
How to configure file integrity monitoring on Windows

Understand how to configure Windows to log file integrity-related events and ship these to our SIEM platform.

Written by Daniel Sampson
Updated this week

File Integrity Monitoring (FIM) detects unauthorised changes to sensitive files on Windows systems by logging creations, modifications, and deletions. These real-time events can be forwarded to our SIEM platform for centralised alerting and investigation, providing early warning of malware, insider threats, or privilege abuse.

A powerful application of this is honeyfiles: decoy documents placed in sensitive-looking locations that legitimate users have no reason to open. Because nobody should touch them, any read, modification, or deletion of a honeyfile is a strong signal of reconnaissance, lateral movement, or exfiltration, with very few false positives.

This guide shows you how to enable native Windows FIM using local audit policies and Group Policy (GPO).

Before you get started

This guide assumes that you're already shipping Windows logs to our SIEM platform from the hosts you wish to enable FIM for. If this isn't the case, please start by completing the steps outlined in the following guide.

Configuring FIM on a single Windows host

Enabling file auditing in Windows

  1. Open Local Security Policy by pressing Windows key + R on your keyboard

  2. Next, type secpol.msc and hit Enter

  3. Expand Advanced Audit Policy Configuration > System Audit Policies – Local Group Policy Object

  4. Next, select Object Access

  5. Then, double-click Audit File System from the right-hand pane and select the following options

    1. Configure the following audit events

      1. Success

      2. Failure

  6. Once done, click Apply, then OK

  7. Finally, to make the policy changes active, reboot the machine or open Command Prompt as an Administrator and run gpupdate /force

Configuring the file(s)/folder(s) you'd like audited

Avoid auditing large volumes of files or folders. This will generate significant volumes of logs and will impact the host's performance.

  1. Navigate to the folder or file you want to monitor and right-click

  2. Select Properties and navigate to the Security tab

  3. Next, click the Advanced button and select the Auditing tab

  4. Click Add and in the Auditing Entry window, click Select a principal

  5. In the box, type Everyone and then click Check Names, which should cause 'Everyone' to be underlined

  6. Now select OK

  7. Next, set Type to All

  8. Under Basic permissions, tick Full control

  9. Now select OK

  10. Finally, back in the Advanced window, click Apply, then OK and close the remaining property windows by clicking OK

Verifying auditing is enabled and logs are flowing to the SIEM platform

  1. Log in to your my.defense.com account

  2. Navigate to SIEM > Log Search and enter the following into the Search Query field Type:winlogbeat AND event.code:4663 AND ObjectName:*ADD HERE*. Replace "ADD HERE" with the name of the folder or file that auditing was applied to.

  3. If results are returned from the search, logs are flowing as expected.
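The single-host procedure above, end to end, as an added PowerShell example (this is not code from the original article): it creates an assumed honeyfile folder and decoy document, enables the File System audit subcategory with auditpol, makes subcategory settings override the legacy category settings, and applies the same SACL the Auditing tab steps produce. Run it from an elevated PowerShell prompt; the folder path and file name are placeholders to change for your environment.

```powershell
# Added example, not from the original article. Run as Administrator.
# Assumed decoy location and file name; pick a path that looks valuable and that
# no legitimate process (backup, AV, indexing) is scheduled to walk.
$HoneyDir  = 'C:\Finance\Payroll-Archive'
$HoneyFile = Join-Path $HoneyDir 'Salaries-2024.xlsx'

# 1. Create the decoy folder and file if they are missing. Nobody should ever
#    open these, so any 4663 event for this path is alert-worthy.
if (-not (Test-Path $HoneyDir))  { New-Item -ItemType Directory -Path $HoneyDir | Out-Null }
if (-not (Test-Path $HoneyFile)) { Set-Content -Path $HoneyFile -Value 'CONFIDENTIAL - do not distribute' -Encoding UTF8 }

# 2. Enable Object Access > Audit File System for Success and Failure. This is
#    the same setting as the secpol.msc steps, applied without the GUI.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. Make advanced (subcategory) audit policy win over legacy category policy.
#    This is the registry value behind "Audit: Force audit policy subcategory
#    settings ... to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 4. Add the SACL entry: principal Everyone, Type All (success + failure),
#    Full control, inherited by subfolders and files. Equivalent to the
#    Auditing tab steps. Set-Acl needs SeSecurityPrivilege, hence elevation.
$acl  = Get-Acl -Path $HoneyDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'FullControl',
    'ContainerInherit, ObjectInherit',   # InheritanceFlags
    'None',                              # PropagationFlags
    'Success, Failure'                   # AuditFlags
)
$acl.AddAuditRule($rule)
Set-Acl -Path $HoneyDir -AclObject $acl

# 5. Show what was applied so it can be checked before looking in the SIEM.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $HoneyDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

The auditpol change takes effect immediately, so there is no need to reboot or run gpupdate after this script. The SACL uses Full control rather than a narrower right because a honeyfile should fire on any access, including reads; on a busy production folder you would scope the rights (for example Write, Delete, and Change permissions only) to keep 4663 volume down.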

And that’s it! You’ve successfully configured file integrity monitoring on Windows. 🎉

Configuring FIM using GPO

Creating a Group Policy Object

  1. Log in to a domain controller

  2. Press the Windows key, type: gpmc.msc and hit Enter

  3. Click Create a GPO in this domain

  4. Name it something clear, for example: File Auditing – Enable 4663 Logging

  5. Right-click the new GPO and select Edit

  6. In the GPO editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access

  7. Then, double-click Audit File System from the right-hand pane and select the following options

    1. Configure the following audit events

      1. Success

      2. Failure

  8. Once done, click Apply, then OK

  9. Next, ensure Windows applies advanced (subcategory) audit policy rather than the legacy category-level policy; otherwise the Audit File System setting above may be ignored. To do this, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  10. Now find Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings and set it to Enabled. This makes the subcategory settings you configured take precedence over any category-level audit policy on the host

Deploying the System Access Control List (SACL) using GPO

A GPO cannot directly edit the SACL of a specific file, but you can deploy a prebuilt SACL using the File System GPO setting. This tells Windows to apply these auditing settings to this exact folder on every machine.

  • The folder must already exist on the target machines

  • You can’t directly audit a single file, but you can audit the folder containing it

  • If the folder doesn’t exist, the GPO won’t create it; deploy the folder first using a startup script or a Group Policy Preference (Computer Configuration > Preferences > Windows Settings > Folders)

  1. In the same GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System

  2. Now, right-click File System and select Add File

  3. Browse to the exact folder path you want to monitor. After selecting the folder, click OK

  4. Next, head to the Auditing tab and click Add

  5. In the Auditing Entry window, configure the following settings

    1. Principal: Everyone (or your chosen group)

    2. Type: All

    3. Applies to: This folder, subfolders and files

    4. Under permissions, tick Full control

  6. Then, finally, click OK

Verifying auditing is enabled and logs are flowing to the SIEM platform

  1. Using a host connected to the domain, open Command Prompt and run: gpupdate /force (a reboot may be required).

  2. Navigate to the folder that's being audited and create/edit/delete files within the folder

  3. Next, log in to your my.defense.com account

  4. Navigate to SIEM > Log Search and enter the following into the Search Query field Type:winlogbeat AND event.code:4663 AND ObjectName:*ADD HERE*. Replace "ADD HERE" with the name of the folder or file that auditing was applied to.

  5. If results are returned from the search, logs are flowing as expected.
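When the SIEM search returns nothing, the first question is whether the host is producing 4663 events at all or whether shipping is the problem. The following added PowerShell example (not code from the original article) reads recent 4663 events straight from the host's Security log, keeps those under the audited folder, and decodes the subject, process, and access mask so the output matches what you would expect to see in Log Search. The folder path and the one-hour window are assumptions.

```powershell
# Added example, not from the original article. Run as Administrator on an
# audited host (reading the Security log requires elevation).
$WatchPath = 'C:\Finance\Payroll-Archive'   # assumed; must match the folder carrying the SACL
$Since     = (Get-Date).AddHours(-1)        # assumed look-back window

# Subset of the access-right bits carried in the 4663 AccessMask field.
$AccessNames = @{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}

function ConvertTo-AuditRecord {
    # Flatten the EventData of one 4663 record into a simple object.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $mask  = [int]$data['AccessMask']           # field is a hex string such as '0x2'
    $names = $AccessNames.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $AccessNames[$_] }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process = $data['ProcessName']
        Object  = $data['ObjectName']
        Access  = ($names -join ', ')
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $record = ConvertTo-AuditRecord -Event $e
    if ($record.Object -like "$WatchPath*") { $record }
}

if (-not $hits) {
    Write-Warning "No 4663 events under $WatchPath since $Since. Check 'auditpol /get /subcategory:""File System""' and the folder's SACL before blaming log shipping."
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

If this shows events but the SIEM search does not, the audit configuration is fine and the gap is in forwarding (the Security channel not being collected, or the agent not running). If it shows nothing after you have created, edited, and deleted a file in the folder, the GPO has not applied to this host yet or the subcategory override setting is missing.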

And that’s it! You’ve successfully configured file integrity monitoring using GPO.🎉
