Request for Guidance on Monitoring the Creation, Deletion, and Download of Files on Windows 11 Workstations


Márcio Cordeiro

9:57 AM (12 hours ago)
to Wazuh | Mailing List
Could you please advise me on the best way to implement monitoring on workstations (all running Windows 11)? My goal is to obtain detailed logs of the following actions performed by users:
- File creation
- File deletion
- File downloads
The intention is to have adequate control over these activities for auditing and information security purposes. Thank you in advance for your support.


Olamilekan Abdullateef Ajani

10:50 AM (12 hours ago)
to Wazuh | Mailing List
Hello Marciocordeiro,

From an auditing perspective and for your use case (file creation, deletion, and downloads), the most practical approach is to combine File Integrity Monitoring (FIM). FIM gives you the visibility you need when critical files are tampered with by providing the who, when, and how of a change when it is detected. You can check out the screenshot for a sample of the type of visibility you would get.

An example download-folder configuration that you can apply to the agent ossec.conf file is:

<syscheck>
   <directories whodata="yes">C:\Users\user-here\Downloads</directories>
</syscheck>

And if you intend to capture all users' account activity on a device, you can use the wildcard option like this:

<syscheck>
   <directories whodata="yes">C:\Users\*\Downloads</directories>
</syscheck>

Lastly, you also need to be watchful of noisy paths to avoid administrative overhead when correlating/reconciling events; this is to ensure you only monitor what is needed. The ignore option can also be seen here if needed.

You can find references and more configurable options in the documentation below:

[attachment: syscheck.png]
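Building on the snippets in the reply above, here is a fuller syscheck block for the agent ossec.conf. It is an added example written for this page, not code from Olamilekan's reply or from Wazuh's shipped defaults. It keeps whodata on so that every creation or deletion alert carries the user and the process that made the change, covers the Downloads folder of every profile through the wildcard, and adds ignore patterns for the temporary files browsers write while a download is still in progress, which would otherwise produce an added/deleted pair for every single download. The Desktop and Documents entries and the tag names are my assumptions about what the original poster wants beyond Downloads; drop them if only downloads matter.

```xml
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <!-- Scheduled scan every 12 hours as a safety net for anything missed while
         the agent was down. whodata events are reported immediately and do not
         wait for this. -->
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Single-profile version from the thread, kept commented for comparison.
         It only sees one user and has to be edited on every workstation. -->
    <!-- <directories whodata="yes">C:\Users\user-here\Downloads</directories> -->

    <!-- Every profile's Downloads folder; the agent expands the wildcard.
         whodata="yes" attaches user and process to each event. On Windows the
         agent sets the SACL on the folder itself, so no manual auditpol step is
         needed, but a domain GPO that forces object-access audit settings can
         undo it; the agent then logs a warning and falls back to realtime mode,
         which still reports the file but not who touched it. -->
    <directories whodata="yes" tags="user-downloads">C:\Users\*\Downloads</directories>

    <!-- Assumption: the poster also wants creations/deletions elsewhere in the
         profile, not only downloads. Remove if that is not the case. -->
    <directories whodata="yes" tags="user-files">C:\Users\*\Desktop</directories>
    <directories whodata="yes" tags="user-files">C:\Users\*\Documents</directories>

    <!-- Browsers stream a download into a partial file and rename it when done.
         Without these ignores each download generates an "added" and a
         "deleted" event for the partial file on top of the final file.
         sregex syntax: "|" is OR, "$" anchors the end of the path. -->
    <ignore type="sregex">.crdownload$|.partial$|.part$|.tmp$</ignore>
  </syscheck>
</ossec_config>
```

With this in place a downloaded file shows up on the manager as rule 554 ("File added to the system") and a removal as rule 553 ("File deleted"), with the user and process in the syscheck.audit.user.name and syscheck.audit.process.name fields. Two things worth knowing before relying on it for auditing: FIM records that a file appeared in Downloads and which process (for example the browser) wrote it, not the URL it came from, so pair it with proxy or browser logs if the source of a download matters; and rather than editing ossec.conf on each Windows 11 workstation, the same block can be pushed to all of them from the manager through a shared agent group's agent.conf.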