File monitoring is an important part of any APT or malware detection strategy. And file monitoring is a compliance requirement. For instance, for PCI compliance you need the ability to monitor changes to system files and access to credit card data. So it’s time to do a real training for free ™ event on file auditing. In this webinar I will take you on a deep dive of file access auditing in Windows. The general steps in file auditing are:
- Enabling file auditing at the system level
- Configuring folder/file level auditing
- Allowed/denied
- Which users/groups
- Which permissions
- Watching for the appropriate events
- Interpreting the details of the events
We will dive into the details of each one of these steps and do some live demos on my lab system. We will specifically cover event IDs
- 4656 - A handle to an object was requested
- 4658 - The handle to an object was closed
- 4659 - A handle to an object was requested with intent to delete
- 4660 - An object was deleted
- 4663 - An attempt was made to access an object
- 4670 - Permissions on an object were changed
We will look at practical ways to deal with some of the challenges in file auditing. For instance how do you configure consistent audit policy across multiple systems? And how do you limit auditing to specific file types? The NTFS audit policy doesn’t provide support for wildcards. But we’ll look at how you might work around these issues with group policy.
Then of course there is the matter of collecting, analyzing and alerting on file access events. You really need not just a SIEM for this but a SIEM with some real knowledge engineering to make sense of the cryptic events Windows generates.
One of the other big challenges you have to deal with in Windows file auditing is noise. There’s some limited things you can do in audit configuration to reduce noise. But with Windows NTFS file auditing there’s no way to get rid of noise.
Our sponsor, SolarWinds Log & Event Manager (LEM), has responded to this and other challenges in native file auditing by adding purpose-built technology to their LEM agent that performs its own file monitoring and events generation. The cool thing is that thanks to SolarWinds’ event normalization, LEM’s analysis components like filters, alerts and reports treat file access events generated by native NTFS auditing or the LEM agent the same. So you can mix and match native NTFS auditing with LEM file integrity monitoring without creating redundant analysis logic or having to review double the reports.
This is real training for free ™; don’t miss it! Please register now.