Synology logs SMB "Read" event false positives
We recently switched to a Synology enterprise setup at work and we're hoping to benefit from the additional logging that comes with Synology software. In response to a security incident, I found log entries that suggested a user accessed a file over SMB they may not have accessed.
To prove the theory, I mounted a SMB share, and navigated to a directory. From both Windows and Mac, I found that Synology generated "Read" events for files in the directory (image files, csv files, pdf files, etc) even though none of the files were read.
The problem with that is a user could easily be accused of accessing files they didn't access. Simply navigating to a directory could result in a user "Read" event log. On the surface it may seem like the solution is simple: never restrict access by files, always restrict by directory. But my concern is more about not being able to trust the logs and not knowing what options exist where a user can connect to an SMB share and the security team have reliable event logs.
How do you deal with this type of problem when doing security audits?
Your file manager probably reads the files to find metadata - such as Office document tags, EXIF thumbnails and so forth. You have no way of differentiating such automated reads from a user opening the file on this level.
To me it sounds like a X-Y problem. What do you want to achieve? An audit trail whenever a user opens a file?