Searches show up as file "READ" (File Read) on report - Are these folder searches by the user?
We have network-based user shares. We have File Sight monitoring the base user share folder.
We have File Sight configured to monitor the base share and it looks for 200 reads in less than 1 minute.
We are getting alerts such as the example below (the IP info and such is not real, just a sample of the alert)
Exceeded threshold: SAMPLEDOMAINNAME\BENDA read 1447 files under E:\USERS$\ in 0m 50s from 129.168.5.5. The alert threshold is 200 files in 1m 0s.
Read files include:
E:\USERS$\BENDA\Old Desktop Computer Backup\Downloads\SWOT ANALYSIS (1).xls
------------
So why would a user be able to read so many files on their "U" drive in under a minute? My first guess is they were doing a search for something inside their folder. My real question here: we want to be able to identify possible crypto-type file reads/renames/deletions. But if a folder search/index would trigger the alert, what other method or configuration should we be using?
Thank you!
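As an added example, not part of the original post and not File Sight's own code or configuration, here is one way to separate a search-style read burst from encryption-style activity: per user and per one-minute window, count reads separately from renames that change the file extension and from deletes, and only treat the latter as suspicious. The event fields, the sample users and paths, and the 20-change threshold are all constructed assumptions.

```python
# Triage of file-audit bursts: a read-only burst (search/indexing) vs. an
# encrypt-style burst of reads plus renames/deletes. Added example with
# constructed events; field names and thresholds are assumptions, not File
# Sight's own format or settings.
from collections import defaultdict
from datetime import datetime, timedelta
import os

WINDOW = timedelta(minutes=1)
READ_BURST = 200     # the poster's existing read threshold
CHANGE_BURST = 20    # assumed: renames-with-new-extension or deletes per window

T0 = datetime(2024, 1, 1, 9, 0, 0)
# Constructed events: (timestamp, user, op, path[, new_path]).
EVENTS = [(T0 + timedelta(milliseconds=200 * i), "benda", "READ",
           f"E:\\USERS$\\benda\\docs\\file{i}.xls") for i in range(250)]
for i in range(30):  # "mallory": read each file, then rename it to a new extension
    old = f"E:\\USERS$\\mallory\\file{i}.docx"
    EVENTS.append((T0 + timedelta(seconds=i), "mallory", "READ", old))
    EVENTS.append((T0 + timedelta(seconds=i), "mallory", "RENAME", old, old + ".locked"))

def ext_changed(old, new):
    """True when a rename alters the extension, as encryptors commonly do."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()

def classify(events, start):
    """Return {user: verdict} for events falling in [start, start + WINDOW)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        ts, user, op = ev[0], ev[1], ev[2]
        if not (start <= ts < start + WINDOW):
            continue
        counts[user][op] += 1
        if op == "RENAME" and ext_changed(ev[3], ev[4]):
            counts[user]["RENAME_EXT"] += 1
    verdicts = {}
    for user, c in counts.items():
        if c["RENAME_EXT"] + c["DELETE"] >= CHANGE_BURST:
            verdicts[user] = "possible encryption: reads plus renames/deletes"
        elif c["READ"] >= READ_BURST:
            verdicts[user] = "read-only burst: likely search or indexing"
        else:
            verdicts[user] = "normal"
    return verdicts

if __name__ == "__main__":
    for user, verdict in classify(EVENTS, T0).items():
        print(f"{user}: {verdict}")
```

Keeping the existing read threshold as a low-priority "search/index" signal while alerting only on the rename-with-new-extension or delete burst gives a rule that a user's folder search does not trip.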