File Integrity Monitoring | User Information - Windows

[andrewkroh]

The file_integrity integration can monitor for file changes, but does not include information about the user that modified the file. This is a significant visibility gap for security analysts and a heavily requested enhancement request.

Research needs to be done to determine how we can capture user information (and preferably the process too) within our FIM integration, and any underlying changes required.

As is mentioned in the linked documentation, today changes to files are watched using ReadDirectoryChangesW.

Meta issue #3310

[gabriellandau]

The Elastic Endpoint uses a filesystem minifilter driver because it needs to be able to intercept/block activity. Drivers are tricky to code correctly, can introduce security vulnerabilities, and can bugcheck/BSOD the machine if an error occurs. Further, all new drivers must now be signed by Microsoft, which adds complexity and fragility to the CI process.

Instead, you should consider the NT Kernel Logger ETW option. You can subscribe to this from user mode. Check out NirSoft's FileActivityWatch and see if it does what you want - it uses that ETW logger.

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

[mbudge]

Any update on this?

The business I work at are planning on making more use of FIM, so having the user modifying the files would make it easier for users to track who's making changes.

[Erikg346]

+1
I recently came across this integration, it's so good but the user information is a requirement in order to fully implement

[MakoWish]

This is something we also need. We have an issue with some shares being modified, and we have no way of tracking down who has been making these changes. The FIM module shows us that the changes were made, but without a username, we don't have much to go by.

[Erikg346]

I see PR merged but don't see any changes in FIM integration?