    FIM, FAAM, details & False Positives

    IT Discussion
    5 Posts 2 Posters 470 Views
    • notverypunny

      Windows environment:

      Does anyone know of any solutions for File Integrity Monitoring and / or File Access Auditing and Monitoring that can differentiate between explorer.exe getting basic file info (example: for a detailed file view or checking file attributes) vs. a user actually accessing the file contents?

      I've done some digging and it looks like the functionality was introduced in Server 2016 / W10 as the "Audit Detailed File Share" group policy option. The only commercial product that I've seen that discusses or seems to leverage this is Rapid7's InsightIDR. Since we know the error code it generates, it's reasonable to assume that something like Wazuh or Graylog could be set up to monitor for this event and alert based on its contents, but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.

      • scottalanmiller @notverypunny

        @notverypunny said in FIM, FAAM, details & False Positives:

        but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.

        Wazuh and Graylog ARE off the shelf and in no way whatsoever "rolling your own." Rolling your own means assembling parts that don't do the job alone into a system that does do the job. Totally not what is happening here.

        • notverypunny @scottalanmiller

          @scottalanmiller said in FIM, FAAM, details & False Positives:

          @notverypunny said in FIM, FAAM, details & False Positives:

          but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll your own.

          Wazuh and Graylog ARE off the shelf and in no way whatsoever "rolling your own." Rolling your own means assembling parts that don't do the job alone into a system that does do the job. Totally not what is happening here.

          @scottalanmiller I hear you. But I also know what management is generally willing to go with as far as solutions... I'll almost always propose / suggest the open-source options if they make sense to me, but they rarely win out over the commercial products.

          To come back around to my initial question, what I see is that the Audit Detailed File Share option is an all or nothing deal for the server, so having this activated for a specific department would require a dedicated fileserver, unless there's something that I've missed.

          • scottalanmiller @notverypunny
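The two technical points in the thread so far, separating explorer.exe metadata reads from real content access, and scoping a server-wide audit setting down to one department's share, both come down to how a SIEM rule reads the "Audit Detailed File Share" event. The following is an added example written for this thread, not code from either poster or from Wazuh, Graylog or InsightIDR. It assumes the event is Windows Event ID 5145 with the EventData fields `SubjectUserName`, `IpAddress`, `ShareName`, `RelativeTargetName` and `AccessMask` as documented by Microsoft, decodes the mask with the standard Win32 `ACCESS_MASK` bits, and runs over constructed sample records (the users, share names, paths and IPs are made up). The `triage` helper and its share filter are this example's own design.

```python
# Added example (not from the thread): triage constructed Windows Event ID 5145
# ("Audit Detailed File Share") records so that metadata-only opens, which Explorer
# generates when it renders a details view or reads attributes, are separated from
# opens that actually request file contents. Field names follow the event's
# EventData section; the sample records below are constructed, not captured.

# Standard Win32 ACCESS_MASK bits for file objects.
FILE_READ_DATA        = 0x00000001  # ReadData on a file, ListDirectory on a folder
FILE_WRITE_DATA       = 0x00000002
FILE_APPEND_DATA      = 0x00000004
FILE_READ_EA          = 0x00000008
FILE_WRITE_EA         = 0x00000010
FILE_EXECUTE          = 0x00000020
FILE_DELETE_CHILD     = 0x00000040
FILE_READ_ATTRIBUTES  = 0x00000080
FILE_WRITE_ATTRIBUTES = 0x00000100
DELETE                = 0x00010000
READ_CONTROL          = 0x00020000
WRITE_DAC             = 0x00040000
WRITE_OWNER           = 0x00080000
SYNCHRONIZE           = 0x00100000

# Rights that touch the file's bytes.
CONTENT_READ  = FILE_READ_DATA | FILE_EXECUTE
CONTENT_WRITE = FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | FILE_DELETE_CHILD
# Rights that change security or attributes without exposing contents.
METADATA_WRITE = WRITE_DAC | WRITE_OWNER | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
# Rights a details view or attribute check needs; none of them expose contents.
METADATA_READ = FILE_READ_ATTRIBUTES | FILE_READ_EA | READ_CONTROL | SYNCHRONIZE


def classify_access(access_mask):
    """Map a 5145 AccessMask (hex string such as '0x80', or an int) to one label.

    Note: bit 0x1 is ReadData on a file but ListDirectory on a folder, so a rule
    that treats every RelativeTargetName as a file will flag folder listings too;
    a production rule would exclude known folder paths on the share.
    """
    mask = int(access_mask, 16) if isinstance(access_mask, str) else int(access_mask)
    if mask & CONTENT_WRITE:
        return "content-write"
    if mask & CONTENT_READ:
        return "content-read"
    if mask & METADATA_WRITE:
        return "metadata-write"
    if mask and not (mask & ~METADATA_READ):
        return "metadata-read"          # what an Explorer details view produces
    return "other"


def triage(records, watched_shares):
    """Return (user, ip, share, target, label) for content accesses on watched shares.

    The audit policy is enabled per server, so every share on the box emits 5145
    events; filtering on ShareName is what scopes the alert to one department's
    data without needing a dedicated file server.
    """
    watched = {s.lower() for s in watched_shares}
    hits = []
    for r in records:
        if r["ShareName"].lower() not in watched:
            continue
        label = classify_access(r["AccessMask"])
        if label.startswith("content-"):
            hits.append((r["SubjectUserName"], r["IpAddress"],
                         r["ShareName"], r["RelativeTargetName"], label))
    return hits


# Constructed sample records in the shape of 5145 EventData (hypothetical values).
SAMPLE_EVENTS = [
    # Explorer details view: attributes only, no contents -> should not alert
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.5.21", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "payroll\\2024.xlsx", "AccessMask": "0x80"},
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.5.21", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "payroll\\2024.xlsx", "AccessMask": "0x100080"},
    # Same user actually opens the file: ReadData is set -> alert
    {"SubjectUserName": "jdoe", "IpAddress": "10.0.5.21", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "payroll\\2024.xlsx", "AccessMask": "0x120089"},
    # Someone writes to a watched file -> alert
    {"SubjectUserName": "asmith", "IpAddress": "10.0.5.40", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "budget.docx", "AccessMask": "0x2"},
    # Content read on a share nobody asked to watch -> filtered out
    {"SubjectUserName": "bob", "IpAddress": "10.0.5.77", "ShareName": "\\\\*\\Public",
     "RelativeTargetName": "readme.txt", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, ["\\\\*\\Finance"]):
        print(hit)
```

Run as a script it prints the two Finance hits (jdoe's content read and asmith's write) and stays silent on the two Explorer attribute reads and the Public share. The same mask decoding translates directly into a Wazuh or Graylog rule: match event 5145, restrict `ShareName` to the department's share, and fire only when `AccessMask` has a content bit set rather than on every 5145 occurrence.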

            @notverypunny said in FIM, FAAM, details & False Positives:

            @scottalanmiller I hear you. But I also know what management is generally willing to go with as far as solutions... I'll almost always propose / suggest the open-source options if they make sense to me, but they rarely win out over the commercial products.

            Just saying, the reason that you gave isn't applicable here. If management is against open source, then say THAT, not something unrelated. If they are truly against rolling their own, then once you inform them that this isn't at all rolling their own, then they'd not consider that. If they are lying about rolling their own and mean open source, don't repeat the misinformation because obviously we have to correct it.

            Never repeat known bad information, that makes it your bad information. Clients tell me incorrect things all of the time, or just flat out lie, but I don't repeat that as is when I know it's false. I either don't repeat it, or I explain "they lie and say X but mean Y".

            • scottalanmiller @notverypunny

              @notverypunny said in FIM, FAAM, details & False Positives:

              The only commercial product that I've seen that discusses or seems to leverage this is Rapid7's InsightIDR.

              Keep in mind that Graylog is a commercial product and is not open source. It used to be open source, now it is not. They claim to be, but they don't qualify.
