News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
May 26, 2023 strategy

How can I monitor file access on Windows?

By Tamás Burtics

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

Why do you want to monitor who accessed a particular file?

Files are one of the primary forms of storing information. It is common practice for companies to store data in files that hold valuable, sometimes sensitive, information. What could this "important" data be? Of course, I am not talking about the company’s last team-building pictures. I’m afraid that’s not what the bad guys are interested in. They will likely be more interested in business plans, financial or personal data.

Besides that, it’s important to see who is acting suspicious within your organization. There are numerous security reasons why you would like to see who accessed or tried to access a particular file or folder.

Monitor assignment of secure access controls

Almost all compliance mandates start with putting protection in place around files containing sensitive data. Questions you may ask:

  • Are the correct permissions assigned for the job role?

  • Is the proper user or group selected during the permission assignment?

  • Are the users attempting to make changes that they are allowed to do so?

Monitor access to and usage of protected data

Compliance is a continual journey where IT must ensure their environment adheres to certain regulations. Your security team should have continuous visibility of who is accessing files, when, and from where. Having this information in real-time is paramount to remaining vigilant against inappropriate access by malicious insiders and external attackers.

Measure access control strength

It’s unfortunate but common for IT to allow Active Directory to evolve organically. Group memberships are rarely attested to, let alone permissions and nested group memberships checked, resulting in users having over-permissions and having access to data they should not have.

Detect breaches

While organizations want to avoid a data breach (and, therefore, a compliance breach), it remains a possibility. Thankfully, as long as the data resides on a Windows file server, there will be definite indicators. If your logging setup is correct, you should be able to discover abnormalities in file activity, like non-standard access times or large amounts of data accessed in a short period.

Enabling file auditing on Windows

There are two simple things you need to do in Windows.

  • Enable Audit Object Access via a Group Policy Object

  • Enable file auditing on a file or folder you want to monitor

Enabling Audit Object Access via a Group Policy Object

You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

enabling audit object access
Figure 1. Enabling Audit Object Access in Windows
Note
The above image shows a Local Group Policy Editor in Windows 10. The settings are the same in an Active Directory environment where policy is made domain or forest-wise.

Enabling file auditing on a file or folder you want to monitor

There is a great and simple explanation in the Microsoft documentation about how to enable file auditing on specific files or folders. See, Apply a basic audit policy on a file or folder.

Enabling file auditing will allow the operating system to add two events to the Windows Event Log: Event ID 4663 and Event ID 4656. I will focus on these two events here; specifically, how to get the required information out of these in a way that is easy to understand and process further.

  • Event ID 4663 - An attempt was made to access an object.

  • Event ID 4656 - A handle to an object was requested.

There is official documentation and explanation in the Microsoft documentation about them: Event ID 4663 and Event IT 4656.

How can NXLog help you in auditing your files?

Once you finish the above and the events in question are present in the Windows Event Log, you can fire up NXLog Enterprise Edition and see what these logs look like when collected. For testing, let’s collect the log record with all the original data and see what information is available.

Example 1. Collecting Event ID 4663 in its original form

This configuration collects Event ID 4656 and Event ID 4663 as is. I only set the configuration to present the output in JSON format so the data is more readable. JSON is also an excellent choice if you want to process it further.

<Extension json>
    Module         xm_json
    PrettyPrint    TRUE
</Extension>

<Input fileaudit>
    Module         im_msvistalog
        <QueryXML>
            <QueryList>
            <Query Id="0" Path="Security">
            <Select Path="Security">*[System[(EventID=4656 or EventID=4663)]]</Select>
            </Query>
            </QueryList>
        </QueryXML>
</Input>

The output is in JSON format. As you can see, the result includes too much information for our needs. Nevertheless, it is a good example; I will eliminate the unnecessary fields in my next example.

