Hello,
I have Windows Client and Windows DFS Server with multiple shares.
I want to monitor File/folder activities aka File Integrity Monitoring.
I already tried Winlogbeat, monitoring Event IDs 4656 and 4663, but I can't differentiate some access permissions between a real user action and a computer action, so the logs are very big and I can't drop them without missing some useful data.
I'm now testing Auditbeat on Windows and I would like to know if it is possible to monitor specific folder paths like this one:
```yaml
auditbeat.modules:
- module: file_integrity
  paths:
    - '%userprofile%/Downloads'
  recursive: false
```
I also tried:
```yaml
paths:
  - 'C/Users/*/Downloads'
```
OR
```yaml
paths:
  - 'C/Users/**/Downloads'
```
But I get errors:
```
Failed to add watch {"file_path": "%userprofile%/Downloads", "error": "GetFileAttributes: Le chemin d’accès spécifié est introuvable."}
```
Is it possible to use an env variable instead of a static path?
If I monitor 'C:\Users' in recursive mode, it logs every action, even the ones done by the computer itself or by apps.
Another solution would be to know how to differentiate a real user action from a computer action.
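One way to approach the last question, as an added example that is not part of the original post: a small Python filter over constructed 4663-style records that keeps only interactive-user access to the per-user Downloads folders and drops activity by machine accounts (names ending in `$`) and the well-known service SIDs S-1-5-18/19/20, so 4663 can be reduced before shipping instead of dropped wholesale. Field names follow the Security log schema for event 4663; the sample records, the process noise list and the DFSR process name are assumptions.

```python
# Added example (not from the original post): reduce 4663 noise by scoping to the
# per-user Downloads folders and dropping machine/service-account activity.
# Field names follow the Windows Security log schema for event 4663; every record
# below is constructed, and the process noise list is an assumption for illustration.
import re
from typing import Dict, List

SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

# Assumption: background processes this site treats as noise even under a real user token.
NOISE_PROCESSES = {r"c:\windows\system32\svchost.exe",
                   r"c:\windows\system32\searchindexer.exe"}

# Matches C:\Users\<any user>\Downloads and anything beneath it, the scope that the
# '%userprofile%/Downloads' configuration above was trying to express.
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads(\\|$)", re.IGNORECASE)


def classify_access(record: Dict[str, str]) -> str:
    """Return 'system', 'background' or 'user' for one 4663-style record."""
    sid = record.get("SubjectUserSid", "")
    name = record.get("SubjectUserName", "")
    if sid in SERVICE_SIDS or name.endswith("$"):
        return "system"      # built-in service account or an AD computer account (name ends in $)
    if record.get("ProcessName", "").lower() in NOISE_PROCESSES:
        return "background"  # genuine user token, but a known background process
    return "user"


def in_downloads(object_name: str) -> bool:
    """True when the accessed object lives in some user's Downloads folder."""
    return bool(DOWNLOADS_RE.match(object_name))


def user_downloads_activity(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only interactive-user access to a Downloads folder; this is the set worth shipping."""
    return [r for r in records
            if classify_access(r) == "user" and in_downloads(r.get("ObjectName", ""))]


SAMPLE_4663 = [  # constructed records, not real log data
    {"SubjectUserSid": "S-1-5-18", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"C:\Users\alice\Downloads\desktop.ini", "AccessMask": "0x80"},
    {"SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\alice\Downloads\report.pdf", "AccessMask": "0x2"},
    {"SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\SearchIndexer.exe",
     "ObjectName": r"C:\Users\alice\Downloads\report.pdf", "AccessMask": "0x1"},
    {"SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "DFS01$",
     "ProcessName": r"C:\Windows\System32\dfsrs.exe",
     "ObjectName": r"C:\Users\bob\Downloads\setup.exe", "AccessMask": "0x1"},
    {"SubjectUserSid": "S-1-5-21-1-2-3-1002", "SubjectUserName": "bob",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\bob\Documents\notes.txt", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for r in user_downloads_activity(SAMPLE_4663):
        print(r["SubjectUserName"], r["ProcessName"], r["ObjectName"])
```

The same split (subject SID and account-name suffix, then process) maps onto a Winlogbeat processor or an ingest pipeline condition, so the filtering can happen before the events reach storage.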