Wazuh can help you monitor folder access on Windows systems by collecting the events that the Audit object access group policy writes to the Security log.

Open the Windows Local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Several audit policies can be enabled there; the one you are looking for is Audit object access. Enable it for Success (and for Failure as well if you also want to see denied attempts).
Enabling the policy alone generates nothing: you also need to add an audit entry (a SACL) to each folder you want to be notified about. To do so, open the folder's Properties and go to Security > Advanced. Click the Auditing tab and add an entry that specifies which principal and which actions (read, write, delete) to audit; if the entry applies to subfolders and files, anything inside the folder is audited too.

From this point on, whenever a user accesses the folder (or an object inside it), Windows logs the access in the Security log under event ID 4663.
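The two Windows-side steps above can be scripted instead of clicked through, which matters when the same folders must be audited on many hosts. The following is an added example, not code from the original article or from Wazuh: it enables the File System audit subcategory with auditpol, adds an inherited SACL entry to each folder, then accesses a probe file and checks that a 4663 event with that path was actually written before Wazuh is involved. The folder list, the choice of Everyone as the audited principal and the audited rights are assumptions for the example; run it in an elevated PowerShell session.

```powershell
# Added example: script the GPO + SACL steps and verify that 4663 is logged.
# Assumed inputs: the folder list and the audited principal/rights.
$CriticalFolders = @('C:\Critical_Folder', 'C:\Critical_Folder2')

# 1. Enable success and failure auditing for the "File System" subcategory of
#    Object Access. When advanced (subcategory) audit policy is in effect it
#    takes precedence over the legacy "Audit object access" category, so set
#    the subcategory explicitly rather than relying on the category alone.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 2. Build one audit rule (SACL entry): Everyone, read/write/delete,
#    inherited by subfolders and files, logged on success and failure.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

foreach ($folder in $CriticalFolders) {
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
    # -Audit is required to read and write the SACL (needs SeSecurityPrivilege).
    $acl = Get-Acl -Path $folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl
    # Show the audit entries now present on the folder.
    (Get-Acl -Path $folder -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
}

# 3. Touch a probe file in the first folder and look for matching 4663 events.
$probe = Join-Path $CriticalFolders[0] 'audit-probe.txt'
Set-Content -Path $probe -Value 'probe'
Get-Content -Path $probe | Out-Null
Start-Sleep -Seconds 2

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    # Parse the EventData <Data Name="..."> pairs of each record.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ObjectName -like ($CriticalFolders[0] + '*')) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $data.SubjectUserName
            ObjectName = $data.ObjectName
            AccessMask = $data.AccessMask
            Process    = $data.ProcessName
        }
    }
}
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Warning "No 4663 events for $($CriticalFolders[0]); check the auditpol output and the SACL listed above."
}
```

If step 3 prints nothing, the problem is on the Windows side (policy not applied, SACL missing, or the access did not exercise an audited right) and no change to the Wazuh agent or rules will help. Note that an inherited entry audits every file in the tree, so the SACL scope, not the Wazuh rule, is what controls event volume.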
By default, the Wazuh agent is configured not to collect event ID 4663: the query of the Security eventchannel localfile in C:\Program Files (x86)\ossec-agent\ossec.conf excludes it. Edit that localfile and remove the EventID != 4663 clause from the query. After removing the negation of this event ID, your localfile should look like the following:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4660 and EventID != 4670 and
    EventID != 4690 and EventID != 4703 and EventID != 4907 and EventID != 5152 and
    EventID != 5157]</query>
</localfile>
Note: You can also use centralized configuration (the agent.conf file shared from the manager) to apply this change to a whole group of agents instead of editing each ossec.conf. You can find more information in the Wazuh documentation on centralized configuration.
The last part is adding rules on the manager that match event 4663 for the folders listed in a CriticalFolders variable and alert whenever a user accesses one of them outside office hours. Edit /var/ossec/etc/rules/local_rules.xml and add this:
<var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var>

<group name="windows, windows_security,">

  <rule id="100111" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4663$</field>
    <field name="win.eventdata.objectName">$CriticalFolders</field>
    <description>Object access information into critical folders</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100112" level="10">
    <if_sid>100111</if_sid>
    <time>5pm - 8am</time>
    <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder out of office hours.</description>
    <options>no_full_log</options>
  </rule>

</group>
- The variable named CriticalFolders lists every folder you want to monitor. It is used as a regular expression, so separate additional folders with | and escape backslashes exactly as in the example. Because the match is not anchored, objects inside a listed folder (for example C:\Critical_Folder\report.docx) match as well.
- Rule 100111 is level 0, so every access is matched but not alerted on; rule 100112 raises a level 10 alert only when the match happens inside the time window.
- The time range is evaluated in the timezone of the Wazuh manager, not that of the agent; if agents sit in other timezones, adjust the window accordingly.
After restarting the Wazuh agent (for the ossec.conf change) and the Wazuh manager (for the new rules), you are set to monitor access to these folders and get alerted: