Using sysmon to monitor a folder activity by a specific user

steviefaux 181 Reputation points
2022-04-21T13:05:36.357+00:00

I find the sysmon config files confusing and not enough clear info on creating them. So having issues finding out if this is possible or not.

I'd like to ignore most logs sysmon can do and just use it to monitor one specific folder and one specific AD user that accesses said folder.

Is this possible and what would the config file look like if so?

Sysinternals
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,127 questions
0 comments No comments
{count} votes

Accepted answer
  1. dstaulcu 351 Reputation points
    2022-04-22T00:01:57.91+00:00

    I'd recommend reviewing the sysmon community guide to orient yourself on what sysmon can log and how to administer it.

    Sysmon does not log folder accesses where a user simply reads files in a folder. It does have logging capabilities for file create and file delete operations.

    I happen to do a lot of testing of sysmon and use this script to create sysmon configuration templates which collect nothing by default.

    Once you have a configuration file with output of script from above then you would want to edit it and add include oriented rules among FileDeleteDetected and FileCreate event type rule groups.

    <RuleGroup name="FileDeleteDetected_RG_001" groupRelation="or">  
    	<FileDeleteDetected onmatch="include">  
    		<Rule groupRelation="and" name="">  
    			<User condition="contains any">steviefaux;dstaulcu</User>  
    			<TargetFilename condition="contains any">c:\sensitive_dir_1;c:\sensitive_dir_2</TargetFilename>				  
    		</Rule>			  
    	</FileDeleteDetected>			  
    </RuleGroup>  
      
    <RuleGroup name="FileCreate_RG_001" groupRelation="or">  
    	<FileCreate onmatch="include">  
    		<Rule groupRelation="and" name="">  
    			<User condition="contains any">steviefaux;dstaulcu</User>  
    			<TargetFilename condition="contains any">c:\sensitive_dir_1;c:\sensitive_dir_2</TargetFilename>				  
    		</Rule>			  
    	</FileCreate>  
    </RuleGroup>  
    

    I tried to attach a full xml file but the file upload failed for some reason. Here is the resultant config:

    195361-screenshot-2022-04-21-201606.jpg

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. steviefaux 181 Reputation points
    2022-04-23T14:04:15.217+00:00

    Thanks. I'll give it a look on Monday.

    0 comments No comments

  2. steviefaux 181 Reputation points
    2022-05-07T09:22:26.957+00:00

    Thanks. Appears to work and give me an idea to what to use. Although it doesn't appear to be picking up the file deletes when I do it in my testing but that could be me doing something wrong. At least got an idea of how to craft the config file for it.

    Thanks.

    0 comments No comments