FIM Configuration

Modified on Thu, 24 Jul at 4:37 PM

Overview

The steps below will help you integrate the File Integrity Monitoring (FIM) feature with ADR SIEM so that you have comprehensive visibility and proactive threat detection in your environment. These steps set up log forwarding from your firewall to the Analytics and Policy Engine (APE) via the Collection and Control Engine (CCE).


The FIM feature monitors and detects file changes that could indicate a cyberattack. This is known as change monitoring. This article will help you assign file audit permissions to a given folder, sub-folder, or drive, enabling Windows and the EDR agent to monitor and raise file access events.


Note: To configure the File Integrity Monitoring (FIM) feature, the EDR license must be enabled and the EDR agent must be installed on the host.


Update Audit Permissions - Windows Only

For Windows endpoints, audit settings must be changed on each endpoint path that needs to be monitored. Follow the instructions below to assign file audit permissions.

  1. Navigate to the directory path of the child folder that you want to monitor.
  2. Right-click the folder and select Properties.
  3. Go to the Security tab. Select Advanced.
  4. Click on the Auditing tab and click Add.
  5. Click 'Select a principal' to define which principal to audit actions for. In this example, we will configure it for Everyone. Other principals include:
  6. In the 'Enter the object name to select' box, type "Everyone".
    1. Click Check Names. If typed correctly, "Everyone" will be underlined.
    2. Click OK to confirm.
  7. After selecting the principal, click on 'Show Advanced Permissions'. Select 'Full control' to select all entries.
  8. After applying all permissions, click OK.
  9. Apply and save the changes.
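The same audit entry the GUI steps above create can be applied from an elevated PowerShell session. This is an added example, not part of the original article; $FolderPath is an assumed placeholder for the folder you want to monitor.

```powershell
# Added example (not from the original article): add a file-audit entry for
# Everyone with Full control, inherited by subfolders and files, auditing both
# successful and failed access. $FolderPath is an assumed placeholder.
$FolderPath = 'C:\Monitored\Finance'

# Everyone, addressed by its well-known SID so the script is locale-independent.
$identity    = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $identity, $rights, $inheritance, $propagation, $auditFlags)

# -Audit is required so the SACL (not just the DACL) is read; writing it back
# needs SeSecurityPrivilege, hence the elevated session.
$acl = Get-Acl -Path $FolderPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Show the resulting audit entries so the change can be confirmed.
(Get-Acl -Path $FolderPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```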


FIM Configuration

Note: For Linux and Mac, you will need root permission. No changes are needed on the endpoints, but allow at least 30 minutes to configure FIM after the endpoint agents are installed.


  1. Log in to the ADR user interface and go to the tenant level.
  2. Go to Administration > Add-On Store.
  3. Enter "FIM Configuration" in the search box and install it.
  4. Navigate to the FIM Configuration screen under the Provisioning Tab.
  5. Click on the Add button to configure the path for which you assigned the permissions in the above steps. Fill in the necessary details and save the settings.
    1. Configuration Name: Add a configuration name to identify the host being monitored.
    2. Description: Add a description for the endpoint being monitored.
    3. Platform: Select the operating system platform of the host machine (Windows, Linux, or MacOS).
    4. Host Name: Add the host name of the machine being monitored. The EDR agent must be running on that machine. You can get the host name by running the hostname command on the machine's console.
    5. Monitor Actions: Select which actions you would like to monitor:
      • Create (Creating any file/directory in the configured path).
      • Modify (Modifying any file/directory in the configured path).
      • Delete (Deleting any file/directory in the configured path).
    6. Location/Path: Add the path to be monitored on the specified host.
  6. Select Save.


After saving, you should start receiving events for the configured monitor actions on these paths.


Verification

To verify FIM logs in Deep Tracker UI, follow these steps:

  1. Log in to the UI portal. Click on the Threat Hunting tab and select Deep Tracker.
  2. Choose the time range for which you want to view the FIM logs.
  3. Navigate to the Sources data type and select EDR.
  4. Select event type name equal to File Audit Trail or search "File Audit Trail" in Lucene Query.
  5. Click on the Submit button to view all host logs visible on the UI.


Troubleshooting

For debugging purposes, if win_fim_events are not generated, follow these steps:

  1. Check for Windows event with ID 4663 from the event viewer.
  2. Check the audit policy settings below using PowerShell. If events are not showing in the event viewer, update the policy to allow file system auditing. Note: This setting is already applied by the installer.
    Auditpol /get /category:"Object Access" /subcategory:"File System","File Share"
  3. To enable auditing, use the following command:
    Auditpol /set /category:"Object Access" /subcategory:"File System","File Share" /success:enable


This should help you enable auditing for the file system and generate win_fim_events.


If events are still not generated, follow these steps.

  1. Open the event viewer from search.
  2. Navigate to Windows logs > Security.
  3. Click on Filter Current Log from the right side.
  4. Under "all event id", enter 4663 and click OK.
  5. Click on Details in the middle portion of the screen.
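Both troubleshooting checks above (the auditpol policy check and the Event Viewer filter on event ID 4663) can be run together from PowerShell. This is an added example, not part of the original article; $FolderPath and $MaxEvents are assumed placeholders.

```powershell
# Added example (not from the original article): confirm that File System
# auditing is enabled, then list recent 4663 events for objects under the
# monitored path. $FolderPath and $MaxEvents are assumed placeholders.
$FolderPath = 'C:\Monitored\Finance'
$MaxEvents  = 50

# 1. Same check as the auditpol command above; /r returns CSV we can parse.
$policy  = auditpol /get /subcategory:"File System" /r | ConvertFrom-Csv
$setting = ($policy | Where-Object { $_.Subcategory -eq 'File System' }).'Inclusion Setting'
if ($setting -notmatch 'Success') {
    Write-Warning "File System auditing is '$setting'; 4663 events will not be generated."
}

# 2. Pull 4663 (object access) events from the Security log, flatten the
#    EventData fields, and keep only objects under the monitored path.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
              -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$FolderPath*" } |
    Select-Object -First $MaxEvents

if (-not $events) {
    Write-Warning "No 4663 events found under $FolderPath. Verify the folder's SACL and the audit policy."
} else {
    $events | Format-Table -AutoSize
}
```

If the policy check passes but no events appear, the folder's audit entry (SACL) is the next thing to verify.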


