L3 Networker

Hi @Optimizer, thanks for writing to Live Community.

You are correct, the way to use File Integrity Monitoring with XDR is through BIOC rules, correlations and reports based on XQL. 
Please see a few examples below:

1. XQL-based correlation rule: monitor /etc/, /usr/local/share/ and /usr/share/ for any conf file modifications:

dataset = xdr_data
// only file-change sub-types; reads (FILE_OPEN) are deliberately left out
| filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME)
// path is normalised to lowercase before the wildcard match; extension is compared as-is
| filter lowercase(action_file_path) in ("/etc/*", "/usr/local/share/*", "/usr/share/*") and action_file_extension in ("conf", "txt")
| fields action_file_name, action_file_path, action_file_type, agent_ip_addresses, agent_hostname

2. BIOC rule to monitor the Apache2 configuration file (please see the attached screenshot below).
You should, of course, change the file paths to the files you are looking to monitor.

Let me know if the provided examples helped you in your case!
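The filter logic of the XQL correlation rule above, re-implemented locally so its matching behaviour can be checked against sample events offline. This is an added example, not code from the post or from Palo Alto Networks: the event records are constructed, the field names mirror the xdr_data columns the query uses, and the mock follows the query as written, lowercasing only the path and comparing the extension verbatim, on the assumption that XQL string comparisons are case-sensitive (which is why the query itself calls lowercase() on the path).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Mirrors the three filter clauses of the posted XQL rule.
WATCHED_PATH_GLOBS = ("/etc/*", "/usr/local/share/*", "/usr/share/*")
WATCHED_EXTENSIONS = ("conf", "txt")
FIM_SUBTYPES = frozenset({"FILE_CREATE_NEW", "FILE_WRITE", "FILE_REMOVE", "FILE_RENAME"})


@dataclass(frozen=True)
class FileEvent:
    """Subset of xdr_data columns the query touches (names as used in the query)."""
    event_type: str
    event_sub_type: str
    action_file_path: str
    action_file_extension: str
    agent_hostname: str


def matches_fim_rule(ev: FileEvent) -> bool:
    """Return True when the event would survive both |filter stages of the rule."""
    if ev.event_type != "FILE" or ev.event_sub_type not in FIM_SUBTYPES:
        return False
    # lowercase(action_file_path) in ("/etc/*", ...): the path is normalised and
    # '*' matches any run of characters, '/' included. fnmatchcase is used so no
    # OS-dependent case folding is applied on top of the explicit lower().
    path = ev.action_file_path.lower()
    if not any(fnmatchcase(path, glob) for glob in WATCHED_PATH_GLOBS):
        return False
    # action_file_extension in ("conf", "txt"): compared verbatim, no lowercase().
    return ev.action_file_extension in WATCHED_EXTENSIONS


def run_rule(events):
    """Apply the rule and project a few of the fields the |fields stage keeps."""
    return [
        {
            "agent_hostname": ev.agent_hostname,
            "event_sub_type": ev.event_sub_type,
            "action_file_path": ev.action_file_path,
        }
        for ev in events
        if matches_fim_rule(ev)
    ]


# Constructed sample events (not real agent telemetry).
SAMPLE_EVENTS = [
    FileEvent("FILE", "FILE_WRITE", "/etc/apache2/apache2.conf", "conf", "web01"),
    FileEvent("FILE", "FILE_CREATE_NEW", "/usr/share/doc/README.txt", "txt", "web01"),
    # extension stored in upper case: path matches, extension clause does not
    FileEvent("FILE", "FILE_WRITE", "/ETC/Cron.d/Backup.CONF", "CONF", "db01"),
    # extensionless config file: never matches the extension allow-list
    FileEvent("FILE", "FILE_WRITE", "/etc/ssh/sshd_config", "", "bastion"),
    # read, not a change: sub-type is excluded on purpose
    FileEvent("FILE", "FILE_OPEN", "/etc/hosts.conf", "conf", "db01"),
    # outside the watched directories
    FileEvent("FILE", "FILE_REMOVE", "/home/alice/notes.txt", "txt", "ws01"),
    # not a FILE event at all
    FileEvent("PROCESS", "PROCESS_START", "/etc/init.conf", "conf", "ws01"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Running it shows only the apache2.conf write and the README.txt creation surfacing. The two misses worth noting before adopting the rule as a FIM control are visible in the sample set: an extension recorded as "CONF" slips past the verbatim extension comparison, and extensionless files such as /etc/ssh/sshd_config (or /etc/sudoers, /etc/passwd) are never selected by an extension allow-list at all, so those paths need their own clause or a path-based rule like the Apache2 BIOC example.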
