topic Re: File Integrity Monitoring FIM using Auditbeat module in Cortex XDR Discussions

File Integrity Monitoring FIM using Auditbeat module

Optimizer — Tue, 15 Nov 2022 15:03:20 GMT

Hello,

Looking to set up FIM using the Cortex XDR agent and from what I have found so far, it seems unsupported. Has anyone set up FIM using any method?

The only possible option I have found so far is maybe using an auditbeat with the FIM module:

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html#_how_it_works_2

Re: File Integrity Monitoring FIM using Auditbeat module

Optimizer — Tue, 15 Nov 2022 16:34:44 GMT

Looking into this further. BIOC rules seem to be what I'm looking for, but I am not certain how to set my specific file paths I want to be monitored.

When I test creating my own BIOC rule, I cannot find the files I am looking for in the provided list

Re: File Integrity Monitoring FIM using Auditbeat module

mavraham — Tue, 15 Nov 2022 17:28:38 GMT

Hi @Optimizer , thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL.
Please see a few examples below:

1. XQL Based Correlation Rule : Monitor /etc/, usr/local/share/, /usr/share/ for any conf file modifications:

dataset = xdr_data
|filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter lowercase(action_file_path) in ("/etc/*","/usr/local/share/*","/usr/share/*") and action_file_extension in ("conf","txt")
| fields action_file_name , action_file_path , action_file_type , agent_ip_addresses , agent_hostname, action_file_path

2. BIOC rule to monitor Apache2 configuration file (please see attached screenshot below).

You should of course make changes to the file paths based on the files you are looking to monitor.

Let me know if the provided examples helped you in your case!

Re: File Integrity Monitoring FIM using Auditbeat module

Optimizer — Tue, 15 Nov 2022 18:09:13 GMT

Thank you, this helped a lot!

Re: File Integrity Monitoring FIM using Auditbeat module

PC-TomS — Wed, 26 Jul 2023 15:46:05 GMT

I finally got around to working on this, and... still need to configure some more, but it works.

dataset = xdr_data |filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter action_file_path in ("C:\Program Files (x86)\*","C:\Program Files\*","C:\ProgramData\*") and action_file_name contains ".exe"
|fields agent_hostname, agent_ip_addresses , action_file_name, action_file_path, action_file_type

Re: File Integrity Monitoring FIM using Auditbeat module

danlav — Thu, 16 Nov 2023 00:09:50 GMT

Hi Optimizer,

I'm looking for a solution to meet the 11.5 (FIM) requirement of PCI. Did Cortex XDR BIOC meet your FIM requirements?

Re: File Integrity Monitoring FIM using Auditbeat module

T.Andriawan — Wed, 20 Mar 2024 06:42:59 GMT

Dear all,

I'm looking for FIM on Linux (etc/shadow), for the examples are the difference (object before and after) and then the process name like "/usr/sbin/sshd" or "/usr/sbin/userdel". How to show it on XQL Query? Thanks

Re: File Integrity Monitoring FIM using Auditbeat module

T.Andriawan — Wed, 20 Mar 2024 08:24:50 GMT

Any solution of that? Thankyou

Re: File Integrity Monitoring FIM using Auditbeat module

p.Dugan005079 — Thu, 13 Feb 2025 21:59:54 GMT

The XDR agent doesn't have full FIM coverage. It doesn't calculate the hash after every change, certain paths aren't monitored, and if the host is too active then that can cause file events to not be reported to the tenant's backend database.
You can monitor for processes touching certain directories and can set BIOCs or correlation rules to trigger on file events on certain directories, but it's not 100% coverage. If you have a scrupulous auditor, or an application team that tracks every change made during a change window on a host, there's a good chance it'll end up being a finding on your auditor's report.

If you want full FIM monitoring on linux and use XDR Pro per GB/TB, look into using AuditBeats, specify the directories to monitor, and send that data in via HTTP Collectors. Prisma Cloud's Defender may provide better FIM coverage but I haven't personally tested.

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html
https://docs.prismacloud.io/en/compute-edition/31/admin-guide/install/deploy-defender/app-embedded/config-app-embedded-fs-mon

Osquery & Fleet are other viable option for FIM as well.
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
https://fleetdm.com/

Re: File Integrity Monitoring FIM using Auditbeat module

p.Dugan005079 — Thu, 13 Feb 2025 22:10:07 GMT

Isn't possible with XQL directly, as it doesn't read the file contents.