{"id":11855,"date":"2022-07-30T08:53:21","date_gmt":"2022-07-30T05:53:21","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11855"},"modified":"2024-03-09T16:16:02","modified_gmt":"2024-03-09T13:16:02","slug":"monitor-changes-to-critical-files-on-windows-systems-using-wazuh-and-elk","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/monitor-changes-to-critical-files-on-windows-systems-using-wazuh-and-elk\/","title":{"rendered":"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to monitor changes to critical files on Windows systems using Wazuh and ELK Stack. File operations are logged when a file is created, updated, overwritten or deleted. Such file change events are useful for monitoring files under directories such as the startup folders, download or temporary directories, or any other custom directory. File\/folder activities are part of <em><a href=\"https:\/\/documentation.wazuh.com\/current\/learning-wazuh\/detect-fs-changes.html\" target=\"_blank\" rel=\"noreferrer noopener\">file integrity monitoring (FIM) and registry change monitoring<\/a><\/em>. Thus, to detect changes to these critical files, file integrity monitoring needs to be enabled against the folder where these critical files reside.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK<\/h2>\n\n\n\n<p>In order to monitor changes to critical files on Windows systems, you need to collect the events associated with the changes made and push them to the Wazuh Manager for visualization in the Kibana Wazuh app.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Integrate Wazuh Manager with ELK Stack<\/h3>\n\n\n\n<p>Before you begin, ensure that you have ELK Stack integrated with the Wazuh Manager and that it is up and running. See the example tutorials below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/integrate-wazuh-manager-with-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate Wazuh Manager with ELK Stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh Server on Rocky Linux 8<\/a><\/p>\n\n\n\n<p>NOTE: We are running ELK 7.17.0 and Wazuh Manager 4.3.6.<\/p>\n\n\n\n<p>Kibana (ELK) version;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/usr\/share\/kibana\/package.json | grep version<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  \"version\": \"7.17.0\",<\/code><\/pre>\n\n\n\n<p>Wazuh Manager version;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/ossec\/bin\/wazuh-control info | grep WAZUH_VERSION<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>WAZUH_VERSION=\"v4.3.6\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Wazuh Agents on Windows Systems<\/h3>\n\n\n\n<p>In this example setup, I will be using a Windows 10 system for demonstration purposes.<\/p>\n\n\n\n<p>To install the Wazuh agent on Windows 10 and automatically add it to the Wazuh manager;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to Kibana and navigate to Wazuh App &gt; Agents &gt; Deploy a new agent.<\/li>\n\n\n\n<li>Choose the operating system; in this example it is Windows.<\/li>\n\n\n\n<li>Set the Wazuh server address.<\/li>\n\n\n\n<li>You can leave the other settings at their defaults;<\/li>\n<\/ul>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/add-windows-wazuh-agent.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1894\" height=\"943\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/add-windows-wazuh-agent.png\" alt=\"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK\" class=\"wp-image-13554\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/add-windows-wazuh-agent.png?v=1658854593 1894w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/add-windows-wazuh-agent-768x382.png?v=1658854593 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/add-windows-wazuh-agent-1536x765.png?v=1658854593 1536w\" sizes=\"(max-width: 1894px) 100vw, 1894px\" \/><\/figure><\/a><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scroll down and, under Install and enroll the agent, copy the Windows Wazuh agent install command;<\/li>\n<\/ul>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-wazuh-agent-install-command.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1898\" height=\"935\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-wazuh-agent-install-command.png\" alt=\"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK\" class=\"wp-image-13555\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-wazuh-agent-install-command.png?v=1658854732 1898w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-wazuh-agent-install-command-768x378.png?v=1658854732 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-wazuh-agent-install-command-1536x757.png?v=1658854732 1536w\" sizes=\"(max-width: 1898px) 100vw, 1898px\" \/><\/figure><\/a><\/div>\n\n\n\n<pre class=\"wp-block-code\"><code>Invoke-WebRequest -Uri `\nhttps:\/\/packages.wazuh.com\/4.x\/windows\/wazuh-agent-4.3.6-1.msi `\n-OutFile ${env:tmp}\\wazuh-agent-4.3.6.msi; msiexec.exe \/i ${env:tmp}\\wazuh-agent-4.3.6.msi `\n\/q WAZUH_MANAGER='192.168.58.22' WAZUH_REGISTRATION_SERVER='192.168.58.22' <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, log in to your Windows system and open PowerShell as administrator.