Monitoring File Changes with Falcon FileVantage
Due to compliance regulations, many organizations have a need to monitor key assets for changes made to certain files, folders or registry settings. File Integrity Monitoring (FIM) can be a daunting deployment that requires yet another solution in the security stack. As a cloud delivered platform, CrowdStrike leverages a single light-weight agent to address a number of security challenges including FIM.
CrowdStrike’s FileVantage module helps organizations meet compliance requirements by comprehensively monitoring file, folder, and registry modifications while also simplifying the security stack. Through the easy to use Falcon interface, FileVantage provides visibility to changes on critical assets that are also prioritized based on the configured severity level. Intuitive dashboards like this help organizations quickly identify and address issues based on severity, category and change type.
Custom Policies and Assignment
The dashboard is populated based on flexible policies and rules. The rule groups themselves are defined in two categories with one focused on files and directories, while the other looks at registry changes.
Within a given rule group, rules can be added, edited, sorted and deleted.
Rules can be created to monitor specific changes along with customization options to prioritize events and reduce alert fatigue. As an example, this rule monitors for any type of change to the Demo directory and identifies those as low severity. However, it excludes any changes to log files. The checkbox options can be used to tune the rule to specific directory and file actions.
Once the rule groups are set up, they can be added to a policy. Those policies are then assigned to designated host groups. With granular, group based assignment, organizations can ensure that the correct file integrity policies are in place for different servers and workloads based on their critical nature and function.
Once the policies are defined and applied to host groups, any associated changes will be reported via the same, consolidated Falcon UI. Drilling down on the dashboard provides the supporting details which are also available from the menu under “Changes”. This list of file changes can be filtered using the options at the top.
By changing the filters to focus on changes to a specific host and user, the list reveals events related to the custom rule shown above for the demo directory. For each change, there are details including hostname, object and path.
Organizations can also leverage Falcon Fusion workflows to set up automated responses to these events. Those responses can include containment, enrichment, and Real Time Response actions as well as notifications like webhooks, ServiceNow incidents and messages via email, Teams or slack. Workflows can be configured as automatic or manual as shown below.
Falcon FileVantage is a robust file integrity monitoring solution that offers the streamlined, central visibility that organizations need to satisfy compliance requirements. Security Operations teams can not only identify and prioritize any changes to critical files folders and registries, but they can also leverage automated responses and notifications based on the nature of those changes.