 
					
				
		
As Splunk is being recognized as strategic tool , more and more requests are coming if Splunk can be used for one thing or another.. 
So this time, the query was "Can Splunk be used-as/replace File Integrity Monitoring(FIM) tool".
So the idea is, since Splunk UF is installed in majority of hosts/clients, rather than indexing the whole file, UF needs to send information if the file has modified or NOT (like if the cksum got modified). Personally, I was thinking to write it as an "APP" which should cater for Windows/Linux etc. But was checking if you guys have done anything similar to replace Professional FIM tools?
 
					
				
		
For Linux I used AIDE and ingested those reports with Splunk to monitor file integrity on systems.
Hey Matthew, would you be willing to share a few more details about how you manage this? I'm researching ways to take /var/log/aide/aide.log and use that to create a dashboard of new files from directories we care about. Did you have to set up custom props.conf or was it fairly straight forward? Do you do this manually or does hvyfwd/rsyslog take care of the forwarding for you?
 
					
				
		
voted up. anything for windows in similar fashion?
 
					
				
		
I haven't actually built a solution for the Windows side, but Tripwire might be something you may want to look into. The upside to this is it is also available for Linux so this might be useful if you want to only use one solution instead of using both Tripwire and AIDE. I used AIDE for Linux only because it came pre-installed on our systems.
 
					
				
		
Great idea @koshyk, only problem is that integrity is not a at one of Splunk's strong points though because by design and even when leveraging data integrity control data can still be tempered with and Splunk will not detect it. https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Dataintegritycontrol
So I would say yes it is a smart way to easy leverage UFs and collect checksums but will the stored checksums on Splunk be reliable ? That's the real question ^^
Either way go for it, i'm sure tons of people would love to use such an application
 
					
				
		
Thanks mate for your support. I was just checking if anyone have done it already to reduce my pain 🙂
 
					
				
		
I agree with David. Splunk is not an endpoint tool. You should use EDR tools that perform that function. And that kind of data tends to be massive and hard to search and correlate at any kind of scale even if you get raw hash values on a schedule using tools like OS query. So invest in endpoint tools that can monitor and alert just on the change.
 
					
				
		
I can see pros and cons to your argument. Introducing an endpoint tool and deploying across the estate when Splunk UF is already installed, is hard to digest. IMO, end of the day everything is data as it is just getting data into Splunk and checking if it changed from previous iteration.
