Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

File Integrity Monitoring FIM using Auditbeat module

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

File Integrity Monitoring FIM using Auditbeat module

L1 Bithead

Hello,

 

Looking to set up FIM using the Cortex XDR agent and from what I have found so far, it seems unsupported. Has anyone set up FIM using any method?

 

The only possible option I have found so far is maybe using an auditbeat with the FIM module:

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html#_how_it...

1 accepted solution

Accepted Solutions

L4 Transporter

Hi @Optimizer , thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL. 
Please see a few examples below:


1. XQL Based Correlation Rule : Monitor /etc/, usr/local/share/, /usr/share/ for any conf file modifications:

dataset = xdr_data
|filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter lowercase(action_file_path) in ("/etc/*","/usr/local/share/*","/usr/share/*") and action_file_extension in ("conf","txt")
| fields action_file_name , action_file_path , action_file_type , agent_ip_addresses , agent_hostname, action_file_path
 
2. BIOC rule to monitor Apache2 configuration file (please see attached screenshot below). 
 
You should of course make changes to the file paths based on the files you are looking to monitor.

Let me know if the provided examples helped you in your case!
 

 

mavraham_0-1668532826398.png

 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

View solution in original post

7 REPLIES 7

L1 Bithead

Looking into this further. BIOC rules seem to be what I'm looking for, but I am not certain how to set my specific file paths I want to be monitored. 

When I test creating my own BIOC rule, I cannot find the files I am looking for in the provided list

L4 Transporter

Hi @Optimizer , thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL. 
Please see a few examples below:


1. XQL Based Correlation Rule : Monitor /etc/, usr/local/share/, /usr/share/ for any conf file modifications:

dataset = xdr_data
|filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter lowercase(action_file_path) in ("/etc/*","/usr/local/share/*","/usr/share/*") and action_file_extension in ("conf","txt")
| fields action_file_name , action_file_path , action_file_type , agent_ip_addresses , agent_hostname, action_file_path
 
2. BIOC rule to monitor Apache2 configuration file (please see attached screenshot below). 
 
You should of course make changes to the file paths based on the files you are looking to monitor.

Let me know if the provided examples helped you in your case!
 

 

mavraham_0-1668532826398.png

 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

Thank you, this helped a lot!

I finally got around to working on this, and... still need to configure some more, but it works.

dataset = xdr_data |filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME )
|filter action_file_path in ("C:\Program Files (x86)\*","C:\Program Files\*","C:\ProgramData\*") and action_file_name contains ".exe"
|fields agent_hostname, agent_ip_addresses , action_file_name, action_file_path, action_file_type

 

Hi Optimizer,

I'm looking for a solution to meet the 11.5 (FIM) requirement of PCI. Did Cortex XDR BIOC meet your FIM requirements?

L1 Bithead

Dear all,

 

I'm looking for FIM on Linux (etc/shadow), for the examples are the difference (object before and after) and then the process name like "/usr/sbin/sshd" or "/usr/sbin/userdel". How to show it on XQL Query? Thanks

Any solution of that? Thankyou

  • 1 accepted solution
  • 7291 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!