Thanks a lot Bruce,
It's working great...
-Deepak.
On Wednesday, April 11, 2018 at 8:43:55 PM UTC+5:30, Bruce Westbrook wrote:
>
> Sure thing. There are three steps involved:
>
> 1. Enable Windows Audit Policy for File System Objects
> 2. Configure the server's audit policy appropriately for the files and/or
> directories that need to be watched
> 3. Configure custom rules in OSSEC to trigger on file add/change/delete
> events
>
> I attached a Word doc that contains the details that I copied/pasted from
> my own OSSEC procedures. Once completed and assuming you have email
> notifications enabled, you'll see real-time email alerts like this, which
> will give you the user account name:
>
> OSSEC HIDS Notification.
> 2018 Apr 11 09:57:22
>
>
> Received From: ([SERVER]) any->WinEvtLog
> Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
> User: [USER_ACCOUNT]
> Portion of the log(s):
>
>
> 2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-
> Windows-Security-Auditing: (no user): no domain: [SERVEDR]: A handle to
> an object was requested with intent to delete. Subject: Security ID: [
> SID] Account Name: [USER_ACCOUNT] Account Domain: [DOMAIN] Logon ID:
> 0xa4dbac32 Object: Object Server: Security Object Type: File Object
> Name: [FULL_PATH_AND_FILE_NAME] Handle ID: 0x0 Process Information:
> Process ID: 0x4 Access Request Information: Transaction ID: {00000000-
> 0000-0000-0000-000000000000} Accesses: %%1537 %%4423 Access
> Mask: 0x10080 Privileges Used for Access Check: -
>
>
> Hope that works for what you need!
>
> - Bruce
>
>
> On Wednesday, April 11, 2018 at 10:27:17 AM UTC-4,
> [email protected] wrote:
>>
>>
>> Yes Bruce,
>> This is for a Windows agent. Can you let me know about that?
>>
>> - Deepak.
>>
>> On Wednesday, April 11, 2018 at 7:52:35 PM UTC+5:30, Bruce Westbrook
>> wrote:
>>>
>>> Is this for a Windows agent or Linux agent?
>>>
>>> If Windows, I can let you know what I've done to accomplish this, which
>>> doesn't use OSSEC syscheck but rather a combination of Windows File Auditing
>>> and customized OSSEC rules.
>>>
>>> - Bruce
>>>
>>>
>>> On Wednesday, April 11, 2018 at 10:18:10 AM UTC-4,
>>> [email protected] wrote:
>>>>
>>>> I'm using OSSEC HIDS
>>>>
>>>> From this I'm getting the alerts based on all events. But I need to
>>>> know the *user who modified the specific file*.
>>>> Is this possible?
>>>>
>>>
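Bruce's attached Word doc with the rule details is not part of this page, so what follows is an added example (mine, not Bruce's procedures and not OSSEC's own code) in Python showing the detection logic his step 3 rule has to implement: take the one-line WinEvtLog event that file auditing produces, pull out the Subject account name, the object path and the access mask, and fire only for successful audits of files under a watched directory. The event layout, event 4659, rule id 100221 and its description are taken from the alert quoted above; the 4663 "modified" case and its rule id 100222, the watched path, the host name and the account values in the sample lines are my assumptions, and both sample lines are constructed.

```python
"""Parse OSSEC-flattened Windows Security events (4659 "intent to delete",
4663 "access attempted") and apply a FIM-style rule to them, mirroring the
custom OSSEC rule described in the thread. Standard library only."""
import re

# Access-mask bits for file objects (documented Windows constants); the 0x10080
# in the thread's event is DELETE | FILE_READ_ATTRIBUTES.
FILE_ACCESS_BITS = {
    0x00001: "FILE_READ_DATA", 0x00002: "FILE_WRITE_DATA",
    0x00004: "FILE_APPEND_DATA", 0x00008: "FILE_READ_EA",
    0x00010: "FILE_WRITE_EA", 0x00020: "FILE_EXECUTE",
    0x00040: "FILE_DELETE_CHILD", 0x00080: "FILE_READ_ATTRIBUTES",
    0x00100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
DELETE = 0x10000
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100  # content or attributes changed

# The "%%NNNN" tokens in "Accesses:" are Windows message-table ids for rights.
ACCESS_TOKENS = {"%%1537": "DELETE", "%%4417": "WriteData",
                 "%%4418": "AppendData", "%%4423": "ReadAttributes"}

# OSSEC flattens an event to: "[timestamp] WinEvtLog: <channel>:
# <status>(<event id>): <source>: <user>: <domain>: <host>: <message>"
HEADER_RE = re.compile(
    r"^(?:\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} )?WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)
# The first "Account Name:" is the Subject, i.e. who touched the file.
FIELD_RES = {
    "account_name": re.compile(r"Account Name: (\S+)"),
    "account_domain": re.compile(r"Account Domain: (\S+)"),
    "object_name": re.compile(r"Object Name: (.*?) Handle ID:"),
    "process_id": re.compile(r"Process ID: (0x[0-9a-fA-F]+)"),
    "access_mask": re.compile(r"Access Mask: (0x[0-9a-fA-F]+)"),
    "accesses": re.compile(r"Accesses: ((?:%%\d+ ?)+)"),
}


def parse_winevtlog(line):
    """Return a dict of decoded fields, or None if this is not a WinEvtLog line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["event_id"] = int(event["event_id"])
    for key, rx in FIELD_RES.items():
        fm = rx.search(event["message"])
        event[key] = fm.group(1) if fm else None
    event["access_mask"] = int(event["access_mask"], 16) if event["access_mask"] else 0
    event["accesses"] = [ACCESS_TOKENS.get(t, t) for t in (event["accesses"] or "").split()]
    return event


def decode_access_mask(mask):
    """Expand an access mask into right names, lowest bit first; unknown bits are kept."""
    names = [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]
    leftover = mask & ~sum(FILE_ACCESS_BITS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def evaluate(event, watched_paths):
    """Fire only for successful audits of files under a watched path.
    Rule 100221 and its text come from the thread; 100222 is an assumed id."""
    if event is None or event["status"] != "AUDIT_SUCCESS":
        return None
    obj = event["object_name"] or ""
    if not any(obj.lower().startswith(p.lower()) for p in watched_paths):
        return None
    mask = event["access_mask"]
    if event["event_id"] == 4659 and mask & DELETE:
        rule_id, text = 100221, "FIM: Audited file has been DELETED."
    elif event["event_id"] == 4663 and mask & WRITE_BITS:
        rule_id, text = 100222, "FIM: Audited file has been MODIFIED."
    else:
        return None
    return {"rule_id": rule_id, "level": 7, "description": text,
            "user": event["account_name"], "domain": event["account_domain"],
            "object": obj, "host": event["host"], "rights": decode_access_mask(mask)}


def format_alert(alert):
    """Render in the shape of the OSSEC e-mail notification quoted in the thread."""
    return (f'Rule: {alert["rule_id"]} fired (level {alert["level"]}) -> '
            f'"{alert["description"]}"\nUser: {alert["user"]}\n'
            f'File: {alert["object"]} ({", ".join(alert["rights"])})')


# Constructed samples: the thread's 4659 event with made-up values in place of the
# redacted placeholders, plus an assumed 4663 write event for the same file.
SAMPLE_4659 = (
    "2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: FILESRV01: "
    "A handle to an object was requested with intent to delete. Subject: "
    "Security ID: S-1-5-21-1111-2222-3333-1001 Account Name: jdoe Account Domain: "
    "CORP Logon ID: 0xa4dbac32 Object: Object Server: Security Object Type: File "
    "Object Name: C:\\Shares\\Finance\\budget.xlsx Handle ID: 0x0 Process "
    "Information: Process ID: 0x4 Access Request Information: Transaction ID: "
    "{00000000-0000-0000-0000-000000000000} Accesses: %%1537 %%4423 Access Mask: "
    "0x10080 Privileges Used for Access Check: -"
)
SAMPLE_4663 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: FILESRV01: An attempt was made to access an object. "
    "Subject: Security ID: S-1-5-21-1111-2222-3333-1001 Account Name: jdoe Account "
    "Domain: CORP Logon ID: 0xa4dbac32 Object: Object Server: Security Object Type: "
    "File Object Name: C:\\Shares\\Finance\\budget.xlsx Handle ID: 0x1a4 Process "
    "Information: Process ID: 0xf3c Process Name: C:\\Windows\\explorer.exe Access "
    "Request Information: Accesses: %%4417 %%4418 Access Mask: 0x6"
)

if __name__ == "__main__":
    for line in (SAMPLE_4659, SAMPLE_4663):
        alert = evaluate(parse_winevtlog(line), ["C:\\Shares\\Finance\\"])
        if alert:
            print(format_alert(alert), end="\n\n")
```

The watched-path check is the Python counterpart of Bruce's step 2: Windows only writes 4659/4663 for objects that carry an audit entry (SACL), and step 1 (the "File System" subcategory of Object Access auditing, e.g. `auditpol /set /subcategory:"File System" /success:enable`) has to be on or nothing is logged at all. In a real deployment this logic lives in OSSEC's `local_rules.xml` as a rule chained off the Windows audit-success rule (`<if_sid>18101</if_sid>`) with `<id>^4659$</id>` and a `<match>` on the watched path; the account name in the alert's `User:` line is the Subject "Account Name:" field this parser extracts.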