Wazuh can help you monitor folder access in Windows systems by collecting logs from the
Audit object access group policy.
Monitor folder access: Windows configuration
Open your Windows
Local group policy editor and navigate to
Audit policy. There are different audit policies for you to enable; the one you are looking for is
Audit object access:
Now you need to add it to each folder for which you want to be notified. To do so, open the folder properties and go to
Security > Advanced:
Click on the
Auditing tab and add the rule to monitor user actions:
At this point, whenever a user accesses the folder, Windows will log it under the event ID 4663 :
By default, the event ID 4663 is configured not to be collected. You need to edit the
Security eventchannel localfile in your
C:\Program Files (x86)\ossec-agent\ossec.conf file.
After removing the negation of this EventID value, your localfile should look like the following:
<localfile> <location>Security</location> <log_format>eventchannel</log_format> <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and EventID != 5157]</query> </localfile>
Note: You can also use centralized configuration to apply this change to a group of agents. You can find more information here.
Monitor folder access: Wazuh Manager
The last part involves adding rules for the EventID to our
CriticalFolders and alerting us whenever a user accesses them out of office hours.
/var/ossec/etc/rules/local_rules.xml and add this:
<var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var> <group name="windows, windows_security,"> <rule id="100111" level="0"> <if_sid>60103</if_sid> <field name="win.system.eventID">^4663$</field> <field name="win.eventdata.objectName">$CriticalFolders</field> <description>Object access information into critical folders</description> <options>no_full_log</options> </rule> <rule id="100112" level="10"> <if_sid>100111</if_sid> <time>5pm - 8am</time> <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder out of office hours.</description> <options>no_full_log</options> </rule> </group>
- There’s a variable named
CriticalFoldersthat includes every folder you want to monitor.
- The time range is expressed in the timezone of the Wazuh manager.
After restarting your Wazuh agent and manager you are set to monitor access and get alerted:
If you have any questions about this, join our community. Our team and contributors will help you.