RackTop Systems
Practitioner Guide

File activity telemetry: what your SOC actually needs from storage

Most NAS audit feeds were designed for compliance checkboxes, not threat detection. Here is what detection-grade file activity telemetry looks like, how to wire it into SIEM and SOAR workflows without drowning the license, and the two tests that prove the integration is real.

RackTop SystemsJune 30, 20265 min read

Key takeaways

  • Detection-grade telemetry is per-operation and carries identity, host, path, and rate context.
  • Capture must be complete and tamper-evident, or the investigation dies with the log.
  • Send the SIEM verdicts and evidence, not raw operations — keep the full record queryable at the source.
  • The storage should act on its own detections; the SOC needs the alert, the file list, and the outcome.

Ask a SOC analyst what they get from the file infrastructure today and the answer is usually a native NAS audit feed: lossy, inconsistently formatted, missing context, and expensive to ingest. It exists because an auditor once required it, not because anyone expected to detect anything with it. That gap matters more every year, because the incidents that hurt — ransomware runs, insider data theft, staged exfiltration — are sequences of file operations, and file operations are precisely what the rest of the security stack cannot see. Making file activity useful to the SOC means fixing two things: the signal itself, and the plumbing that carries it.

The five questions every operation must answer

Detection-grade telemetry answers five questions for every read, write, delete, and permission change. Who: the authenticated identity, resolved to a real user or service account, not just a source IP. What: the operation type and the full file path, not a truncated or hashed stand-in. When: a trustworthy timestamp. From where: the client host and the protocol — SMB, NFS, S3, or Web Drive. And how much: the rate and volume of the activity, in the context of that identity’s normal baseline.

The fifth question is the one native audit logs never answer, and it is the one detection actually runs on. Ten file reads is nothing for an engineer and everything for a service account that has never read a document in its life. Without per-identity baselines, downstream analytics are reduced to crude thresholds that either fire constantly or never — which is how most SIEM file-monitoring rules end up disabled within a quarter.

Capture requirements: complete and tamper-evident

Two properties separate evidence from noise. First, completeness. Sampled, buffered, or best-effort feeds are fine for capacity planning and useless for investigation — if the record has gaps, the attacker’s activity will be in the gaps, and counsel will have to assume worst-case scope. Every operation, every protocol, no sampling.

Second, tamper evidence. The audit trail must survive the compromise it is documenting. If an administrator can edit or purge the record, then any attacker holding admin credentials can erase the investigation on the way out — and post-incident, you cannot prove they did not. Immutability here is not a compliance nicety; it is what makes the record admissible as the ground truth for disclosure decisions, insurance claims, and legal review.

The plumbing: what to send where

Shipping every raw file operation to the SIEM is a licensing bill, not a detection strategy. A moderately busy NAS generates orders of magnitude more events per day than most SIEM budgets can absorb, which is why raw-feed integrations quietly get filtered down until they carry nothing of value.

The workable pattern is tiered. The storage platform runs behavioral detection locally, where the full-fidelity stream is free, and enforces the response itself — terminating the malicious session and isolating the account in seconds rather than waiting on an external pipeline. The SOC receives the incident through SIEM or SOAR integration: the verdict, the identity, the host, the affected file list, and the action already taken. And the complete per-operation record stays queryable at the source, so investigators can pull exactly the slice they need instead of paying to warehouse all of it. The analyst gets an actionable alert with evidence attached instead of a haystack, and containment has already happened by the time the ticket opens.

What this looks like in an investigation

Walk the workflow after an alert. Detection fires on anomalous bulk reads from a contractor account at 02:14; the session is terminated automatically and pre-incident snapshots are placed on hold. The analyst opens the incident with the affected file list already attached, pivots into the source-side record to see everything that identity touched over the preceding 30 days, and establishes scope in minutes: which directories, which programs, how far outside the account’s baseline. Legal gets a bounded list of exactly what was read before the stop, not a shrug and a share name. That is the difference telemetry design makes — the same incident with a lossy native feed ends in worst-case assumptions and a maximum-scope disclosure.

Two tests that prove the integration is real

First, the tabletop test: pick an account and a two-week window, and ask the SOC to produce the exact list of files that account touched — with timestamps, hosts, and operations. Time how long it takes. If the answer is measured in days or requires the storage team, the telemetry is not investigation-ready.

Second, the 2 a.m. test: when file-level detection fires overnight, did anything actually stop? If the workflow is alert, queue, morning triage, then the telemetry is a historical record of damage, not a control. Storage that can see, decide, and act on its own operations — then hand the SOC the evidence — is what turns file activity from an ingest problem into a defense.

See data-layer defense in action

A 30-minute demo shows Active Defense stopping an attack inline, immutable recovery, and surgical rollback — mapped to your environment.

File Activity Monitoring for the SOC: NAS Telemetry Guide | RackTop Systems