Auditbeat File Integrity (Windows OS) Doesn't Capture WHO Changed Files?

efaile · February 25, 2021, 4:55pm

We need a File Integrity Monitoring solution for Windows OS's - on the server we use as file servers . To further explain "file servers" - not to monitor remotely across shares which is not supported - but directly on the server.

Got the auditbeat 7.10 file integrity module running and reporting into the Elastic/kibana - and was then shocked that although changes to files are being reported (yay) - the person who DID the change is NOT reporting (bad).

I saw a post from 2019 reporting the same issue and am posting again in hopes that there has been improvement in this area (to make FIM meaningful to most commercial users trying to move workloads into Elastic and turn down other software).

Anything new or planned in the roadmap for FIM?

andrewkroh · February 25, 2021, 10:19pm

The APIs that Auditbeat FIM uses to collect this info do not report any user info. You'd have to use the OS'es auditing feature to get that data or use software that has lower level hooks.

Elastic Endpoint Security does report this info in its file events. IIRC it uses a kernel driver to be able to get this low level filesystem data.

efaile · February 25, 2021, 10:32pm

Thanks Andrew. I'm testing on a brand new file server, so auditing may not be enabled. Is that to say that when audit features of the OS are enabled that Elastic/auditbeat would collect/report those?

I will test this through - posting the follow up question to help others as much as myself as the topic is not thoroughly covered anywhere I have found (yet)!

Appreciate the prompt response - thanks!

andrewkroh · February 26, 2021, 4:30am

Windows auditing events are written to the Security event log (Winlogbeat could read them).

system · March 26, 2021, 6:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.