{"id":1222,"date":"2010-01-18T12:42:49","date_gmt":"2010-01-18T10:42:49","guid":{"rendered":"http:\/\/contoso.se\/blog\/?p=1222"},"modified":"2010-01-18T13:48:28","modified_gmt":"2010-01-18T11:48:28","slug":"auditing-files-in-windows-with-acs","status":"publish","type":"post","link":"http:\/\/contoso.se\/blog\/?p=1222","title":{"rendered":"Auditing files in Windows with ACS"},"content":{"rendered":"<p>I have been doing some tests for file auditing with Audit Collection Services (ACS). Unfortunately Windows file auditing doesn't really generate informative logs. It is most often the same event ID and the event description is very technical. I did some file operations and reviewed all events in the security event log. I think I have found a way to sort almost all the different file operations into different ACS reports. The first thing you need to do is enable auditing in both a <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc757864(WS.10).aspx\">policy<\/a> and on the <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/bb727008.aspx\">folder<\/a>. I have used the built-in Microsoft Report Builder to create my new ACS reports. You can read more about creating ACS reports <a href=\"http:\/\/contoso.se\/blog\/?p=288\">here<\/a>. I have built four reports. You could merge them into one and you can add\/remove any parameter you want. It would be nice to have relative dates and an input field for user name and object name. 
One of the first things I did was match ACS report parameters with parameters in security events; below is the result from that exercise:<\/p>\n<ul>\n<li>String01 &#8211; Object Type<\/li>\n<li>String02 &#8211; Object Name<\/li>\n<li>String03 &#8211; Process ID<\/li>\n<li>String04 &#8211; Process Name<\/li>\n<li>String05 &#8211; Accesses<\/li>\n<li>String06 &#8211; Object Server<\/li>\n<li>String07 &#8211; Handle ID<\/li>\n<li>String08 &#8211; Transaction ID<\/li>\n<li>String09 &#8211; Access Mask<\/li>\n<li>String10 &#8211; Privileges Used for Access Check<\/li>\n<li>String11 &#8211; Restricted SID Count<\/li>\n<\/ul>\n<p>For the four reports I use the following filters:<\/p>\n<ul>\n<li>Contoso &#8211; File &#8211; Created Files\n<ul>\n<li>Event ID equals 4656\n<ul>\n<li>String 09 equals 0x6019f<\/li>\n<li>or<\/li>\n<li>String 09 equals 0x16019f<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Contoso &#8211; File &#8211; Delete\n<ul>\n<li>Event ID equals 4663<\/li>\n<li>String 05 contains DELETE<\/li>\n<\/ul>\n<\/li>\n<li>Contoso &#8211; File &#8211; Modified Files\n<ul>\n<li>Event ID equals 4656\n<ul>\n<li>String 09 equals 0x2019f<\/li>\n<li>or<\/li>\n<li>String 09 equals 0x12019f<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Contoso &#8211; File &#8211; Open\/Read Files\n<ul>\n<li>Event ID equals 4656\n<ul>\n<li>String 09 equals 0x120089<\/li>\n<li>or<\/li>\n<li>String 09 equals 0x20089<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Summary: read the step-by-step guide about ACS reports in my <a href=\"http:\/\/contoso.se\/blog\/?p=288\">ACS report post<\/a> and apply the filters in this post.<\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2010\/01\/ACSFile01.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-1231  aligncenter\" title=\"ACSFile01\" src=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2010\/01\/ACSFile01-300x196.jpg\" alt=\"\" width=\"300\" height=\"196\" 
srcset=\"http:\/\/contoso.se\/blog\/wp-content\/uploads\/2010\/01\/ACSFile01-300x196.jpg 300w, http:\/\/contoso.se\/blog\/wp-content\/uploads\/2010\/01\/ACSFile01.jpg 635w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have been doing some tests for file auditing with Audit Collection Services (ACS). Unfortunately Windows file auditing doesn't really generate informative logs. It is most often the same event ID and the event description is very technical. I did some file operations and reviewed all events in the security event log. I think I &hellip; <a href=\"http:\/\/contoso.se\/blog\/?p=1222\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[19],"tags":[],"_links":{"self":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1222"}],"collection":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1222"}],"version-history":[{"count":9,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1222\/revisions"}],"predecessor-version":[{"id":1230,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1222\/revisions\/1230"}],"wp:attachment":[{"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1222"}],"wp:term":[{"taxonomy":"category","embeddable":t
rue,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1222"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/contoso.se\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}