Implementing File Integrity Monitoring (FIM) with Splunk
Introduction
Using File Integrity Monitoring (FIM) to protect the filesystem was the primary focus of day eight. To identify unauthorized modifications to essential files and folders and gain insight into any tampering or malicious activity, I used Splunk's FIM capabilities. This exercise brought home the significance of ongoing monitoring in maintaining system integrity and improving forensic readiness.
Objective
Configure Splunk to monitor essential files and folders for changes, establishing a fundamental control for detecting unauthorized modifications.
What is File Integrity Monitoring (FIM)?
File Integrity Monitoring (FIM) is a security process that tracks and analyzes changes to critical files and directories to ensure their integrity. It detects unauthorized modifications, additions, or deletions, helping organizations identify potential security breaches or system compromises. In short, FIM monitors, and alerts on, changes to files and directories on critical systems.
Why is it Critical?
To Detect Malware: Ransomware encrypting files? A virus replacing a system DLL? FIM sees it.
To Identify Breaches: Attackers often leave backdoors or modify configuration files to maintain access.
To Meet Compliance: Standards like PCI DSS, SOX, and HIPAA require FIM on critical assets.
It's like a security camera that records everyone who enters and exits a secure room, as well as what they touch.
Accessing the Configuration
Telling Splunk What to Watch
Log in to your Splunk Enterprise instance.
Navigate to Settings > Data inputs.
Click on Files and Directories.
This is where you define what to monitor. You can configure this on the Splunk server itself or, more powerfully, on a specific Universal Forwarder.
Monitoring files
The file path I am monitoring is here
Configuring a Monitor: Setting the Watch on a Critical File
Click on New > Add new next to "Files & Directories".
Specify the Path to Monitor: C:\Users\Administrator\Desktop\important_file.txt
Set the Sourcetype. It is best practice to set this to a specific value, such as fim:monitor, so the events are easy to search for later.
Select the Host. Choose the host where the Universal Forwarder is installed that has access to this file.
Click Review > Submit.
Generating and Seeing the Data
Testing Your Digital Tripwire
How to test: modify the file you are monitoring.
Open the file in Notepad.
Add a new line of text or change a single character.
Save the file.
Search for file source
Since I set it up to monitor every file on the desktop, the event log captures all files in this directory.
Here, at the search prompt, I narrow the search to a particular file called testfile in the desktop directory.
File modification event alert
The Search to See the Change:
sourcetype="fim:monitor" host="YOUR_HOSTNAME"
Here are the events that appear showing that Splunk detected the change.
Searching FIM Data
Finding the Needle in the Haystack
Basic Search: Find all modifications to a specific path.
sourcetype="fim:monitor" action="modify" path="*\Desktop\*"
Advanced Search: Look for suspicious activity, like changes to system directories by a non-system user.
sourcetype="fim:monitor" (path="*\Windows\*" OR path="*\Program Files\*")
(user!="SYSTEM" AND user!="LOCAL SERVICE")
| stats count by path, action, user
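To make concrete what the action, path and user fields in these searches represent, here is an added Python illustration of the FIM principle itself. It is not Splunk's Files & Directories input and not the author's setup: it hashes a directory into a baseline, re-scans it, and emits one key=value line per added, modified or deleted file, which a Universal Forwarder could index as sourcetype fim:monitor. The temp directory, the file names and the user value demo_user are constructed for the demo.

```python
"""Hash-baseline file integrity check, added to illustrate the FIM principle
(not Splunk's Files & Directories input, not the author's setup). Each change
becomes a key=value line using this page's search fields (action, path, user)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root to its SHA-256: the 'known good' state."""
    return {str(p): sha256_hex(p.read_bytes()) for p in root.rglob("*") if p.is_file()}


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots into FIM events: files added, modified or deleted."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            action = "add"
        elif path not in current:
            action = "delete"
        elif baseline[path] != current[path]:
            action = "modify"
        else:
            continue  # unchanged file: no event, so the alert search stays quiet
        events.append({"action": action, "path": path,
                       "old_hash": baseline.get(path, ""), "new_hash": current.get(path, "")})
    return events


def to_event_line(event: dict, user: str) -> str:
    """Splunk-friendly key=value line; the caller supplies 'user' because tying a
    change to an account needs OS audit data, which a content hash cannot give."""
    return " ".join(f'{k}="{v}"' for k, v in {**event, "user": user}.items())


def demo() -> list:
    """Constructed scenario: baseline a temp directory, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "important_file.txt").write_text("original")
        base = build_baseline(root)
        (root / "important_file.txt").write_text("original, edited")  # modify
        (root / "dropped.exe").write_bytes(b"MZ")                      # add
        return [to_event_line(ev, "demo_user") for ev in compare(base, build_baseline(root))]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints two events, an add for dropped.exe and a modify for important_file.txt, in exactly the shape the searches above filter on.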
From Monitoring to Alerting
Automating the Response
How to Create a FIM Alert:
Save one of your FIM searches (e.g., the "Advanced Search" above).
Click Save As > Alert.
Schedule: Run every minute or in real-time.
Trigger: Alert when the number of results is greater than 0.
Action: Send an email to the security team stating: "Critical file modification detected on $host$ by $user$".
Day 8 Reflection: Proactive Defense
Goal Achieved:
Successfully configured Splunk to monitor file changes and tested the detection.
FIM moves you from a reactive security posture (investigating after an incident) to a more proactive one (being alerted as a change happens). Today, I was able to monitor a simple file on a desktop, which illustrates the same principle that applies to the most critical systems in an enterprise.