{
    "EventTime": "2023-05-02T00:51:53.200993-07:00",
    "Hostname": "IMPORTANT-COMPUTER",
    "Keywords": "9232379236109516800",
    "LevelValue": 0,
    "EventType": "AUDIT_SUCCESS",
    "SeverityValue": 2,
    "Severity": "INFO",
    "EventID": 4663,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "Version": 1,
    "TaskValue": 12800,
    "OpcodeValue": 0,
    "RecordNumber": 866208,
    "ExecutionProcessID": 4,
    "ExecutionThreadID": 7792,
    "Channel": "Security",
    "Message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-12-1-3226568308-1140053887-2796057524-3382768311\r\n\tAccount Name:\t\tJohnDoe\r\n\tAccount Domain:\t\tNXLog\r\n\tLogon ID:\t\t0x3D62A\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\test\r\n\tHandle ID:\t\t0x2960\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x11a0\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadData (or ListDirectory)\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x1",
    "Category": "File System",
    "Opcode": "Info",
    "Level": "Information",
    "SubjectUserSid": "S-1-12-1-3226568308-1140053887-2796057524-3382768311",
    "SubjectUserName": "JohnDoe",
    "SubjectDomainName": "NXLog",
    "SubjectLogonId": "0x3d62a",
    "ObjectServer": "Security",
    "ObjectType": "File",
    "ObjectName": "C:\\test",
    "HandleId": "0x2960",
    "AccessList": "%%4416\n\t\t\t\t",
    "AccessMask": "0x1",
    "ProcessId": "0x11a0",
    "ProcessName": "C:\\Windows\\explorer.exe",
    "ResourceAttributes": "S:AI",
    "EventReceivedTime": "2023-05-02T00:51:54.825393-07:00",
    "SourceModuleName": "fileaudit",
    "SourceModuleType": "im_msvistalog"
}
Example 2. Collecting Event ID 4663 and trimming the event fields

This configuration builds on the previous one. It collects the same Event IDs, but I added the xm_rewrite module to trim unnecessary fields and only retain the fields we need. This is important not only from the manageability point of view but from the perspective of data storage size on large scales.

Within the xm_rewrite module, the Keep directive is used to keep the selected fields, and the Rename directive is utilized to rename some of the fields to more obvious ones.

At the end of the im_msvistalog module block, I included a line to instruct the module to use the configuration in the xm_rewrite module block to process the data.

The renaming might not be suitable for your environment, and I solely used the naming to represent the possibilities that NXLog Enterprise Edition can give you.

<Extension json>
    Module         xm_json
    PrettyPrint    TRUE
</Extension>

<Extension rewrite>
    Module         xm_rewrite
    Keep           EventTime ,Hostname, EventType, EventID, Category, SubjectUserName, SubjectDomainName, ObjectType, ObjectName,
    Rename         EventTime, When 
    Rename         Hostname, Where
    Rename         EventType, Result
    Rename         SubjectUserName, Who
    Rename         SubjectDomainName, DomainName
</Extension>

<Input fileaudit>
    Module         im_msvistalog
        <QueryXML>
            <QueryList>
            <Query Id="0" Path="Security">
            <Select Path="Security">*[System[(EventID=4656 or EventID=4663)]]</Select>
            </Query>
            </QueryList>
        </QueryXML>
    Exec           rewrite->process();
</Input>

The output is in JSON format but very different from the previous one. With a simple configuration change, I filtered out what was unnecessary in our case. The example speaks for itself; you can see how much more readable it is.

In addition, the difference between the two output files is 1.9kB versus 278 bytes (on my file system), the latter being seven times smaller than the former. Think about your last SIEM invoice; you’ll then understand why the size of log files matter, and how NXLog Enterprise Edition can make a huge difference in the cost of log management.

{
    "When": "2023-04-27T22:52:26.138469-07:00",
    "Where": "IMPORTANT-COMPUTER",
    "Result": "AUDIT_SUCCESS",
    "EventID": 4663,
    "Category": "File System",
    "Who": "JohnDoe",
    "DomainName": "NXLog",
    "ObjectType": "File",
    "ObjectName": "C:\\test"
}

Conclusion

Apart from restating the obvious that monitoring file access is paramount, it is also relatively simple with the right tool. With NXLog Enterprise Edition, you can easily extract the data from Windows Event Log, trim out the noisy data, and at the same time do the finance department a favor by reducing the size of data you send to your SIEM.

Tip
You can also use the techniques described here to trim any other entries from the Windows Event Log.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • security
  • strategy
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Making the most of Windows Event Forwarding for centralized log collection
6 minutes | December 17, 2018
DNS Log Collection on Windows
8 minutes | May 28, 2020
Security logging on Windows - beyond 4625
5 minutes | June 28, 2022

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us