Windows FIM Module - how to use custom path without recursive

Hello,

I have a Windows client and a Windows DFS server with multiple shares.
I want to monitor file/folder activities, aka File Integrity Monitoring.

I already tried with Winlogbeat by monitoring Event IDs 4656 and 4663, but I can't differentiate some access permissions between a real user action and a computer action, so the logs are very big and I can't drop them without missing some useful data.

I'm now testing Auditbeat on Windows and I would like to know if it is possible to monitor specific folder paths like this one:

auditbeat.modules:
- module: file_integrity
  paths:
  - '%userprofile%/Downloads'
  recursive: false

I tried also:

paths:
  - 'C/Users/*/Downloads'

OR

paths:
  - 'C/Users/**/Downloads'

But I get errors:

Failed to add watch	{"file_path": "%userprofile%/Downloads", "error": "GetFileAttributes: Le chemin d’accès spécifié est introuvable."}

Is it possible to use an env variable instead of a static path?

If I monitor 'C:\Users' in recursive mode, it logs every action, even the ones done by the computer itself or apps.

Another solution would be to know how to differentiate a real user action vs a computer action.
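
One way to get literal, non-recursive paths for each user's Downloads folder, shown as an added example that is not part of the original post and is not Auditbeat's own code. It assumes the module needs literal directory paths, as the GetFileAttributes error above indicates; the parameter names and the list of skipped profiles are assumptions.

```powershell
# Added example: expand per-user Downloads folders into literal paths
# and print a file_integrity module block in the layout used in the post.
param(
    [string]$UsersRoot = 'C:\Users',    # profile root named in the post
    [string]$SubFolder = 'Downloads'    # folder to watch inside each profile
)

# Profile folders that do not belong to interactive users (assumed list;
# 'Default User' and 'All Users' are legacy junctions listed by -Force).
$skip = 'Public', 'Default', 'Default User', 'All Users'

# Build one literal path per profile and keep only those that exist,
# so the module is never handed a path it cannot add a watch on.
$paths = Get-ChildItem -LiteralPath $UsersRoot -Directory -Force |
    Where-Object { $skip -notcontains $_.Name } |
    ForEach-Object { Join-Path $_.FullName $SubFolder } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }

if (-not $paths) {
    throw "No '$SubFolder' folders found under $UsersRoot"
}

# Emit YAML to paste under 'auditbeat.modules:'.
$yaml = @('- module: file_integrity', '  paths:')
foreach ($p in $paths) {
    # Single-quoted YAML scalar: backslashes stay literal, quotes are doubled.
    $yaml += "  - '" + ($p -replace "'", "''") + "'"
}
$yaml += '  recursive: false'

$yaml
```

The list is fixed at the time the script runs, so it has to be regenerated when a new user profile is created on the machine.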
