This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

File Integrity Monitoring FIM using Auditbeat module

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

File Integrity Monitoring FIM using Auditbeat module

Go to solution
Optimizer
L1 Bithead

‎11-15-2022 07:03 AM

Hello,

 

Looking to set up FIM using the Cortex XDR agent and from what I have found so far, it seems unsupported. Has anyone set up FIM using any method?

 

The only possible option I have found so far is maybe using an auditbeat with the FIM module:

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html#_how_it...

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
mavraham
L4 Transporter

‎11-15-2022 09:26 AM - edited ‎11-15-2022 09:28 AM

Hi @Optimizer , thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL. 
Please see a few examples below:


1. XQL Based Correlation Rule : Monitor /etc/, usr/local/share/, /usr/share/ for any conf file modifications:

dataset = xdr_data
|filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter lowercase(action_file_path) in ("/etc/*","/usr/local/share/*","/usr/share/*") and action_file_extension in ("conf","txt")
| fields action_file_name , action_file_path , action_file_type , agent_ip_addresses , agent_hostname, action_file_path
 
2. BIOC rule to monitor Apache2 configuration file (please see attached screenshot below). 
 
You should of course make changes to the file paths based on the files you are looking to monitor.

Let me know if the provided examples helped you in your case!
 

 

mavraham_0-1668532826398.png

 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

View solution in original post

(1)
9 REPLIES 9

Go to solution
Optimizer
L1 Bithead

‎11-15-2022 08:34 AM

Looking into this further. BIOC rules seem to be what I'm looking for, but I am not certain how to set my specific file paths I want to be monitored. 

When I test creating my own BIOC rule, I cannot find the files I am looking for in the provided list

0 Likes Likes

Go to solution
mavraham
L4 Transporter

‎11-15-2022 09:26 AM - edited ‎11-15-2022 09:28 AM

Hi @Optimizer , thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL. 
Please see a few examples below:


1. XQL Based Correlation Rule : Monitor /etc/, usr/local/share/, /usr/share/ for any conf file modifications:

dataset = xdr_data
|filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter lowercase(action_file_path) in ("/etc/*","/usr/local/share/*","/usr/share/*") and action_file_extension in ("conf","txt")
| fields action_file_name , action_file_path , action_file_type , agent_ip_addresses , agent_hostname, action_file_path
 
2. BIOC rule to monitor Apache2 configuration file (please see attached screenshot below). 
 
You should of course make changes to the file paths based on the files you are looking to monitor.

Let me know if the provided examples helped you in your case!
 

 

mavraham_0-1668532826398.png

 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

(1)

Go to solution
Optimizer
L1 Bithead
In response to mavraham

‎11-15-2022 10:09 AM

Thank you, this helped a lot!

0 Likes Likes

Go to solution
PC-TomS
L3 Networker
In response to Optimizer

‎07-26-2023 08:46 AM

I finally got around to working on this, and... still need to configure some more, but it works.

dataset = xdr_data |filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter action_file_path in ("C:\Program Files (x86)\*","C:\Program Files\*","C:\ProgramData\*") and action_file_name contains ".exe"
|fields agent_hostname, agent_ip_addresses , action_file_name, action_file_path, action_file_type

 

Go to solution
danlav
L1 Bithead
In response to Optimizer

‎11-15-2023 04:09 PM

Hi Optimizer,

I'm looking for a solution to meet the 11.5 (FIM) requirement of PCI. Did Cortex XDR BIOC meet your FIM requirements?

0 Likes Likes

Go to solution
T.Andriawan
L1 Bithead

‎03-19-2024 11:42 PM

Dear all,

 

I'm looking for FIM on Linux (etc/shadow), for the examples are the difference (object before and after) and then the process name like "/usr/sbin/sshd" or "/usr/sbin/userdel". How to show it on XQL Query? Thanks

0 Likes Likes

Go to solution
T.Andriawan
L1 Bithead
In response to T.Andriawan

‎03-20-2024 01:24 AM

Any solution of that? Thankyou

0 Likes Likes

Go to solution
p.Dugan005079
L1 Bithead

‎02-13-2025 01:58 PM - edited ‎02-13-2025 01:59 PM

The XDR agent doesn't have full FIM coverage. It doesn't calculate the hash after every change, certain paths aren't monitored, and if the host is too active then that can cause file events to not be reported to the tenant's backend database.
You can monitor for processes touching certain directories and can set BIOCs or correlation rules to trigger on file events on certain directories, but it's not 100% coverage. If you have a scrupulous auditor, or an application team that tracks every change made during a change window on a host, there's a good chance it'll end up being a finding on your auditor's report.

If you want full FIM monitoring on linux and use XDR Pro per GB/TB, look into using AuditBeats, specify the directories to monitor, and send that data in via HTTP Collectors. Prisma Cloud's Defender may provide better FIM coverage but I haven't personally tested.

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html
https://docs.prismacloud.io/en/compute-edition/31/admin-guide/install/deploy-defender/app-embedded/c...

Osquery & Fleet are other viable option for FIM as well. 
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
https://fleetdm.com/ 

0 Likes Likes

Go to solution
p.Dugan005079
L1 Bithead
In response to T.Andriawan

‎02-13-2025 02:10 PM

Isn't possible with XQL directly, as it doesn't read the file contents.

0 Likes Likes
  • 1 accepted solution
  • 8846 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks