Overview
File Integrity Monitoring (FIM) detects unauthorized or unexpected changes to files on critical systems.
This article explains how to configure Windows Security Auditing and the Splunk Universal Forwarder (UF) to collect and analyze file activity events—Create, Modify, and Delete—in Splunk Enterprise or Splunk Enterprise Security (ES).
Prerequisites
- Windows Server 2019/2022 or Windows 10/11
- Splunk Universal Forwarder installed and connected to your indexer
- Administrative rights to edit Group Policy or Local Security Policy
- Splunk Add-on for Microsoft Windows (Splunk_TA_windows) on the indexer and search head for field extraction, and on the forwarder to supply the Security event log input
- Dedicated index (e.g., index=fim) for these events
Enable Object Access Auditing (via Group Policy)
1. Open Group Policy Management Console (GPMC) → edit or create a GPO that applies to the target system.
2. Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access
3. Enable:
• Audit File System – Success and Failure
• (Optional) Audit File Share – Success and Failure
4. Run gpupdate /force or reboot to apply.
Configure Folder-Level Auditing (SACL)
1. Right-click the target folder → Properties → Security → Advanced → Auditing → Add.
2. Principal = Authenticated Users (or specific group).
3. Type = Success; Applies to = This folder, subfolders, and files. (The policy above also enables Failure auditing, but failed-access events are only generated for folders that carry a second entry with Type = Fail.)
4. Select permissions: Create files / Write data, Modify, Delete, Write attributes.
5. Audit only business-critical folders to avoid log volume overload.
Verify Audit Policy
auditpol /get /subcategory:"File System"
Expected: Success and Failure
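The GPO, SACL and verification steps above can be scripted instead of clicked through. The following is an added example written for this article, not code from the original page; it assumes an elevated PowerShell session on a host where the audit policy has already been applied, and the folder path and the principal "Authenticated Users" are assumptions you should replace with your own.

```powershell
# Added example (not from the original article): apply the folder SACL from the
# "Configure Folder-Level Auditing" steps with PowerShell and verify the policy.
# Run elevated: reading or writing a SACL requires SeSecurityPrivilege.
# $Target is an assumption made for illustration; use your own business-critical folder.
$Target = 'D:\Finance\Contracts'

# 1. Verify the Object Access > File System subcategory audits Success and Failure.
#    On a domain-joined host the GPO is authoritative; a local auditpol /set would be
#    overwritten at the next policy refresh, so only read the effective setting here.
auditpol /get /subcategory:"File System"

# 2. Rights that correspond to the checkboxes in the dialog:
#    Create files / Write data, Modify, Delete, Write attributes.
$Rights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
          [System.Security.AccessControl.FileSystemRights]::Modify -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::WriteAttributes

# 3. "Applies to: This folder, subfolders, and files"
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# 4. Principal = Authenticated Users, Type = Success
$Rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Authenticated Users', $Rights, $Inherit, $Propagate,
            [System.Security.AccessControl.AuditFlags]::Success)

# 5. Read the current SACL (-Audit is required), add the entry, write it back.
$Acl = Get-Acl -Path $Target -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Target -AclObject $Acl

# Show the resulting audit entries so the change can be reviewed
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Because Modify already includes Delete and Write data, the extra flags only make the entry read like the GUI checkboxes; the effective SACL is the same. Re-run the Get-Acl line after a Group Policy refresh to confirm nothing has reset the entry.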
SPL Searches for File Actions
File Creation
index=fim EventCode=4663
| where match(AccessMask,"(?i)^0x0*2$|^0x0*6$")
| eventstats min(_time) as firstSeen by ObjectName
| where _time=firstSeen
| eval action="Create"
| table _time action SubjectUserName ObjectName ProcessName
This search treats the first write access seen for a path as its creation, so it is only as accurate as the search window: run it over a range wider than the expected lifetime of the files, or every path gets labelled "Create" at the start of the window. AccessMask 0x2 is WriteData (AddFile on a directory) and 0x6 is WriteData plus AppendData.
File Modification
index=fim EventCode=4663
| where match(AccessMask,"(?i)^0x0*2$|^0x0*6$")
| eval action="Modify"
| table _time action SubjectUserName ObjectName ProcessName
Every event kept by the creation search also appears here; if the two results must be mutually exclusive, join them on ObjectName and drop the firstSeen event from this one.
File Deletion
(sourcetype=XmlWinEventLog:Security OR sourcetype=WinEventLog:Security)
(EventCode=4660 OR EventCode=4663 OR EventCode=4656 OR EventCode=4658)
| rex field=_raw "(?i)<Data Name='HandleId'>\s*(?<HandleId>0x[0-9a-f]+)"
| rex field=_raw "(?i)<Data Name='ObjectName'>\s*(?<Obj>[^<]+)"
| transaction HandleId maxspan=10m maxpause=2m keepevicted=true
| eval File=mvindex(mvfilter(isnotnull(Obj)),-1)
| where mvfind(EventCode,"4660")>=0
| where match(File,"(?i)\\.(docx|doc|xls|xlsx|txt)$")
    AND NOT match(File,"(?i)\\\\(~\\$|~WR[DL]|Temp\\\\|\\$Recycle\\.Bin|AppData\\\\)")
| search NOT ProcessName="C:\\Windows\\explorer.exe"
| eval action="DeleteConfirmed"
| table _time action SubjectUserName File ProcessName HandleId
A 4660 on its own only says that a handle to some object was deleted; the transaction ties it to the 4656/4663 events on the same HandleId, which carry the path, user and process. In Splunk eval strings a literal backslash must be written as "\\", so the exclusion regex above matches a path separator followed by Office lock and temp files, Temp, $Recycle.Bin or AppData. The two rex lines assume the events are forwarded as XML (renderXml = true in the forwarder's inputs.conf); for the classic text rendering, use the add-on's extracted Handle_ID and Object_Name fields instead. Excluding explorer.exe suppresses interactive deletions (Shift+Delete as well as moves to the Recycle Bin); remove that line if those are in scope.
Testing and Validation
Action | Expected Event | Result
Create file | 4663 (WriteData) | Create record appears
Edit file | 4663 (WriteData/AppendData) | Modify record appears
Delete file | 4660 correlated via HandleId | DeleteConfirmed record appears
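To run this validation table without waiting for the events to reach Splunk, the following added example (written for this article, not code from the original page) generates one create, modify and delete under an audited folder and then reads the matching Security events on the host, correlating 4663 and 4660 by HandleId the same way the deletion search does. It assumes the folder already carries the SACL from the earlier section; the path and file name are assumptions for illustration.

```powershell
# Added example (not from the original article): generate test activity and
# check the Security log locally before validating the same events in Splunk.
# Assumes the SACL from the earlier section is in place on $Target.
$Target = 'D:\Finance\Contracts'                 # assumption: audited folder
$File   = Join-Path $Target 'fim-test.docx'      # assumption: test file name
$Start  = (Get-Date).AddSeconds(-5)

Set-Content -Path $File -Value 'created'     # create  -> 4663 with WriteData (0x2)
Add-Content -Path $File -Value 'modified'    # modify  -> 4663 with WriteData/AppendData
Remove-Item -Path $File                      # delete  -> 4663 with DELETE (0x10000) then 4660
Start-Sleep -Seconds 2                       # give the Security log a moment to commit

$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4660; StartTime = $Start } `
                       -ErrorAction SilentlyContinue

# Parse the XML so we see the same field names the forwarder sends
# (SubjectUserName, ObjectName, HandleId, AccessMask, ProcessName).
$Parsed = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventCode  = $e.Id
        User       = $d['SubjectUserName']
        ObjectName = $d['ObjectName']
        HandleId   = $d['HandleId']
        AccessMask = $d['AccessMask']
        Process    = $d['ProcessName']
    }
}

# Create / Modify rows: 4663 with a write access mask on the test file
# (the same AccessMask filter the SPL searches use).
$Parsed |
    Where-Object { $_.EventCode -eq 4663 -and $_.ObjectName -eq $File -and $_.AccessMask -match '^0x0*[26]$' } |
    Format-Table Time, EventCode, User, AccessMask, Process -AutoSize

# DeleteConfirmed rows: group by HandleId, keep groups that contain a 4660 and
# whose last ObjectName is the test file, exactly as the transaction-based search does.
$Parsed | Group-Object HandleId | ForEach-Object {
    $obj = ($_.Group | Where-Object ObjectName | Select-Object -Last 1).ObjectName
    if (($_.Group.EventCode -contains 4660) -and ($obj -eq $File)) {
        [pscustomobject]@{
            Action   = 'DeleteConfirmed'
            File     = $obj
            HandleId = $_.Name
            User     = ($_.Group.User | Where-Object { $_ } | Select-Object -First 1)
            Process  = ($_.Group.Process | Where-Object { $_ } | Select-Object -First 1)
        }
    }
} | Format-Table -AutoSize
```

Run it elevated so Get-WinEvent can read the Security log. The delete row should show powershell.exe as the process, which is why the Splunk search's explorer.exe exclusion does not hide it; if no rows appear at all, check the SACL and auditpol output before suspecting the forwarder.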