Hi Kyriakos,
It seems that this feature is not available for OSSEC (you can check an older thread about it here). However, as mentioned in the thread, you can use Wazuh to achieve that goal:
**Phase 1: Completed pre-decoding.
full event: '2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an object was requested. Subject: Security ID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: Subject1 Account Domain: DESKTOP Logon ID: 0xXXXXX Object: Object Server: Security Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID: 0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x100001 Privileges Used for Access Check: - Restricted SID Count: 0'
hostname: 'ip-10-0-0-10'
program_name: 'WinEvtLog'
log: 'Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an object was requested. Subject: Security ID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX Account Name: Subject1 Account Domain: DESKTOP Logon ID: 0xXXXXX Object: Object Server: Security Object Type: File Object Name: C:\Users\Subject2\Documents\Private.txt Handle ID: 0xXXX Resource Attributes: - Process Information: Process ID: 0xXXX Process Name: C:\Windows\System32\notepad.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU) Access Mask: 0x100001 Privileges Used for Access Check: - Restricted SID Count: 0'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '4656'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'Desktop'
account_name: 'Subject1'
account_domain: 'DESKTOP'
logon_id: '0xXXXXX'
accesses: ' SYNCHRONIZE ReadData (or ListDirectory) Access Reasons: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU)'
target_file: 'C:\Users\Subject2\Documents\Private.txt'
**Phase 3: Completed filtering (rules).
Rule id: '200000'
Level: '5'
Description: 'Unauthorized object access by Subject1'
**Alert to be generated.
You can check this link for further information.
Hope this helps. Let me know if you need anything else.
Regards,
Yana.
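The logtest output above shows the decoded fields (`id`, `status`, `account_name`, `target_file`) that a local rule can match on, but not the rule itself. The following is an added example of such a rule, not code from the original reply or from the Wazuh project: rule id 200000, level 5 and the description text are taken from the Phase 3 output; the group names, the use of `<decoded_as>`, `<id>`, `<status>` and `<field>` as matching options, and the `$(account_name)` substitution in the description are assumptions about the Wazuh rule syntax in use.

```xml
<!-- Added example (not from the original reply or from Wazuh itself).
     Rule id, level and description come from the logtest output on the page;
     the group names, the matching options and the $(account_name) substitution
     are assumptions about the Wazuh rule syntax. -->
<group name="windows,object_access,">

  <!-- Fires on Security event 4656 (a handle to an object was requested) that
       the 'windows' decoder tagged as AUDIT_FAILURE, when the object is a file
       inside a user's Documents folder. -->
  <rule id="200000" level="5">
    <decoded_as>windows</decoded_as>
    <id>^4656$</id>
    <status>^AUDIT_FAILURE$</status>
    <!-- target_file is the decoded "Object Name" value; the path fragment is
         an assumption - tighten it to the files you actually audit. -->
    <field name="target_file">Documents</field>
    <description>Unauthorized object access by $(account_name)</description>
    <group>access_denied,</group>
  </rule>

</group>
```

Place the rule in a local rules file so upgrades do not overwrite it, then feed the event to ossec-logtest again to confirm that Phase 3 reports rule 200000. An alert is written only if the rule level is at or above the `log_alert_level` configured in ossec.conf (3 by default), which is why level 5 here ends with "Alert to be generated".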