified, Files Deleted).
Click Next.
Choose the columns to be displayed. Ensure that Process Name is one of the selected columns.
If you want to include a chart in the custom report, expand the Charts section, then select the Graph Type, and specify how you want to group by X-axis.
Under the Filters section, click Add Filter.
Configure the filter to target the specific process. Set the filter to:
Process Name | equals | [Type the exact process name, for example, powershell.exe].
Expand the Scheduler section and set the desired frequency for generating the report. If you'd like the custom report to be emailed each time the schedule runs, enable the Email this scheduled Report option.
You can also set the privacy of the custom report to define who can view it, choosing between public or private.
Finally, select the folder in ADAudit Plus where you want the report to be saved.
Click Save to create the custom report.
Confirm that the Process Name column is visible and contains the correct information for each event.
This report is highly effective for security investigations. For example, filtering for powershell.exe can help identify file modifications performed by scripts, which could be part of a ransomware attack.
You can add a second filter for Computer Name to narrow down the report to activities on specific critical servers.
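To cross-check the Process Name column when validating the report, the same events can be read directly from the Security log on the audited file server. This PowerShell script is an added example, not part of ADAudit Plus or the original article; it assumes the server records Windows Security event 4663 for the audited folders, and the 24-hour window and variable names are chosen here for illustration.

```powershell
# Added example: list file-access events (4663) performed by one process.
# Run in an elevated session on the audited file server.
$ProcessLeaf = 'powershell.exe'            # same value as the report's Process Name filter
$Since       = (Get-Date).AddHours(-24)    # assumed look-back window

# Event ID 4663 = "An attempt was made to access an object".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the named <Data> elements of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep file objects only; skip records without a process path.
    if ($data['ObjectType'] -ne 'File' -or -not $data['ProcessName']) { continue }
    # 4663 records the full image path, so compare only the file name.
    if ((Split-Path -Path $data['ProcessName'] -Leaf) -ne $ProcessLeaf) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process    = $data['ProcessName']
        Object     = $data['ObjectName']
        AccessMask = $data['AccessMask']
    }
}

# Per-user counts first, then the most recent events to compare with the report rows.
$rows | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
$rows | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If the script returns events for a process that the report does not show, check that the report's time range and selected sub modules cover the same activity.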