Hi @Optimizer , thanks for writing to Live Community.
You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL.
Please see a few examples below:
1. XQL-based correlation rule: monitor /etc/, /usr/local/share/ and /usr/share/ for any conf file modifications:
dataset = xdr_data
| filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME)
| filter lowercase(action_file_path) in ("/etc/*", "/usr/local/share/*", "/usr/share/*") and action_file_extension in ("conf", "txt")
| fields action_file_name, action_file_path, action_file_type, agent_ip_addresses, agent_hostname
2. BIOC rule to monitor the Apache2 configuration file (please see the attached screenshot below).
You should of course make changes to the file paths based on the files you are looking to monitor.
Let me know if the provided examples helped you in your case!
Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events:
Cortex XDR Customer Corner
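The query in the answer above tells you that a watched file changed, but not who changed it. As an added example that is not part of the original post, the XQL below extends the same file-event filter with the acting process and user, drops changes made by the package managers so routine updates do not page anyone, and then summarises the remaining changes per host and file so the result can drive a scheduled report as well as a correlation rule. The field names actor_process_image_name, actor_process_command_line and actor_effective_username, the `~=` regular-expression operator and the package-manager exclusion list are assumptions of this example; check them against your tenant's xdr_data schema before using it.

```xql
// Added example, not from the original post. Assumes the actor_* fields
// named below exist in xdr_data and that ~= performs a regex match.
dataset = xdr_data
// Same file-event classes as the correlation rule in the answer
| filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME)
// Anchor the path match at the start so "/home/x/etc/app.conf" does not match
| filter lowercase(action_file_path) ~= "^/(etc|usr/local/share|usr/share)/" and action_file_extension in ("conf", "txt")
// Assumed exclusion list: package-manager writes are expected; everything else is of interest
| filter actor_process_image_name != "dpkg" and actor_process_image_name != "rpm" and actor_process_image_name != "apt" and actor_process_image_name != "yum"
// Keep the context an analyst needs to triage one alert
| fields _time, agent_hostname, agent_ip_addresses, event_sub_type, action_file_path, actor_effective_username, actor_process_image_name, actor_process_command_line
// Roll up for a report: how often each file changed, by whom, and when
| comp count(action_file_path) as modifications, min(_time) as first_seen, max(_time) as last_seen by agent_hostname, action_file_path, actor_effective_username, actor_process_image_name
| sort desc modifications
```

Use the query without the final `comp` and `sort` stages as the correlation rule (one alert per change with the actor fields attached), and with them as the report. The exclusion list is the part to tune: anything an attacker could reasonably run, such as a shell or an editor, should stay in scope, while the package manager of the distribution in question should not.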