Wazuh can help you monitor folder access on Windows systems by collecting the Security events that Windows writes once the Audit object access policy is enabled and an audit entry (SACL) is set on the folders you care about.

Monitor folder access: Windows configuration

Open the Local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. There are several audit policies you can enable; the one you are looking for is Audit object access, which should at least audit successes:

Monitor Folder Access: Audit object access policy

Enabling the policy alone logs nothing: each folder you want to be notified about also needs an audit entry in its security descriptor. To add it, open the folder properties and go to Security > Advanced:

Monitor Folder Access: Folder properties

Click the Auditing tab and add an entry specifying the principal to audit (for example Everyone), the accesses to record, and whether successes, failures or both should be logged:

Monitor Folder Access: Auditing tab

From this point on, every audited access to the folder (and, if inheritance was selected, to the files and subfolders beneath it) is written to the Security log as event ID 4663:

Monitor Folder Access: Friendly view of event 4663
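The same configuration done from an elevated PowerShell session instead of the GUI, followed by a check that 4663 events are actually being produced. This is an added example, not part of the original post; it assumes the folder C:\Critical_Folder (the one named in the rule variable below) and that no domain Group Policy overrides the local audit setting.

```powershell
# Added example (not from the original post): configure folder auditing from an
# elevated PowerShell prompt and confirm that event 4663 is being written.
# Assumes the folder C:\Critical_Folder used in the Wazuh rule variable.
$Folder = 'C:\Critical_Folder'
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# 1. Enable the audit policy. "Audit object access" in the legacy policy editor
#    covers the whole Object Access category; the subcategory that produces 4663
#    for files and folders is "File System". Success auditing is what the
#    out-of-hours rule needs; failures are also worth keeping for probing attempts.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 2. Add the SACL entry (the Auditing tab in the GUI): audit every principal,
#    inherit to subfolders and files, and record successful reads, writes and deletes.
$acl    = Get-Acl -Path $Folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl   # writing a SACL needs SeSecurityPrivilege (run as Administrator)

# 3. Trigger an access and read back the resulting 4663 events. SubjectUserName
#    and ObjectName are the fields the Wazuh rules key on later.
Get-ChildItem -Path $Folder | Out-Null
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $d['SubjectUserName']
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
            Process = $d['ProcessName']
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Format-Table -AutoSize
```

If the last command prints nothing, check `auditpol /get /subcategory:"File System"` first: when a domain Group Policy manages audit settings, or "Audit: Force audit policy subcategory settings" is enabled, the effective policy comes from there rather than from the local setting, and the SACL alone will not produce events.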

Wazuh Configuration

Wazuh Agent

By default, the Wazuh agent does not collect event ID 4663: the Security eventchannel localfile in C:\Program Files (x86)\ossec-agent\ossec.conf ships with a query that filters it out (EventID != 4663, alongside other noisy event IDs). Remove that clause from the query so that 4663 is forwarded to the manager.

After removing the negation of this EventID, your localfile should look like the following:


  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

Note: You can also use centralized configuration (agent.conf, pushed from the manager) to apply this change to a group of agents instead of editing ossec.conf on each host. See the Wazuh documentation on centralized configuration for details.

Monitor folder access: Wazuh Manager

The last part is adding rules on the manager that match event ID 4663 for the folders listed in a CriticalFolders variable, and that raise an alert whenever one of them is accessed outside office hours.

Edit /var/ossec/etc/rules/local_rules.xml and add this:

<var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var>

<group name="windows, windows_security,">
  <rule id="100111" level="0">
     <if_sid>60103</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <field name="win.eventdata.objectName">$CriticalFolders</field>
     <description>Object access information into critical folders</description>     
     <options>no_full_log</options>
  </rule>

  <rule id="100112" level="10">
     <if_sid>100111</if_sid>
     <time>5pm - 8am</time>
     <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder out of office hours.</description>    
     <options>no_full_log</options>
  </rule>
</group>

Notes:

  • The CriticalFolders variable lists every folder you want to monitor, separated by |. Each path separator is written as \\\\ because the backslash is an escape character in Wazuh regular expressions and the path already arrives escaped in the decoded event field. The field match is a regular expression, so files and subfolders beneath the listed paths match as well.
  • Rule 100111 has level 0, so an access during office hours produces no alert on its own; it only exists as the parent that rule 100112 builds on.
  • The time range in rule 100112 is interpreted in the timezone of the Wazuh manager, not of the agent.

After restarting the Wazuh agent (so the new eventchannel query takes effect) and the Wazuh manager (so the new rules are loaded) you are set to monitor access and get alerted. You can confirm that the rules parse and match as intended with the manager's logtest tool (/var/ossec/bin/wazuh-logtest; ossec-logtest in older releases) before relying on the alerts:

Monitor Folder Access: Alert summary.
