FIM monitoring for file COPY & MOVE operations


Hatim Eissa

Oct 10, 2023, 6:34:43 AM10/10/23
to Wazuh | Mailing List
Hello

Just enquiring if the FIM module can monitor & alert for certain file copy/move actions on top of creation, modification, and deletion?

Thanks

Hatim Eissa

Oct 10, 2023, 6:44:57 AM10/10/23
to Wazuh | Mailing List
I don't understand what's so abusive in my question?!

ashraf abbas

Oct 10, 2023, 7:14:57 AM10/10/23
to Wazuh | Mailing List
Hello Hatim,

The File Integrity Monitoring (FIM) module in Wazuh primarily focuses on monitoring and alerting for changes related to file creation, modification, and deletion. However, it does not natively include features for monitoring and alerting specifically on file copy or move actions.

The FIM module in Wazuh tracks changes in file attributes such as permissions, ownership, and content. It can generate alerts for the following types of file events:

File Creation: Wazuh can generate alerts when a new file is created or an existing file is overwritten.
File Modification: Alerts are triggered when the content of a file is modified.
File Deletion: Alerts are generated when a file is deleted.

If you specifically need to monitor and alert on file copy or move actions, you may need to consider additional approaches or tools to achieve this, as Wazuh's FIM module is not designed for this purpose out of the box.

Here are some alternative options:
Use Windows Security Logs
Third-Party Tool
Custom Scripting

I hope this is helpful. You can reach out if you require more information.
Regards.

Ashraf Abbas

Hatim Eissa

Oct 10, 2023, 7:26:49 AM10/10/23
to Wazuh | Mailing List
Hello Ashraf

Thanks a lot for your reply.
For the alternative methods you mentioned. If I go with the approach of using a custom script that monitors those ops & then write alerts out in a file to be grabbed & ingested through Wazuh agent into manager, could you tell me the recommended log format to be used in order to be parsed correctly to the manager?

Thanks in advance

ashraf abbas

Oct 10, 2023, 8:06:19 AM10/10/23
to Wazuh | Mailing List
Hello Hatim,

Thank you for reaching out. You don't have to write alerts out in a script to be grabbed or ingested.

I meant you can create custom scripts or use PowerShell to monitor file copy and move actions and then forward relevant events to Wazuh for further processing. This approach may require a deeper level of customization.

Regards.

Ashraf.


Jose Luis Carreras Marin

Oct 16, 2023, 7:36:17 AM10/16/23
to Wazuh | Mailing List
Hello Hatim

As Ashraf told you very well, FIM is not prepared to generate events for copied or moved files. You would only get the events related to the deletion or creation of those files. But not related to each other.
A good option would be to detect the Windows Security Logs, and use Wazuh's Logcollector module to process those logs and generate the desired alerts.
Link to docu for Logcollector:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
Link to Logcollector configuration:

If you want to tell me more in depth about your environment and your goals, I will be happy to help you as much as possible.

Best regards,
Jose
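The Windows Security Log approach that Ashraf and Jose recommend, carried through as an added example (not code from the thread or from the Wazuh project). Event 4663 ("An attempt was made to access an object") is only logged once the "Audit File System" policy is enabled and a SACL is set on the watched folders; each record names one object and one access mask, so a copy or move has to be inferred by correlating records. The pattern assumed here is: ReadData on a source path followed shortly by WriteData on a different path with the same file name is a copy, and DELETE on the source followed by WriteData on the destination is a move. The field names (`objectName`, `accessMask`, `user`) are simplified stand-ins for the eventchannel fields and the sample events are constructed, not real logs; verify the access masks your own applications produce before relying on the heuristic. The output is one JSON object per line, which is the format a Wazuh agent can collect from a file with `<log_format>json</log_format>`, answering Hatim's question about how to hand the results to the manager.

```python
"""Correlate Windows Security event 4663 records into file copy / move alerts.

Added example, not part of the thread or of Wazuh. Field names are simplified
stand-ins (hypothetical) for what the eventchannel decoder exposes; the
access-mask pattern is an assumption to verify against your own audit events.
"""
import json
import ntpath
from collections import deque
from datetime import datetime, timedelta

# Access-mask bits from the Windows file access rights (4663 AccessMask).
READ_DATA = 0x1      # FILE_READ_DATA: the source of a copy is read
WRITE_DATA = 0x2     # FILE_WRITE_DATA: the destination is written
DELETE = 0x10000     # DELETE: the source of a move is removed/renamed

# Constructed sample events (not real logs): one copy, one move, one plain
# read, and a same-named write by another user that must NOT be paired.
SAMPLE_EVENTS = [
    {"time": "2023-10-10T06:34:00", "eventID": 4663, "user": "hatim",
     "objectName": r"C:\Finance\budget.xlsx", "accessMask": "0x1"},
    {"time": "2023-10-10T06:34:01", "eventID": 4663, "user": "hatim",
     "objectName": r"D:\Staging\budget.xlsx", "accessMask": "0x2"},
    {"time": "2023-10-10T06:40:00", "eventID": 4663, "user": "hatim",
     "objectName": r"C:\Finance\payroll.docx", "accessMask": "0x10000"},
    {"time": "2023-10-10T06:40:00", "eventID": 4663, "user": "hatim",
     "objectName": r"C:\Archive\payroll.docx", "accessMask": "0x2"},
    {"time": "2023-10-10T07:00:00", "eventID": 4663, "user": "hatim",
     "objectName": r"C:\Finance\notes.txt", "accessMask": "0x1"},
    {"time": "2023-10-10T07:00:02", "eventID": 4663, "user": "svc_backup",
     "objectName": r"E:\Dump\notes.txt", "accessMask": "0x2"},
]


class CopyMoveCorrelator:
    """Pairs a read/delete of a file with a later write of a same-named file
    by the same user within a short window."""

    def __init__(self, window_seconds=5):
        self.window = timedelta(seconds=window_seconds)
        self.pending = deque()  # (timestamp, event, mask) awaiting a write

    def feed(self, ev):
        if ev.get("eventID") != 4663:
            return None
        mask = int(ev["accessMask"], 16)
        ts = datetime.fromisoformat(ev["time"])
        # Drop candidates that are older than the correlation window.
        while self.pending and ts - self.pending[0][0] > self.window:
            self.pending.popleft()
        if mask & WRITE_DATA:
            name = ntpath.basename(ev["objectName"]).lower()
            for i, (_, pev, pmask) in enumerate(self.pending):
                same_user = pev["user"] == ev["user"]
                same_name = ntpath.basename(pev["objectName"]).lower() == name
                same_path = pev["objectName"].lower() == ev["objectName"].lower()
                if same_user and same_name and not same_path:
                    del self.pending[i]
                    return {
                        "timestamp": ev["time"],
                        "action": "move" if pmask & DELETE else "copy",
                        "user": ev["user"],
                        "source": pev["objectName"],
                        "destination": ev["objectName"],
                        "source_event": 4663,
                    }
            return None  # in-place modification or unrelated write
        if mask & (READ_DATA | DELETE):
            self.pending.append((ts, ev, mask))
        return None


def correlate(events, window_seconds=5):
    """Run the correlator over events in time order; return the alerts."""
    corr = CopyMoveCorrelator(window_seconds)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alert = corr.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def to_json_lines(alerts):
    """One JSON object per line, suitable for a localfile with log_format json."""
    return "".join(json.dumps(a, sort_keys=True) + "\n" for a in alerts)


if __name__ == "__main__":
    print(to_json_lines(correlate(SAMPLE_EVENTS)), end="")
```

Run against the sample events this yields two alerts, a copy of budget.xlsx and a move of payroll.docx; the read of notes.txt is not paired with the other user's write. Write the lines to a file the agent reads and point a `<localfile>` block with `<log_format>json</log_format>` at it, then write rules on the `action`, `source` and `destination` fields. The pairing is a heuristic: an unrelated read of one file and creation of another file with the same name inside the window will also match, and a rename on the same volume may surface only as the DELETE record, so tune the window and consider adding a process-name check for your environment.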
