Hi @Optimizer, thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL.
Please see a few examples below:

1. XQL-based correlation rule: monitor /etc/, /usr/local/share/ and /usr/share/ for any conf file modifications:

dataset = xdr_data
| filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME)
| filter lowercase(action_file_path) in ("/etc/*", "/usr/local/share/*", "/usr/share/*") and action_file_extension in ("conf", "txt")
| fields action_file_name, action_file_path, action_file_type, agent_ip_addresses, agent_hostname
 
2. BIOC rule to monitor the Apache2 configuration file (please see the attached screenshot below).
 
You should of course make changes to the file paths based on the files you are looking to monitor.

Let me know if the provided examples helped you in your case!
[Attached screenshot: mavraham_0-1668532826398.png]

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

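As an added example (not part of the original post), the correlation above can be narrowed to the Apache2 configuration directories and enriched with the process and user that made the change, which is what an analyst needs when triaging a FIM hit. The fields actor_process_image_name, actor_process_command_line, actor_effective_username, action_file_sha256 and action_file_previous_file_path are assumed to be present in xdr_data, and the package-manager names are an assumed allowlist to tune for your own hosts.

```xql
// Added example: attribute Apache2 config changes to a process and user,
// and drop writes made by package managers that legitimately update these files.
// Field names are assumed from the xdr_data schema; verify them in your tenant.
dataset = xdr_data
| filter event_type = FILE
    and event_sub_type in (ENUM.FILE_CREATE_NEW, ENUM.FILE_WRITE, ENUM.FILE_REMOVE, ENUM.FILE_RENAME)
| filter agent_os_type = ENUM.AGENT_OS_LINUX
| filter lowercase(action_file_path) in ("/etc/apache2/*", "/etc/httpd/*")
    and action_file_extension in ("conf", "load")
// Assumed allowlist: package managers are expected to touch these files during updates.
| filter not (lowercase(actor_process_image_name) in ("dpkg", "apt", "apt-get", "rpm", "yum", "dnf"))
| fields _time, agent_hostname, agent_ip_addresses,
         event_sub_type, action_file_path, action_file_previous_file_path,
         action_file_sha256,
         actor_effective_username, actor_process_image_name, actor_process_command_line
| sort desc _time
```

The same filter block can be saved as a correlation rule so that each hit produces an alert carrying the acting process and user rather than only the file path.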