<\/li>\n\n\n\n<li>Copy, paste and execute the command above in PowerShell.<\/li>\n\n\n\n<li>Once the installation is done, start the Wazuh agent service.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>NET START WazuhSvc<\/code><\/pre>\n\n\n\n<p>It should also show up on the Kibana Wazuh App.<\/p>\n\n\n\n<p>To confirm from the Wazuh Manager command line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/ossec\/bin\/agent_control -l<\/code><\/pre>\n\n\n\n<p>You should see it among the active agents.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Wazuh agent_control. List of available agents:\n   ID: 000, Name: debian11 (server), IP: 127.0.0.1, Active\/Local\n   <strong>ID: 001, Name: DESKTOP-JQ6I3Q8, IP: any, Active<\/strong>\n\nList of agentless devices:<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enable File Integrity Monitoring on Folders Containing Critical Files<\/h3>\n\n\n\n<p>By default, Wazuh enables file integrity monitoring for some system files, as defined in the <code>&lt;!-- File integrity monitoring --&gt;<\/code> section of the <code><strong>ossec.conf<\/strong><\/code> configuration file;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n  &lt;!-- File integrity monitoring -->\n  &lt;syscheck>\n\n    &lt;disabled>no&lt;\/disabled>\n\n    &lt;!-- Frequency that syscheck is executed default every 12 hours -->\n    &lt;frequency>43200&lt;\/frequency>\n\n    &lt;!-- Default files to be monitored. 
-->\n    &lt;directories recursion_level=\"0\" restrict=\"regedit.exe$|system.ini$|win.ini$\">%WINDIR%&lt;\/directories>\n\n    &lt;directories recursion_level=\"0\" restrict=\"at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$\">%WINDIR%\\SysNative&lt;\/directories>\n    &lt;directories recursion_level=\"0\">%WINDIR%\\SysNative\\drivers\\etc&lt;\/directories>\n    &lt;directories recursion_level=\"0\" restrict=\"WMIC.exe$\">%WINDIR%\\SysNative\\wbem&lt;\/directories>\n    &lt;directories recursion_level=\"0\" restrict=\"powershell.exe$\">%WINDIR%\\SysNative\\WindowsPowerShell\\v1.0&lt;\/directories>\n    &lt;directories recursion_level=\"0\" restrict=\"winrm.vbs$\">%WINDIR%\\SysNative&lt;\/directories>\n\n    &lt;!-- 32-bit programs. -->\n    &lt;directories recursion_level=\"0\" restrict=\"at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$\">%WINDIR%\\System32&lt;\/directories>\n    &lt;directories recursion_level=\"0\">%WINDIR%\\System32\\drivers\\etc&lt;\/directories>\n    &lt;directories recursion_level=\"0\" restrict=\"WMIC.exe$\">%WINDIR%\\System32\\wbem&lt;\/directories>\n    &lt;directories recursion_level=\"0\" restrict=\"powershell.exe$\">%WINDIR%\\System32\\WindowsPowerShell\\v1.0&lt;\/directories>\n    &lt;directories recursion_level=\"0\" restrict=\"winrm.vbs$\">%WINDIR%\\System32&lt;\/directories>\n\n    &lt;directories realtime=\"yes\">%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup&lt;\/directories>\n\n    &lt;ignore>%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\desktop.ini&lt;\/ignore>\n\n    &lt;ignore type=\"sregex\">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$&lt;\/ignore>\n\n    &lt;!-- Windows registry entries 
to monitor. -->\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\cmdfile&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\comfile&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\exefile&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\piffile&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\AllFilesystemObjects&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\Folder&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Classes\\Protocols&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Policies&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Security&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer&lt;\/windows_registry>\n\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurePipeServers\\winreg&lt;\/windows_registry>\n\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce&lt;\/windows_registry>\n    &lt;windows_registry>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx&lt;\/windows_registry>\n    
&lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\URL&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows&lt;\/windows_registry>\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon&lt;\/windows_registry>\n\n    &lt;windows_registry arch=\"both\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components&lt;\/windows_registry>\n\n    &lt;!-- Windows registry entries to ignore. -->\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Users&lt;\/registry_ignore>\n    &lt;registry_ignore type=\"sregex\">\\Enum$&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\AppCs&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\PortKeywords\\DHCP&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\PortKeywords\\IPTLSIn&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\PortKeywords\\IPTLSOut&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\PortKeywords\\RPC-EPMap&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\MpsSvc\\Parameters\\PortKeywords\\Teredo&lt;\/registry_ignore>\n    
&lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\PolicyAgent\\Parameters\\Cache&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx&lt;\/registry_ignore>\n    &lt;registry_ignore>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ADOVMPPackage\\Final&lt;\/registry_ignore>\n\n    &lt;!-- Frequency for ACL checking (seconds) -->\n    &lt;windows_audit_interval>60&lt;\/windows_audit_interval>\n\n    &lt;!-- Nice value for Syscheck module -->\n    &lt;process_priority>10&lt;\/process_priority>\n\n    &lt;!-- Maximum output throughput -->\n    &lt;max_eps>100&lt;\/max_eps>\n\n    &lt;!-- Database synchronization settings -->\n    &lt;synchronization>\n      &lt;enabled>yes&lt;\/enabled>\n      &lt;interval>5m&lt;\/interval>\n      &lt;max_interval>1h&lt;\/max_interval>\n      &lt;max_eps>10&lt;\/max_eps>\n    &lt;\/synchronization>\n  &lt;\/syscheck>\n<\/code><\/pre>\n\n\n\n<p>So how can you add your own custom folders to the configuration for file integrity monitoring?<\/p>\n\n\n\n<p>Let&#8217;s assume you have a folder, <code>C:\\FIM<\/code>, for example, in which you would like to monitor all changes to the files. You can then add the following configuration line inside the <code><strong>&lt;syscheck&gt; &lt;\/syscheck&gt;<\/strong><\/code> section.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;directories check_all=\"yes\" realtime=\"yes\" report_changes=\"yes\"&gt;C:\\FIM&lt;\/directories&gt;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>check_all<\/code><\/strong>: Enables the following check_* options: <code>check_sum, check_sha1sum, check_md5sum, check_size, check_owner, check_group, check_perm<\/code>.<\/li>\n\n\n\n<li><strong><code>realtime<\/code><\/strong>: Enables realtime (continuous) monitoring.<\/li>\n\n\n\n<li><code><strong>report_changes<\/strong><\/code>: Reports diffs of file changes\/registry value changes.<\/li>\n<\/ul>\n\n\n\n<p>This is how I placed the above line in the <code>C:\\Program Files (x86)\\ossec-agent\\ossec.conf<\/code>;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n  &lt;!-- File integrity monitoring -->\n  &lt;syscheck>\n\n    &lt;disabled>no&lt;\/disabled>\n\n    &lt;!-- Frequency that syscheck is executed default every 12 hours -->\n    &lt;frequency>43200&lt;\/frequency>\n    \n    &lt;!-- Custom Folder -->\n<strong>    &lt;directories check_all=\"yes\" realtime=\"yes\" report_changes=\"yes\">C:\\FIM&lt;\/directories>\n<\/strong>\n    &lt;!-- Default files to be monitored. -->\n    &lt;directories recursion_level=\"0\" restrict=\"regedit.exe$|system.ini$|win.ini$\">%WINDIR%&lt;\/directories>\n...\n<\/code><\/pre>\n\n\n\n<p>Once you have made the changes to the configuration file, restart the agent. You can execute the command below in PowerShell as administrator;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Restart-Service WazuhSvc<\/code><\/pre>\n\n\n\n<p>Check the status of the service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-Service WazuhSvc<\/code><\/pre>\n\n\n\n<p>If the service stops for any reason, be sure to check the agent logs to find out what the problem is.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Simulate Changes to Critical Files<\/h3>\n\n\n\n<p>Under our custom folder, <code>C:\\FIM<\/code>, we have two files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls C:\\FIM<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\n\n    Directory: C:\\FIM\n\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\n-a----         7\/30\/2022   7:40 AM            667 file001.txt\n-a----         7\/30\/2022   7:40 AM            667 file002.txt\n<\/code><\/pre>\n\n\n\n<p>So, try to make some changes to file001.txt and file002.txt.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using PowerShell, I can do it using the echo command;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"This is a tes FIM line 001\" &gt;&gt; 'C:\\FIM\\file001.txt'<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delete some lines from file002.txt<\/li>\n\n\n\n<li>Create a new file<\/li>\n\n\n\n<li>Delete the newly created file<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<p>Immediately, you should be able to see the changes on the Wazuh dashboard. Select the respective agent and navigate to the <strong>integrity monitoring<\/strong> dashboard;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-dashboard.