Monitoring Splunk

File Integrity Monitoring using Splunk

koshyk
Super Champion

As Splunk is being recognized as a strategic tool, more and more requests are coming in asking if Splunk can be used for one thing or another.
So this time, the query was "Can Splunk be used as / replace a File Integrity Monitoring (FIM) tool?"

So the idea is, since the Splunk UF is installed on the majority of hosts/clients, rather than indexing the whole file, the UF needs to send information on whether the file has been modified or NOT (e.g. if the cksum got modified). Personally, I was thinking of writing it as an "APP" which should cater for Windows/Linux etc. But I was checking if you guys have done anything similar to replace professional FIM tools?

0 Karma

matthewssa
Path Finder

For Linux I used AIDE and ingested those reports with Splunk to monitor file integrity on systems.

DBattisto
Communicator

Hey Matthew, would you be willing to share a few more details about how you manage this? I'm researching ways to take /var/log/aide/aide.log and use that to create a dashboard of new files from directories we care about. Did you have to set up a custom props.conf or was it fairly straightforward? Do you do this manually or does hvyfwd/rsyslog take care of the forwarding for you?

0 Karma

koshyk
Super Champion

Voted up. Anything for Windows in a similar fashion?

0 Karma

matthewssa
Path Finder

I haven't actually built a solution for the Windows side, but Tripwire might be something you may want to look into. The upside to this is that it is also available for Linux, so it might be useful if you want to only use one solution instead of using both Tripwire and AIDE. I used AIDE for Linux only because it came pre-installed on our systems.

0 Karma

DavidHourani
Super Champion

Great idea @koshyk, the only problem is that integrity is not one of Splunk's strong points, because by design, and even when leveraging data integrity control, data can still be tampered with and Splunk will not detect it. https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Dataintegritycontrol

So I would say yes, it is a smart way to easily leverage UFs and collect checksums, but will the stored checksums on Splunk be reliable? That's the real question ^^

Either way, go for it, I'm sure tons of people would love to use such an application.

0 Karma

koshyk
Super Champion

Thanks mate for your support. I was just checking if anyone has done it already to reduce my pain 🙂

0 Karma

starcher
SplunkTrust

I agree with David. Splunk is not an endpoint tool. You should use EDR tools that perform that function. And that kind of data tends to be massive and hard to search and correlate at any kind of scale, even if you get raw hash values on a schedule using tools like osquery. So invest in endpoint tools that can monitor and alert just on the change.

0 Karma

koshyk
Super Champion

I can see pros and cons to your argument. Introducing an endpoint tool and deploying it across the estate when the Splunk UF is already installed is hard to digest. IMO, at the end of the day everything is data, as it is just getting data into Splunk and checking if it changed from the previous iteration.

0 Karma
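The approach sketched in the opening post (the UF sends a change event rather than the file itself) and restated in the reply just above (compare against the previous iteration and only report what changed) can be prototyped as a UF scripted input. The script below is an added illustration, not code from any poster or from Splunk; the baseline location `/var/lib/fim_baseline.json`, the watch list `/etc` and the `key="value"` event layout are assumptions chosen for the example. It walks the watched directories, hashes regular files with SHA-256, diffs the result against the previous run's baseline, prints one event per added, removed or modified file to stdout (which the UF indexes) and then rewrites the baseline. Note David's caveat applies unchanged: the baseline lives on the endpoint, so an attacker with write access there can reset it, which is why a detection should also alert on the baseline file itself changing or on a scan producing an unexpectedly empty diff.

```python
#!/usr/bin/env python3
"""Hypothetical Splunk UF scripted input: emit one event per changed file.

Scheduled from inputs.conf; everything written to stdout is indexed by Splunk.
Only differences against the previous run's baseline are emitted, so volume
stays small compared with indexing the monitored files themselves.
"""
import hashlib
import json
import os
import stat
import time
from typing import Dict, List

BASELINE_FILE = "/var/lib/fim_baseline.json"  # assumed path for this example
WATCH_PATHS = ["/etc"]                         # assumed watch list for this example
TRACKED = ("sha256", "size", "mode", "uid")    # fields whose change counts as a modification


def hash_file(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(paths: List[str]) -> Dict[str, dict]:
    """Snapshot every regular file under the given roots (symlinks are not followed)."""
    state: Dict[str, dict] = {}
    for root_path in paths:
        for root, _dirs, files in os.walk(root_path):
            for name in files:
                full = os.path.join(root, name)
                try:
                    st = os.lstat(full)
                    if not stat.S_ISREG(st.st_mode):
                        continue
                    state[full] = {
                        "sha256": hash_file(full),
                        "size": st.st_size,
                        "mtime": int(st.st_mtime),   # recorded for context, not a trigger
                        "mode": oct(st.st_mode & 0o7777),
                        "uid": st.st_uid,
                    }
                except OSError:
                    continue  # unreadable or vanished between walk and stat
    return state


def diff_baseline(old: Dict[str, dict], new: Dict[str, dict]) -> List[dict]:
    """Return one event dict per added, removed or modified path, sorted by path."""
    events: List[dict] = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append({"action": "added", "path": path, **new[path]})
        elif path not in new:
            events.append({"action": "removed", "path": path,
                           "old_sha256": old[path]["sha256"]})
        else:
            changed = [k for k in TRACKED if old[path].get(k) != new[path].get(k)]
            if changed:  # an mtime-only change (touch) is deliberately ignored
                ev = {"action": "modified", "path": path,
                      "changed": ",".join(changed), "old_sha256": old[path]["sha256"]}
                ev.update(new[path])
                events.append(ev)
    return events


def format_event(event: dict, ts: float = None) -> str:
    """Render an event as a timestamped key="value" line Splunk auto-extracts."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(time.time() if ts is None else ts))
    parts = [f'{k}="{str(v).replace(chr(34), chr(92) + chr(34))}"' for k, v in sorted(event.items())]
    return f"{stamp}Z " + " ".join(parts)


def load_baseline(path: str) -> Dict[str, dict]:
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}  # first run, or unreadable baseline: everything will show as "added"


def run(baseline_file: str = BASELINE_FILE, watch_paths: List[str] = WATCH_PATHS) -> List[dict]:
    """One scheduled iteration: scan, diff, emit, persist. Returns the emitted events."""
    old = load_baseline(baseline_file)
    new = scan(watch_paths)
    events = diff_baseline(old, new)
    for ev in events:
        print(format_event(ev))
    tmp = baseline_file + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(new, fh)
    os.replace(tmp, baseline_file)  # atomic swap so a crash never leaves a half-written baseline
    return events


if __name__ == "__main__":
    run()
```

Wire it up with an `inputs.conf` `[script://...]` stanza on the UF, and search on `action=modified` or `action=removed` for the paths that matter; the `old_sha256` field lets you pivot to the last known-good hash.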