FIM for Windows


Sam Heuchert

Jun 10, 2022, 11:34:28 AM
to Wazuh mailing list
Hi All!

I'm working on the configuration of the FIM module for Windows Workstations and Servers.  I'm hoping to capture all user folders, so I'm specifying the C:\Users\*\Desktop and all other "default" folders.  It's working well.  I wanted to know if you had any best practices that I should be aware of to reduce strain on the endpoints?  Should I use the "realtime" option?  I'm leaning towards no on this one.  I like the "report changes" option, but it looks like it only works on files like TXT and RTF files and it stores a copy of the file on the local machine to track changes, eating up space.  Can the "report changes" option report changes to files like .docx, .xlsx, etc.?  If so, how?

Second, I'm working to audit Windows file server shares with the FIM module.  I've got my file shared, say, off of F:\RESOURCE with multiple root folders.  I can't seem to get it to pick up any changes.  Can you advise?

Thanks!

Aditya Sharma

Jun 12, 2022, 10:54:04 PM
to Wazuh mailing list
Hi Sheuchert, Thanks for using Wazuh!

Glad to hear that it is working well for you. As you want to use the "real-time" and "report-changes" options in your configuration to track changes more closely, we recommend that you only monitor critical files which do not change regularly; if one of them changes you will get the alert, and from it you can see who changed the file and exactly what was changed.

For your information, please also check out the documentation below:

For Real-Time Monitoring: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-real-time-monitoring

For Report Changes: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-reporting-file-and-registry-value-changes

For FIM Capabilities check this out also: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html

For Audit logs in Windows please check this out: https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-windows.html

I hope this helps you. Don't hesitate to ask your questions/concerns. We are very happy to help you.

Regards
Aditya Sharma

Sam Heuchert

Jun 13, 2022, 11:39:20 AM
to Wazuh mailing list
Thank you, Aditya!  Super helpful.

I do need some clarification on the file shares (and external drives) though: is it possible to monitor a location like D:\ or E:\ or F:\? I can't seem to get it to work.

Thanks!

Aditya Sharma

Jun 14, 2022, 1:59:27 AM
to Wazuh mailing list
Hi Sheuchert, glad to know that it helped you!

Yes, you can monitor them, but bear in mind that if they are not critical files for you, this will give you lots of alerts and also impact your disk usage. You can see it below:

[image: windows test.png]

For syscheck settings in general, you can check here: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-syscheck-basic-usage


I hope this helps you. Don't hesitate to ask your questions/concerns.

Regards
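An added configuration example, not from this thread and not from Wazuh's own shipped files, that puts both questions from the thread into one agent `<syscheck>` block: the per-user profile folders on scheduled scans with `report_changes`, the F:\RESOURCE file share monitored with who-data so the alert carries the user and process that made the change, and a `<diff>` disk quota that bounds the local copies `report_changes` keeps. The 12-hour frequency, the ignore pattern, the quota limits and the choice of which folders are "critical" are assumptions for illustration; the section names and attributes are the documented Wazuh 4.x syscheck options.

```xml
<!-- Added example, not from the original thread or from Wazuh's own configuration files.
     Assumed: Wazuh agent 4.x ossec.conf on a Windows host; frequency, paths and limits are illustrative. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>

    <!-- Scheduled scan every 12 hours (assumed value); scan_on_start is the default, shown for clarity -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- User profile folders from the thread: the wildcard expands to every profile under C:\Users.
         Scheduled scans only (no realtime) keep endpoint load low; report_changes attaches a diff
         of text-file content to the alert and stores a copy locally, which the <diff> quota below caps. -->
    <directories check_all="yes" report_changes="yes">C:\Users\*\Desktop</directories>
    <directories check_all="yes" report_changes="yes">C:\Users\*\Documents</directories>
    <directories check_all="yes" report_changes="yes">C:\Users\*\Downloads</directories>

    <!-- File server share from the thread (F:\RESOURCE), treated here as the critical location.
         whodata="yes" implies real-time monitoring and records which user and process changed a file;
         it relies on the Windows object-access audit policy described in the who-data documentation. -->
    <directories check_all="yes" whodata="yes" report_changes="yes">F:\RESOURCE</directories>

    <!-- Noise control (assumed pattern): skip temporary and lock files that churn constantly -->
    <ignore type="sregex">.tmp$|.lock$</ignore>

    <!-- Bound the local disk used by report_changes copies (the "eating up space" concern in the thread) -->
    <diff>
      <disk_quota>
        <enabled>yes</enabled>
        <limit>1GB</limit>
      </disk_quota>
      <file_size>
        <enabled>yes</enabled>
        <limit>50MB</limit>
      </file_size>
    </diff>
  </syscheck>
</ossec_config>
```

The design choice follows the advice in the replies: real-time and who-data go only on the one location where knowing who changed what matters, while the broad user-folder wildcards stay on the scheduled scan so a fleet of workstations does not generate constant alerts or exhaust the diff storage.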