The best answer is no, however, we do offer “FIM-esque functionality” via Alert Logic® Log Manager™.
Note: This solution requires additional work from the customer, an uptick in log volume (possible pricing tier jump), and is for Microsoft Windows only.
When Windows is configured to monitor file/directory activity using the Object Access Auditing functionality, it will generate messages for file system activities, such as read and write operations. If the customer enables and sends Windows Object Auditing logs, they can create correlation policies and alerts to notify them of file access, modification, and deletion. This is done by defining a correlation policy that includes:
- Message Types: Windows Successful Object Access
- Properties and Fields: Object Name, Host Name, Object Access Mode, and Object Type
- Correlate by Property or Field Value: Using RegEx to define Host Name, Object Access Mode, etc., is best because you can cast a wider net as opposed to defining each file, host, etc., individually.
In the screenshot below, a correlation policy is shown that is specifically designed to provide FIM functionality based on log events generated by Windows Object Access Auditing. The types of events generated are dependent on the specific Windows auditing policy.
The field Object Access Mode identifies the type of operation being performed on the file/directory, such as read, write, etc. The Object Name field represents the file path and file name. In this example, a regex is being used to detect any changes on a path that contains the string "ogsql," but does not contain temp.txt, which is the log file that it is normally written to.
By default, Windows does not generate events for file system activity. This functionality must be enabled and configured. There are two levels of configuration needed to enable file system auditing: globally enabling file system auditing and directory/file specific configuration indicating the specifics of what is to be audited.
Enable Object Access Auditing with the Auditpol Command Line Tool
- Get the current setting from the location below:
auditpol /get /subcategory:"File System"
- Use the following command to enable access auditing for successful object access (but not failed access):
auditpol /set /subcategory:"File System" /success:enable /failure:disable
- Use the following command to enable access auditing for successful object access and failed access:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Enable Object Access Auditing for Specific Directories
Object Access Auditing must also be enabled for a specific user/group and directory.