Enabling File Integrity Monitoring on Windows with Osquery and EclecticIQ Endpoint Response

File Integrity Monitoring (FIM) is a security control that helps organizations ensure the integrity of their files and systems by monitoring changes to files and directories. FIM is an important security control needed for almost all kinds of compliance requirements, like PCI DSS, HIPAA, GDPR and ISO. The aim of FIM is to verify the integrity of application software files to determine if they have been tampered with or if a fraud has occurred by comparing them with a baseline. FIM solutions are also used to monitor activities on sensitive files (e.g. configuration as well as content files) and can trigger alerts based on rules around the access. FIM solutions use different methods, such as comparing file attributes (e.g., file size, timestamps, hashes) to detect changes, monitoring file access and modification events, or using machine learning to detect anomalous behaviour. Thereby, having a FIM solution is not only important from the standpoint of a compliance requirement, it also is an essential toolkit for security monitoring.

Figure 1: ChatGPT on FIM.

*This rule is only for demonstration purposes and can be very generic. Additional conditions should be added to get high-quality alerts.

Figure 3: Configuring a FIM rule in EclecticIQ Endpoint Response.

Once configured, the rule can be viewed in the “ER Rules” list.

Figure 4: Rule listing EclecticIQ Endpoint Response.

Once a rule is activated, every time the agent captures the matching behaviour, it will create an alert in the EclecticIQ Endpoint Response application. The EclecticIQ Endpoint Response application provides multiple options to triage the alerts, from monitoring raw alert to getting its full context and timeline of activities around it. The following figures provide the overview of EclecticIQ Endpoint Response capabilities to triage an alert.

Figure 5: Alert created by the FIM rule and timeline of activity on the endpoint.

Figure 6: Raw event on the file that matched the criteria.

Figure 7: Process tree graph of the process triggering the alert.

Given the extensive context around the FIM event that EclecticIQ Endpoint Response provides, it can pretty much serve any requirement of a FIM use case. But wait, it gets even better. Given that the entire EclecticIQ Endpoint Response agent leverages osquery’s SQL form factor for data collection, interesting set of live queries can be sent to the agent to connect, correlate and filter the data as to the needs of an analysts or an administrator tasked with FIM.

Figure 8: Example of leveraging osquery SQL to get event corelation.

The EclecticIQ Endpoint Response’s extension that collects the real-time file events on Windows and with native integration via osquery into file events on MacOS and Linux, makes EclecticIQ ER as a much more powerful application for getting cross-platform FIM with osquery.

About Endpoint Security Solution Assessment

About EclecticIQ Endpoint Response

About EclecticIQ Endpoint Response Community Edition

Related posts:

When it comes to managing waste and debris during home projects or cleanouts, a residential dumpster rental can be a game-changer. Whether you’re renovating your house, decluttering, or tackling a…

By adding small actions to our daily routine, we can program our brains to better tackle our goals. S.J. Scott calls this habit stacking, which goes something like this: We can create a sequence of…

Berlin is nothing if not a bundle of contradictions: The seat of the world’s most powerful export economy, it’s also an unabashed hub for outré hedonists. In recent years, however, these two…