Monitor renamed files on Windows


bilal

Sep 4, 2025, 9:58:13 AM
to Wazuh | Mailing List
Hello Wazuh Community.


I'm looking for a way to monitor file rename events on Windows using Wazuh.

Is there a recommended method or configuration for detecting when files are renamed?

Any help or guidance would be appreciated. Thanks!


Olamilekan Abdullateef Ajani

Sep 4, 2025, 11:07:00 AM
to Wazuh | Mailing List
Hello Bilal,

This is possible with the use of Wazuh FIM with the aid of syscheck.
When you have a syscheck configuration like this <directories realtime="yes">C:\Users\vagrant\Downloads</directories> associated with the agent ossec configuration file, it means the files in the Downloads directory will be monitored.
The way FIM works, when you rename a file, the hash of that file goes off and a new one is generated and associated with the new name. So it sees the initial name change as deleted and the new name as a file added with a new hash generated.

Please see attached for an example.

Ref:
wazuh-fim.png
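Because FIM reports a rename as a "deleted" alert plus an "added" alert, the two can be paired afterwards to recover the old and new names. The following is an added example, not part of the thread and not Wazuh's own code: it assumes alerts in the one-JSON-object-per-line layout of alerts.json, that both alerts carry the file's content hash in syscheck.sha256_after, and a 5-second pairing window; the sample alerts and their shortened hashes are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample alerts, one JSON object per line as in Wazuh's alerts.json.
# Hashes are shortened placeholders; sha256_after on "deleted" alerts is an assumption.
SAMPLE_ALERTS = r'''
{"timestamp":"2025-09-04T11:00:01.120+0000","agent":{"id":"001"},"syscheck":{"event":"deleted","path":"c:\\users\\vagrant\\downloads\\report.docx","sha256_after":"aaaa1111"}}
{"timestamp":"2025-09-04T11:00:01.480+0000","agent":{"id":"001"},"syscheck":{"event":"added","path":"c:\\users\\vagrant\\downloads\\report_final.docx","sha256_after":"aaaa1111"}}
{"timestamp":"2025-09-04T11:02:00.000+0000","agent":{"id":"001"},"syscheck":{"event":"added","path":"c:\\users\\vagrant\\downloads\\setup.exe","sha256_after":"bbbb2222"}}
{"timestamp":"2025-09-04T11:05:00.000+0000","agent":{"id":"001"},"syscheck":{"event":"deleted","path":"c:\\users\\vagrant\\downloads\\old.txt","sha256_after":"cccc3333"}}
{"timestamp":"2025-09-04T11:30:00.000+0000","agent":{"id":"001"},"syscheck":{"event":"added","path":"c:\\users\\vagrant\\downloads\\copy.txt","sha256_after":"cccc3333"}}
'''

def load_events(text):
    """Return sorted (time, agent id, event, path, sha256) tuples for FIM added/deleted alerts."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        alert = json.loads(line)
        sc = alert.get("syscheck", {})
        if sc.get("event") in ("added", "deleted") and sc.get("sha256_after"):
            ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            events.append((ts, alert["agent"]["id"], sc["event"], sc["path"], sc["sha256_after"]))
    return sorted(events)

def find_renames(text, window=timedelta(seconds=5)):
    """Pair a 'deleted' and an 'added' alert with the same agent and hash inside the window."""
    pending = {}   # (agent, sha256, event) -> (time, path) of an alert still waiting for a partner
    renames = []
    for ts, agent, event, path, sha in load_events(text):
        partner = "added" if event == "deleted" else "deleted"
        match = pending.get((agent, sha, partner))
        if match and ts - match[0] <= window:
            del pending[(agent, sha, partner)]
            # The deleted path is the old name, the added path is the new one.
            old, new = (path, match[1]) if event == "deleted" else (match[1], path)
            renames.append({"agent": agent, "old": old, "new": new, "sha256": sha})
        else:
            pending[(agent, sha, event)] = (ts, path)   # no partner yet, or it was too old
    return renames

if __name__ == "__main__":
    for r in find_renames(SAMPLE_ALERTS):
        print(f"agent {r['agent']}: {r['old']} -> {r['new']}")
```

The window keeps an unrelated delete and a later copy with the same content (old.txt and copy.txt in the sample) from being reported as a rename.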