File Access Activity Monitoring

File Access Activity Monitoring (FAAM) uses the native Microsoft Audit Detailed File Share policy, which writes an event ID 5145 record to a Windows system's Security Log every time a file or folder on a network share is accessed. When you enable this auditing on a Windows domain, the Insight Agent collects those 5145 events from your file servers and sends them to InsightIDR.

To set up File Access Activity Monitoring, you’ll need to:

  1. Enable auditing.
  2. Verify the configuration.

At this time, File Access Activity Monitoring is only available on Windows systems and only tracks access to files and folders that is made through a Windows (SMB) share. Access through a local path on the server itself does not generate event 5145 and is not captured.

Enable File Access Activity Auditing

You can enable FAAM at the domain level using the Group Policy Management Editor or on a single machine using the Local Security Policy tool.

To enable File Access Activity Auditing:

  1. Open the Group Policy Management Editor (for a GPO linked to your file servers) or the Local Security Policy tool (for a single machine). Both tools display the same options.
  2. Navigate to the following folder path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. (In Local Security Policy the same subcategories are under Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object.)
  3. Select the Object Access policy. The “Subcategory” pane appears on the right.
  4. Double-click Audit Detailed File Share to open its properties.
  5. On the Policy tab, check Configure the following audit events, then check Success, Failure, or both. Success records access that was granted; Failure records access that was denied.
  6. Click OK to save your changes.
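The same subcategory can be switched on from an elevated PowerShell prompt with the built-in auditpol.exe tool, which is handy for a single file server or for a scripted check that a GPO actually applied. The following is an added example, not part of the InsightIDR documentation or the Insight Agent; the function names are the author's own, and the registry check is an assumption about hosts that rely on the default security option rather than something the page states.

```powershell
# Added example, not InsightIDR code: enable and confirm the "Detailed File Share"
# subcategory on the local machine with auditpol.exe. Run from an elevated
# PowerShell prompt on the file server. This changes only this machine; domain-wide
# rollout still goes through the GPO steps above, and a GPO that configures the
# subcategory overwrites the local value at the next policy refresh.

function Enable-DetailedFileShareAudit {
    # Success + Failure for the subcategory that emits event 5145.
    auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed (exit code $LASTEXITCODE)" }
}

function Get-DetailedFileShareAuditSetting {
    # /r prints CSV; the "Inclusion Setting" column holds the effective value:
    # "No Auditing", "Success", "Failure" or "Success and Failure".
    auditpol.exe /get /subcategory:"Detailed File Share" /r |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq 'Detailed File Share' } |
        Select-Object -ExpandProperty 'Inclusion Setting'
}

function Test-LegacyAuditOverride {
    # Subcategory settings are only honoured when the security option
    # "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings" is in effect. It is stored as
    # SCENoApplyLegacyAuditPolicy = 1. Assumption: the value may be absent on hosts
    # that rely on the default, so "unknown" means "confirm it in Local Security
    # Policy > Security Options" rather than "disabled".
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'unknown' }
    if ($v.SCENoApplyLegacyAuditPolicy -eq 1) { 'enabled' } else { 'disabled' }
}

Enable-DetailedFileShareAudit
$setting = Get-DetailedFileShareAuditSetting
if ($setting -ne 'Success and Failure') {
    throw "Detailed File Share auditing is '$setting'; expected 'Success and Failure'"
}
"Detailed File Share: $setting; legacy-policy override: $(Test-LegacyAuditOverride)"
```

If you enabled the subcategory through a GPO instead, skip the Enable call, run gpupdate /force on the file server, and use Get-DetailedFileShareAuditSetting alone to confirm the policy reached the machine before you start waiting for events in InsightIDR.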

Verify FAAM Configuration

After you enable File Access Activity Auditing, the Insight Agent collects every event with ID 5145 from the Windows Security Log. Windows writes a 5145 event each time a client's access to a network share object (the share itself, or a file or folder beneath it) is checked, so a single file open from a client often produces more than one record, and administrative shares such as IPC$ are audited as well. On a busy file server, Success auditing for this subcategory generates a high volume of events; size the Security Log so that records are not overwritten before the agent collects them. For more information on this event, see Microsoft documentation here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145.

Logs will appear on the Log Search page five to ten minutes after an event occurs.

To verify this configuration is working:

  1. Trigger an event by accessing a file or folder on the Windows share.
  2. In InsightIDR, go to the Log Search page and select the File Access Activity log set.
  3. Browse the logs to see the file access events.

The following is an example of a File Access Activity log:

02 Jan 2019 08:43:38.894
{
  "timestamp": "2019-01-02T14:42:37.850Z",
  "user": "John Smith Admin",
  "account": "jsmith_adm",
  "user_domain": "example.com",
  "source_asset": "yellow.example.com",
  "source_address": "192.168.0.162",
  "service": "Windows File Share",
  "target_address": "red.example.com",
  "file_path": "//Public/Documents/Important Notes.txt",
  "file_name": "Important Notes.txt",
  "file_extension": "txt",
  "file_share": "Public",
  "access_types": "ReadData",
  "source_data": "{\"sourceName\":\"Microsoft-Windows-Security-Auditing\",\"insertionStrings\":[\"S-1-5-21-4177825978-4092304191-3872814866-1108\",\"jsmith_adm\",\"EXAMPLEDOMAIN\",\"0x280fe8dd\",\"File\",\"192.168.0.000\",\"58321\",\"\\\\\\\\*\\\\Public\",\"\\\\??\\\\C:\\\\FileShare\\\\Public\",\"Documents\\\\Important Notes.txt\",\"0x120089\",\"%%1538\\r\\n\\t\\t\\t\\t%%1541\\r\\n\\t\\t\\t\\t%%4416\\r\\n\\t\\t\\t\\t%%4419\\r\\n\\t\\t\\t\\t%%4423\\r\\n\\t\\t\\t\\t\",\"%%1538:\\t%%1804\\r\\n\\t\\t\\t\\t%%1541:\\t%%1801\\tD:(A;;0x1301bf;;;WD)\\r\\n\\t\\t\\t\\t%%4416:\\t%%1801\\tD:(A;;0x1301bf;;;WD)\\r\\n\\t\\t\\t\\t%%4419:\\t%%1801\\tD:(A;;0x1301bf;;;WD)\\r\\n\\t\\t\\t\\t%%4423:\\t%%1801\\tD:(A;;0x1301bf;;;WD)\\r\\n\\t\\t\\t\\t\"],\"eventCode\":5145,\"computerName\":\"red.example.com\",\"sid\":\"\",\"isDomainController\":false}"
}
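The insertionStrings array inside source_data is the EventData of the raw 5145 event in template order: subject SID, user, domain, logon ID, object type, client address and port, share name, share local path, relative target name, access mask, access list and access reason. The hex access mask 0x120089 is what the agent reduces to access_types; the %%4416 / %%4419 / %%4423 / %%1538 / %%1541 tokens in the access list are the message-table names for ReadData, ReadEA, ReadAttributes, READ_CONTROL and SYNCHRONIZE. To confirm events are being written before they show up in Log Search (verification steps 1 to 3 above), you can read the same fields straight from the file server's Security Log. The following PowerShell is an added example, not InsightIDR or Insight Agent code; the function and parameter names are the author's, and the server, share and file names are the placeholders from the sample log.

```powershell
# Added example, not InsightIDR code: read event 5145 records from the local
# Security Log and decode the fields the Insight Agent packs into source_data.
# Run elevated on the file server. Server, share and file names below are the
# placeholders used in the sample log above.

# AccessMask bits that indicate a change rather than a read:
# WriteData 0x2, AppendData 0x4, WriteEA 0x10, DeleteChild 0x40,
# WriteAttributes 0x100, Delete 0x10000, WriteDac 0x40000, WriteOwner 0x80000.
$WriteBits = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-FileShareAccess {
    param(
        [int]$MaxEvents = 50,
        [string]$ShareName,      # e.g. '\\*\Public'; omit to return every share
        [switch]$ExcludeIpc      # drop IPC$ named-pipe traffic (srvsvc, etc.)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        $rec = $_
        # Event 5145 EventData names: SubjectUserSid, SubjectUserName, SubjectDomainName,
        # SubjectLogonId, ObjectType, IpAddress, IpPort, ShareName, ShareLocalPath,
        # RelativeTargetName, AccessMask, AccessList, AccessReason. Same order as the
        # insertionStrings array in the InsightIDR source_data field.
        $d = @{}
        foreach ($node in ([xml]$rec.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        if ($ShareName -and $d.ShareName -ne $ShareName) { return }
        if ($ExcludeIpc -and $d.ShareName -like '*\IPC$') { return }

        $outcome = if ($rec.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        $mask = [int]$d.AccessMask   # AccessMask is a hex string such as '0x120089'

        [pscustomobject]@{
            Time       = $rec.TimeCreated
            Outcome    = $outcome
            Account    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Source     = '{0}:{1}' -f $d.IpAddress, $d.IpPort
            Share      = $d.ShareName
            LocalPath  = $d.ShareLocalPath
            Target     = $d.RelativeTargetName
            AccessMask = $d.AccessMask
            # 0x120089 decodes as "Read, Synchronize": ReadData, ReadEA,
            # ReadAttributes and ReadPermissions plus SYNCHRONIZE.
            Rights     = [System.Security.AccessControl.FileSystemRights]$mask
            IsWrite    = (($mask -band $WriteBits) -ne 0)
        }
    }
}

# Trigger an event through the share (the local path C:\FileShare\Public is not
# audited by this subcategory), then list what was logged for that file.
Get-Content -Path '\\red.example.com\Public\Documents\Important Notes.txt' -ErrorAction SilentlyContinue | Out-Null
Get-FileShareAccess -MaxEvents 20 -ExcludeIpc |
    Where-Object { $_.Target -like '*Important Notes.txt' } |
    Format-Table Time, Outcome, Account, Source, Share, Target, AccessMask, Rights, IsWrite -AutoSize
```

Get-WinEvent stops with "No events were found" if the subcategory is not yet enabled or the log has already rolled over, which is itself a useful verification result. Expect several rows for one Get-Content call: Windows checks access on the share root and the Documents folder as well as on the file, and each check is its own 5145 record. Filtering on IsWrite is a quick way to separate reads from the modify, delete and permission-change attempts that usually matter for an investigation.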

Differences Between FIM and FAAM

Configuring File Access Activity Monitoring is not the same as configuring File Integrity Monitoring (FIM). Although both are enabled through the native Microsoft auditing tools, they rely on different audit subcategories, collect different event IDs, and populate different log sets.

The following table shows the differences between FIM and FAAM:

                                File Integrity Monitoring (FIM)          File Access Activity Monitoring (FAAM)
Individual File/Folder Audit    Yes                                      No
Microsoft Native Auditing       Yes                                      Yes
Event ID Collected              Event ID 4663                            Event ID 5145
Events Monitored                Modify, create, and delete events only   All access events
Log Set Name                    File Modification Activity               File Access Activity