www.contoso.se

Cloud and Datacenter Management by Anders Bengtsson

Auditing files in Windows with ACS

I have been doing some tests for file auditing with Audit Collection Services (ACS). Unfortunately Windows file auditing doesn't really generate informative logs: it is most often the same event ID, and the event description is very technical. I did some file operations and reviewed all events in the security event log, and I think I have found a way to sort almost all the different file operations into different ACS reports.

The first thing you need to do is enable auditing both in a policy and on the folder. I have used the built-in Microsoft Report Builder to create my new ACS reports; you can read more about creating ACS reports here. I have built four reports. You could merge them into one, and you can add or remove any parameter you want. It could be nice with relative dates and an input field for user name and object name.

One of the first things I did was match ACS report parameters with parameters in security events; below is the result from that exercise.

  • String01 – Object Type
  • String02 – Object Name
  • String03 – Process ID
  • String04 – Process Name
  • String05 – Accesses
  • String06 – Object Server
  • String07 – Handle ID
  • String08 – Transaction ID
  • String09 – Access Mask
  • String10 – Privileges Used for Access Check
  • String11 – Restricted SID Count

For the four reports I use the following filters:

  • Contoso – File – Created Files
    • Event ID equals 4656
      • String09 equals 0x6019f
      • or
      • String09 equals 0x16019f
  • Contoso – File – Delete
    • Event ID equals 4663
    • String05 contains DELETE
  • Contoso – File – Modified Files
    • Event ID equals 4656
      • String09 equals 0x2019f
      • or
      • String09 equals 0x12019f
  • Contoso – File – Open/Read Files
    • Event ID equals 4656
      • String09 equals 0x120089
      • or
      • String09 equals 0x20089
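To see why these Access Mask values separate creates, modifies and reads, here is an added Python model (not part of this post or of ACS) that applies the four filters above to constructed sample events and decodes String09 into the documented Windows file-object access rights. The event dictionaries, file names and the hyphenated report names are assumptions for the example.

```python
# Added example: apply the post's four ACS report filters to constructed
# 4656/4663 events and decode the Access Mask (String09) bits.
# Bit values are the documented Windows ACCESS_MASK constants for file objects.
FILE_RIGHTS = {
    0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
    0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# The three 4656-based reports from the post: (event id, field, accepted masks).
REPORT_FILTERS = {
    "Contoso - File - Created Files": (4656, "String09", {"0x6019f", "0x16019f"}),
    "Contoso - File - Modified Files": (4656, "String09", {"0x2019f", "0x12019f"}),
    "Contoso - File - Open/Read Files": (4656, "String09", {"0x120089", "0x20089"}),
}

def decode_access_mask(mask_hex):
    """Return the names of the file-object rights set in a hex Access Mask string."""
    mask = int(mask_hex, 16)
    return [name for bit, name in FILE_RIGHTS.items() if mask & bit]

def classify(event):
    """Map one event (EventID plus StringNN fields) to the report names it matches."""
    matches = []
    # Delete report: event 4663 whose Accesses field (String05) contains DELETE.
    if event["EventID"] == 4663 and "DELETE" in event.get("String05", ""):
        matches.append("Contoso - File - Delete")
    # The other reports: event 4656 with String09 equal to one of the listed masks.
    for name, (eid, field, masks) in REPORT_FILTERS.items():
        if event["EventID"] == eid and event.get(field, "").lower() in masks:
            matches.append(name)
    return matches

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"EventID": 4656, "String02": r"C:\Share\new.txt", "String09": "0x16019f"},
    {"EventID": 4656, "String02": r"C:\Share\report.docx", "String09": "0x12019f"},
    {"EventID": 4656, "String02": r"C:\Share\readme.txt", "String09": "0x120089"},
    {"EventID": 4663, "String02": r"C:\Share\old.txt", "String05": "DELETE"},
    {"EventID": 4656, "String02": r"C:\Share\other.txt", "String09": "0x1f01ff"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        rights = decode_access_mask(ev["String09"]) if "String09" in ev else []
        print(ev["String02"], classify(ev) or ["(no report)"], rights)
```

Decoding shows the pattern behind the filters: the read masks carry only read rights, the modify masks add the write/append rights, and the create masks additionally carry WRITE_DAC; the paired values differ only by the SYNCHRONIZE bit.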

Summary: read the step-by-step guide about ACS reports in my ACS report post, then apply the filters in this post.


© 2019 www.contoso.se. Theme by Anders Norén.