FIM, FAAM, details & False Positives
-
Windows environment:
Does anyone know of any solutions for File Integrity Monitoring and / or File Access Auditing and Monitoring that can differentiate between explorer.exe getting basic file info (example: for a detailed file view or checking file attributes) vs a user actually accessing the file contents.
I've done some digging and, it looks like the functionality was introduced in Server 2016 / W10 as the "Audit Detailed File Share" group policy option. The only commercial product that I've seen that discusses or seems to leverage this is Rapid7's InsightIDR. Since we know the error code it generates it's reasonable to assume that something like Wazuh or Greylog could be setup to monitor for this event and alert based on it's contents, but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.
-
@notverypunny said in FIM, FAAM, details & False Positives:
but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.
Wazuh and Greylog ARE off the shelf and in no way whatsoever "rolling your own." Rolling your own means assembling parts that don't do the job alone into a system that does do the job. Totally not what is happening here.
-
@scottalanmiller said in FIM, FAAM, details & False Positives:
@notverypunny said in FIM, FAAM, details & False Positives:
but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.
Wazuh and Greylog ARE off the shelf and in no way whatsoever "rolling your own." Rolling your own means assembling parts that don't do the job alone into a system that does do the job. Totally not what is happening here.
@scottalanmiller I hear you. But I also know what management is generally willing to go with as far as solutions... I'll almost always propose / suggest the open-source options if they make sense to me, but they rarely win out over the commercial products.
To come back around to my initial question, what I see is that the Audit Detailed File Share option is an all or nothing deal for the server, so having this activated for a specific department would require a dedicated fileserver, unless there's something that I've missed.
-
@notverypunny said in FIM, FAAM, details & False Positives:
@scottalanmiller I hear you. But I also know what management is generally willing to go with as far as solutions... I'll almost always propose / suggest the open-source options if they make sense to me, but they rarely win out over the commercial products.
Just saying, the reason that you gave isn't applicable here. If management is against open source, then say THAT, not something unrelated. If they are truly against rolling their own, then once you inform them that this isn't at all rolling their own, then they'd not consider that. If they are lying about rolling their own and mean open source, don't repeat the misinformation because obviously we have to correct it.
Never repeat known bad information, that makes it your bad information. Clients tell me incorrect things all of the time, or just flat out lie, but I don't repeat that as is when I know it's false. I either don't repeat it, or I explain "they lie and say X but mean Y".
-
@notverypunny said in FIM, FAAM, details & False Positives:
The only commercial product that I've seen that discusses or seems to leverage this is Rapid7's InsightIDR.
Keep in mind that Greylog is a commercial product and is not open source. It used to be open source, now it is not. They claim to be, but they don't qualify.
