Windows File access monitoring using windows audit


Black Fish

May 21, 2021, 3:54:39 PM
to Wazuh mailing list
Hi all,


I tried the links mentioned below to monitor file access to a particular folder, but it did not work. Could someone please provide me with a working solution?





Thanks

Imran Q.

Daniel Folch

May 24, 2021, 6:40:59 AM
to Wazuh mailing list

Hello Imran,

The first link you shared is really old; in recent Wazuh versions you can use the syscheck module to perform FIM in Windows, so I recommend you check our documentation. I have tested the guide provided in the second blog and it works fine. First, configure the Windows audit group policy:

(screenshot: Captura de pantalla de 2021-05-24 11-59-52.png)

Then configure the audit settings for the folder you want to monitor:

(screenshot: Captura de pantalla de 2021-05-24 12-02-29.png)

(screenshot: Captura de pantalla de 2021-05-24 12-03-31.png)

(screenshot: Captura de pantalla de 2021-05-24 12-03-52.png)

After this, remove the exception for EventID 4663 (the "EventID != 4663" clause) from the agent configuration. The localfile section should look like this after the change:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]
  </query>
</localfile>

After this change restart the agent.

Finally, add the rules indicated in the blogpost to the manager /var/ossec/etc/rules/local_rules.xml:

<var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var>

<group name="windows, windows_security,">
  <rule id="100111" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4663$</field>
    <field name="win.eventdata.objectName">$CriticalFolders</field>
    <description>Object access information into critical folders</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100112" level="10">
    <if_sid>100111</if_sid>
    <time>5pm - 8am</time>
    <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder out of office hours.</description>
    <options>no_full_log</options>
  </rule>
</group>

Note that you will need to replace C:\\\\Critical_Folder|C:\\\\Critical_Folder2 in the CriticalFolders variable with the paths to the folders you want to monitor. Also, this set of rules will only generate an alert if the folder is accessed between 5 PM and 8 AM; if you want to generate an alert every time someone accesses the folder, use this instead:

<var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var>

<group name="windows, windows_security,">
  <rule id="100111" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4663$</field>
    <field name="win.eventdata.objectName">$CriticalFolders</field>
    <description>Object access information into critical folders</description>
    <options>no_full_log</options>
  </rule>
</group>

Regards,
Daniel Folch
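The first two steps of the answer above survive only as screenshots. As an added example (not from the thread, and not Wazuh's own tooling), the same audit policy and folder SACL configuration done from an elevated PowerShell prompt, followed by a local check that 4663 events are actually being produced before the Wazuh rules are tested. The folder path and the list of audited rights are assumptions; adjust them to match the CriticalFolders variable in your rules.

```powershell
# Added example: configure Windows object-access auditing for one folder
# without the GUI. Run from an elevated prompt (SACL access needs SeSecurityPrivilege).
$Folder = 'C:\Critical_Folder'   # assumption: the folder listed in $CriticalFolders

# 1. Enable the "File System" subcategory of Object Access auditing.
#    Without it, SACL entries on the folder never produce 4663 events.
#    In a domain the GPO shown in the thread takes precedence; a local
#    auditpol change is overwritten on the next policy refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) so reads, writes and deletes by any principal
#    are logged. Keep the rights narrow: every matching access becomes a 4663
#    event the agent forwards once "EventID != 4663" is dropped from the query.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$audit   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', $rights, $inherit, $prop, $audit)

# -Audit is required so Get-Acl reads (and Set-Acl writes back) the SACL part.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify the SACL now carries the entry.
Get-Acl -Path $Folder -Audit |
    Select-Object -ExpandProperty Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. After opening or editing a file in the folder, confirm 4663 events exist
#    locally. ObjectName is the value the rules' win.eventdata.objectName
#    field is matched against, so check it looks like your CriticalFolders regex.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
            ObjectName = ($x.Event.EventData.Data | Where-Object Name -eq 'ObjectName').'#text'
            AccessMask = ($x.Event.EventData.Data | Where-Object Name -eq 'AccessMask').'#text'
        }
    }
```

If step 4 shows events but the manager raises no alert, the mismatch is usually between the ObjectName printed here and the escaped path in the CriticalFolders variable.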