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1903\" height=\"889\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-dashboard.png\" alt=\"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK\" class=\"wp-image-13594\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-dashboard.png?v=1659159936 1903w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-dashboard-768x359.png?v=1659159936 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-dashboard-1536x718.png?v=1659159936 1536w\" sizes=\"(max-width: 1903px) 100vw, 1903px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Let&#8217;s check the related events under the <strong>Events<\/strong> tab for more information;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-events.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1896\" height=\"888\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-events.png\" alt=\"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK\" class=\"wp-image-13596\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-events.png?v=1659159999 1896w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-events-768x360.png?v=1659159999 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/windows-file-integrity-events-1536x719.png?v=1659159999 1536w\" sizes=\"(max-width: 1896px) 100vw, 1896px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>As you can see, it shows the files that were added, deleted and modified.<\/p>\n\n\n\n<p>Let&#8217;s check the file modification events. For file001.txt, we added a line. For file002.txt, we removed some lines.<\/p>\n\n\n\n<p>So, expand these two events. Under the <code>syscheck.diffs<\/code> field you will see the actual changes made to the files.<\/p>\n\n\n\n<p>File001.txt;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification-events.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1423\" height=\"3172\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification-events.png\" alt=\"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK\" class=\"wp-image-13598\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification-events.png?v=1659160032 1423w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification-events-768x1712.png?v=1659160032 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification-events-689x1536.png?v=1659160032 689w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification-events-919x2048.png?v=1659160032 919w\" sizes=\"(max-width: 1423px) 100vw, 1423px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>File002.txt;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification_events.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1540\" height=\"2788\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification_events.png\" alt=\"Monitor Changes to Critical Files on Windows Systems using Wazuh and ELK\" class=\"wp-image-13599\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification_events.png?v=1659160058 1540w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification_events-768x1390.png?v=1659160058 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification_events-848x1536.png?v=1659160058 848w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/07\/file-modification_events-1131x2048.png?v=1659160058 1131w\" sizes=\"(max-width: 1540px) 100vw, 1540px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Awesome, isn&#8217;t it?<\/p>\n\n\n\n<p>And that is how you can easily monitor changes to critical files on Windows systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-process-creation-events-on-windows-systems-using-wazuh-and-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Process Creation Events on Windows Systems using Wazuh and ELK stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/process-modsecurity-logs-using-wazuh\/\" target=\"_blank\" rel=\"noreferrer noopener\">Process ModSecurity Logs using Wazuh<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to monitor changes to critical files on Windows systems using Wazuh and ELK Stack. 
File operations are logged<\/p>\n","protected":false},"author":3,"featured_media":13594,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,34],"tags":[5599,5598,5600,5602,5601],"class_list":["post-11855","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-security","tag-detect-file-changes-using-wazuh-on-windows","tag-monitor-changes-to-critical-files-on-windows-systems-using-wazuh-and-elk","tag-monitor-file-changes-using-wazuh-on-windows","tag-monitoring-file-integrity-with-wazuh","tag-windows-file-integrity-monitoring-with-wazuh","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11855"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11855"}],"version-history":[{"count":22,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11855\/revisions"}],"predecessor-version":[{"id":20583,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11855\/revisions\/20583"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/13594"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11855"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templa
ted":true}]}}