How to monitor folder access on Windows

by Elwali Karkoub | Wazuh 3.11

Wazuh can help you monitor folder access on Windows systems by collecting the events that Windows generates once the Audit object access group policy is enabled.

Monitor folder access: Windows configuration

Open your Windows Local group policy editor and navigate to Audit policy. There are different audit policies for you to enable; the one you are looking for is Audit object access:

Now you need to enable auditing on each folder you want to be notified about. To do so, open the folder properties and go to Security > Advanced:

Click on the Auditing tab and add the rule to monitor user actions:

At this point, whenever a user accesses the folder, Windows will log it under the event ID 4663:

Wazuh Configuration

Wazuh Agent

By default, the agent's Security localfile query excludes event ID 4663, so it is not collected. You need to edit the Security eventchannel localfile in your C:\Program Files (x86)\ossec-agent\ossec.conf file.

After removing the negation of this EventID value, your localfile should look like the following:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>
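To confirm that the edit actually took effect before restarting the agent, the exclusion list in the query can be read back programmatically. The following Python script is an added example (not code from the post or from Wazuh): it parses a `<localfile>` block, or a whole ossec.conf, and reports which EventIDs the Security query still filters out. The "default" sample below is constructed from the post's query with `EventID != 4663` put back, to show the before/after difference.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Security <localfile> as it looks before the edit,
# with 4663 still on the exclusion list.
DEFAULT_LOCALFILE = """<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>"""

# The same block after removing "EventID != 4663 and", as shown in the post.
EDITED_LOCALFILE = DEFAULT_LOCALFILE.replace("EventID != 4663 and ", "")


def security_query(conf_xml: str) -> str:
    """Return the <query> text of the Security eventchannel localfile.

    Accepts either a bare <localfile> block or a whole ossec.conf. The input is
    wrapped in a synthetic root so a file with several top-level <ossec_config>
    elements still parses. Raises ValueError if no Security localfile exists.
    """
    conf_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_xml)  # drop a leading XML declaration, if any
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    for lf in root.iter("localfile"):
        if lf.findtext("location") == "Security" and lf.findtext("log_format") == "eventchannel":
            return lf.findtext("query") or ""
    raise ValueError("no Security eventchannel <localfile> found")


def excluded_event_ids(conf_xml: str) -> list[int]:
    """Sorted EventIDs filtered out by the query's 'EventID != N' clauses.

    Only that simple negated form (the one the stock query uses) is understood;
    a query written differently yields an empty list.
    """
    return sorted({int(n) for n in re.findall(r"EventID\s*!=\s*(\d+)", security_query(conf_xml))})


def collects_event(conf_xml: str, event_id: int) -> bool:
    """True if the agent would forward events with this ID to the manager."""
    return event_id not in excluded_event_ids(conf_xml)


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_LOCALFILE), ("edited", EDITED_LOCALFILE)):
        print(f"{label}: 4663 collected = {collects_event(conf, 4663)}")
```

Run it against the real file with `collects_event(open(r"C:\Program Files (x86)\ossec-agent\ossec.conf").read(), 4663)`; the check only inspects the query text, so it says nothing about whether the Windows audit policy itself is producing 4663 events.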

Note: You can also use centralized configuration to apply this change to a group of agents. You can find more information here.

Monitor folder access: Wazuh Manager

The last part is adding rules on the manager that match event ID 4663 for the folders listed in CriticalFolders and alert us whenever a user accesses them outside office hours.

Edit /var/ossec/etc/rules/local_rules.xml and add this:

<var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var>

<group name="windows,windows_security,">
  <rule id="100111" level="0">
     <if_sid>60103</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <field name="win.eventdata.objectName">$CriticalFolders</field>
     <description>Object access information into critical folders</description>
     <options>no_full_log</options>
  </rule>

  <rule id="100112" level="10">
     <if_sid>100111</if_sid>
     <time>5pm - 8am</time>
     <description>$(win.eventdata.subjectUserName) accessed $(win.eventdata.objectName) folder out of office hours.</description>
     <options>no_full_log</options>
  </rule>
</group>

Notes:

  • The CriticalFolders variable holds the regular expression that lists every folder you want to monitor.
  • The time range is expressed in the timezone of the Wazuh manager.
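To see how the two rules combine before deploying them, the logic can be modelled in a few lines of Python. The script below is an added example, not part of the post or of Wazuh's own rule engine: it reproduces rule 100111 (EventID 4663 on a path matching CriticalFolders) and rule 100112 (the same, inside the `5pm - 8am` window) over constructed events laid out the way Wazuh's eventchannel decoder names its fields. The `make_event`, `field`, `parse_clock` and `in_time_window` helpers are the example's own; it assumes the `<if_sid>60103</if_sid>` parent condition is met, treats the window start as inclusive and the end as exclusive, and represents the rule's `\\\\` (one literal backslash in the path) as `\\` in a Python raw-string regex.

```python
import re
from datetime import datetime

# Python counterpart of <var name="CriticalFolders">C:\\\\Critical_Folder|C:\\\\Critical_Folder2</var>.
# The rule's "\\\\" stands for one literal backslash in the decoded path; a raw-string
# Python regex writes that single backslash as "\\".
CRITICAL_FOLDERS = re.compile(r"C:\\Critical_Folder|C:\\Critical_Folder2")


def field(event, dotted):
    """Look up a decoded field by its Wazuh dotted name, e.g. 'win.system.eventID'."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    return node if isinstance(node, str) else ""


def parse_clock(text):
    """'5pm' -> 1020, '8:30am' -> 510, '12am' -> 0 (minutes since midnight)."""
    m = re.fullmatch(r"\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)\s*", text.lower())
    if not m:
        raise ValueError(f"unsupported clock time: {text!r}")
    hour, minute, meridian = int(m.group(1)) % 12, int(m.group(2) or 0), m.group(3)
    if meridian == "pm":
        hour += 12
    return hour * 60 + minute


def minutes_of_day(when):
    """Accept a datetime or an ISO-8601 string ('2024-01-15 23:30') and return minutes since midnight."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return when.hour * 60 + when.minute


def in_time_window(when, window="5pm - 8am"):
    """True if `when` (manager-local time, like Wazuh's <time>) falls inside the range.

    Start is inclusive and end exclusive (assumption). A range whose start is later
    than its end, such as 5pm - 8am, wraps past midnight.
    """
    start_txt, end_txt = window.split("-", 1)
    start, end, now = parse_clock(start_txt), parse_clock(end_txt), minutes_of_day(when)
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate(event, when, window="5pm - 8am"):
    """Apply rules 100111/100112 to one decoded event.

    Returns (rule_id, level, description) for the most specific matching rule, or
    None when rule 100111's conditions fail. Rule 60103 (if_sid) is assumed satisfied.
    """
    if field(event, "win.system.eventID") != "4663":
        return None
    obj = field(event, "win.eventdata.objectName")
    if not CRITICAL_FOLDERS.search(obj):   # unanchored, like the <field> regex in the rule
        return None
    if in_time_window(when, window):       # child rule 100112 overrides its parent
        user = field(event, "win.eventdata.subjectUserName")
        return (100112, 10, f"{user} accessed {obj} folder out of office hours.")
    return (100111, 0, "Object access information into critical folders")   # level 0: no alert


def alerts(timed_events, window="5pm - 8am"):
    """Return (rule_id, description) for every event whose matching rule has level > 0."""
    out = []
    for when, event in timed_events:
        hit = evaluate(event, when, window)
        if hit and hit[1] > 0:
            out.append((hit[0], hit[2]))
    return out


def make_event(event_id, user, path):
    """Build a minimal decoded event in the nested layout Wazuh's eventchannel decoder produces."""
    return {"win": {"system": {"eventID": event_id},
                    "eventdata": {"subjectUserName": user, "objectName": path}}}


# Constructed sample events with their manager-local timestamps.
SAMPLE_TIMED_EVENTS = [
    ("2024-01-15 23:30", make_event("4663", "alice", r"C:\Critical_Folder\payroll.xlsx")),  # alert
    ("2024-01-15 10:00", make_event("4663", "alice", r"C:\Critical_Folder\payroll.xlsx")),  # office hours
    ("2024-01-16 02:15", make_event("4663", "bob", r"C:\Critical_Folder2")),              # alert, after midnight
    ("2024-01-16 02:15", make_event("4663", "bob", r"C:\Users\bob\notes.txt")),           # not a critical folder
    ("2024-01-16 02:15", make_event("4656", "bob", r"C:\Critical_Folder")),               # not event 4663
]


if __name__ == "__main__":
    for rule_id, description in alerts(SAMPLE_TIMED_EVENTS):
        print(rule_id, description)
```

Two things the model makes visible: the daytime access matches rule 100111 at level 0, so it is recorded but never alerted, and the `objectName` regex is a substring match, so files inside the folder match (which is what you want) but so would a sibling such as `C:\Critical_Folder_archive`; anchor the pattern, as the post does with `^4663$` for the event ID, if that matters.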

After restarting your Wazuh agent and manager you are set to monitor access and get alerted:

References

If you have any questions about this, join our community. Our team and contributors will help you.