Wazuh Windows Folder Access Monitoring
-
So I ended up getting the go-ahead to build this out and for the time being have a stock setup running with the out-of-the box baselines for compliance and security.
Since one of the selling points was to get greater visibility into file and folder access I've been trying to get it to play with the AuditDetailedFileShare settings mentioned in my initial post.
Does anyone have any guides / resources / pointers as far as how I can configure the FAAM aspect of things based on event 5145? I've tried adapting the information here: https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/.
I can see the events on the server but can't seem to get them to flow into Wazuh.
I've removed the relevant negation on the agent, and added an entry in the local rules on the server (wazuh-manager). I know that the following rule is pretty wide open and would create a stupid amount of overhead in production, but I'm still at the debugging point of things...

    <!-- local_rules.xml: rules must sit inside a <group>; if_sid 60000 ties it to the Windows eventchannel decoder -->
    <group name="windows,">
      <rule id="100111" level="5">
        <if_sid>60000</if_sid>
        <field name="win.system.eventID">^5145$</field>
        <description>Object access information into critical folders</description>
      </rule>
    </group>

Services have been restarted on the file-share server and wazuh-manager.
I've played around in the file share, creating log entries (Event Viewer) on the Windows host with the desired event ID, but am not seeing anything in the events for the agent in the interface on Kibana. Am I wrong in thinking that the rule needs to be configured on the manager? Is it supposed to be on the Elastic Stack/Kibana server? I'm sure it'll be one of those "I'm such a dumbass" moments when I get the answer, but if anyone can point me in the right direction it'd be appreciated.
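An added example, not from the original post or the linked Wazuh blog, of the two halves the question is about: the agent-side eventchannel block that lets 5145 through, and the manager-side rule pair in local_rules.xml that first catches every 5145 and then narrows to one share. The rule ids, the share name "Finance" and the shortened exclusion query are assumptions for this example.

```xml
<!-- AGENT side (ossec.conf on the Windows file server).
     Assumption: the stock query with "EventID != 5145" removed; the two
     exclusions left here are illustrative, keep the rest of the shipped list. -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5156 and EventID != 5157]</query>
</localfile>

<!-- MANAGER side (/var/ossec/etc/rules/local_rules.xml), NOT the Kibana host.
     Rule ids 100111/100112 and the share "Finance" are assumed values. -->
<group name="windows,windows_security,file_share,">

  <!-- Parent: every 5145 (detailed file share access). Level 3, not 0,
       so it is still written to alerts.json and visible in Kibana
       (the manager's default log_alert_level is 3). -->
  <rule id="100111" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^5145$</field>
    <description>Windows: network share object accessed (5145)</description>
  </rule>

  <!-- Child: only the share we care about. Matching on the share name suffix
       leaves out IPC$ and admin-share noise without needing a backslash regex. -->
  <rule id="100112" level="7">
    <if_sid>100111</if_sid>
    <field name="win.eventdata.shareName">Finance$</field>
    <description>Share access on $(win.eventdata.shareName): $(win.eventdata.subjectUserName) from $(win.eventdata.ipAddress) touched $(win.eventdata.relativeTargetName) (mask $(win.eventdata.accessMask))</description>
    <group>pci_dss_10.2.4,</group>
  </rule>

</group>
```

Before looking in Kibana, paste one raw 5145 JSON line (as the agent forwards it) into /var/ossec/bin/wazuh-logtest on the manager: it reports which rule id and level fired, which separates a rule-loading problem from an agent-forwarding one.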