You're welcome. Glad to hear it works for someone else and not just me! :-)
On Thu, Apr 12, 2018 at 9:46 AM, <[email protected]> wrote:
> Thanks a lot Bruce,
>
> It's working great...
>
> -Deepak.
>
>
> On Wednesday, April 11, 2018 at 8:43:55 PM UTC+5:30, Bruce Westbrook wrote:
>>
>> Sure thing. There are three steps involved:
>>
>> 1. Enable Windows Audit Policy for File System Objects
>> 2. Configure the server's audit policy appropriately for the files and/or
>> directories that need to be watched
>> 3. Configure custom rules in OSSEC to trigger on file add/change/delete
>> events
>>
>> I attached a Word doc that contains the details that I copied/pasted from
>> my own OSSEC procedures. Once completed and assuming you have email
>> notifications enabled, you'll see real-time email alerts like this, which
>> will give you the user account name:
>>
>> OSSEC HIDS Notification.
>> 2018 Apr 11 09:57:22
>>
>> Received From: ([SERVER]) any->WinEvtLog
>> Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
>> User: [USER_ACCOUNT]
>> Portion of the log(s):
>>
>> 2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: [SERVER]: A handle to an object was requested with intent to delete. Subject: Security ID: [SID] Account Name: [USER_ACCOUNT] Account Domain: [DOMAIN] Logon ID: 0xa4dbac32 Object: Object Server: Security Object Type: File Object Name: [FULL_PATH_AND_FILE_NAME] Handle ID: 0x0 Process Information: Process ID: 0x4 Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: %%1537 %%4423 Access Mask: 0x10080 Privileges Used for Access Check: -
>>
>> Hope that works for what you need!
>>
>> - Bruce
>>
>>
>> On Wednesday, April 11, 2018 at 10:27:17 AM UTC-4, [email protected] wrote:
>>>
>>> Yes Bruce,
>>> this is for the Windows agent. Can you let me know about that?
>>>
>>> - Deepak.
>>>
>>> On Wednesday, April 11, 2018 at 7:52:35 PM UTC+5:30, Bruce Westbrook wrote:
>>>>
>>>> Is this for a Windows agent or Linux agent?
>>>>
>>>> If Windows I can let you know what I've done to accomplish this, which
>>>> doesn't use OSSEC syscheck but rather a combination of Windows File Auditing
>>>> and customized OSSEC rules.
>>>>
>>>> - Bruce
>>>>
>>>>
>>>> On Wednesday, April 11, 2018 at 10:18:10 AM UTC-4, [email protected] wrote:
>>>>>
>>>>> I'm using OSSEC HIDS
>>>>>
>>>>> from this I'm getting the alerts based on all events. But I need to
>>>>> know the *user who modified the specific file*.
>>>>> Is this possible?
>>>>>
>>>> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
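As an added example (not from the thread and not from Bruce's attached doc), the first two of the three steps above as a PowerShell script run on the Windows agent: it enables auditing for the File System subcategory and adds a SACL audit entry for delete and write access on a watched directory, which is what makes Windows log the 4659 event shown in the alert. `C:\Watched` and the `Everyone` principal are placeholders, the script must run elevated, and the OSSEC custom rule (step 3) is not shown.

```powershell
# Added example; assumes an elevated shell and a placeholder watch path.
param(
    [string]$Path = 'C:\Watched'   # placeholder: directory to watch
)

# Step 1: enable Object Access > File System auditing (success and failure).
# Without this subcategory enabled, SACL entries produce no events at all.
# Note: a domain GPO that sets audit policy can override a local auditpol change.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# Step 2: add a SACL entry on the directory so that delete and write requests
# by any account are audited. Delete access requests surface as event 4659
# (handle requested with intent to delete); writes surface as event 4663.
$identity  = [System.Security.Principal.NTAccount]'Everyone'   # placeholder principal
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $flags)

# Get-Acl -Audit reads the SACL; writing it back needs SeSecurityPrivilege.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit rules now present on the directory, including inherited ones.
$acl = Get-Acl -Path $Path -Audit
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Once the SACL is in place, deleting a file under the watched directory should produce a 4659 event in the Security log whose Account Name field is what the OSSEC rule reports as User.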
