Cortex XDR File Integrity Monitoring for PCI-DSS

Some time ago, I was assigned the task of implementing a File Integrity Monitoring (FIM) solution for PCI-DSS compliance. At that time, I was managing Cortex XDR as the company’s Endpoint Protection, but it did not include a dedicated FIM module. Although purchasing a new program would have been the simplest solution, I wanted to avoid unnecessary costs and the additional maintenance required for another agent on our servers.

During my research, I found a whitepaper titled Palo Alto Networks Cortex XDR and PCI Compliance, which states:

This whitepaper confirmed that FIM could be achieved using our existing Endpoint Protection. However, I faced two challenges:

  1. Creating BIOC rules.
  2. Determining what to monitor for changes.

The first issue was relatively straightforward. I appreciate the intuitive interface of Palo Alto Cortex XDR, which makes everything easy to find. The XQL language is simple to learn, and the reliability of the endpoint agents and dashboard is excellent.

The second issue was more complex. Unlike dedicated FIM solutions that come with templates, I had to find a source for the necessary information. Eventually, I found guidance in the article File Integrity Monitoring in Microsoft Defender for Cloud.

I adapted these instructions to create BIOC rules and now want to share my experience with others facing similar challenges. Here’s a detailed guide on using Cortex XDR BIOC rules for PCI-DSS File Integrity Monitoring.

Monitoring Important Logs BIOC Rule

Many FIM implementation guides recommend not monitoring log changes due to the noise they create. However, PCI-DSS 4.0 standard 10.3.4 requires it so I created the following BIOC rule that, after creating correct exclusions, alerts only when someone manually modifies logs, which I found effective.

  1. Navigate to Detection Rules -> BIOC
  2. Select Add BIOC option
  1. Select File
  1. On the BIOC-number page
  • Select create, rename, delete and write options
  • In the PATH field add following (adjust for your environment)
*:\Windows\System32\winevt\Logs*|*:\Windows\System32\dns\*|*\Windows\System32\dhcp\*|*:\inetpub\logs\LogFiles\*|*:\Microsoft SQL Server\MSSQL*\MSSQL\Log\*
  • In the HOST NAME field add the servers you want to monitor, e.g.:
SERVER1|SERVER2|SERVER3
  1. You may use the Test button to check the rule, but be cautious if you have an “Automation Rule” that triggers a computer scan after detection.
  2. Press Save.
  3. In the next window:
  • Name: Enter the rule name.
  • Type: Select an appropriate option; I chose “Tampering.”
  • Severity: You may start with low and increase it later, especially if you have a scanning “Automation Rule.”
  • OK

It should now be listed under BIOC Rules.

Exclusions

Some FIM rules generate a lot of noise initially, so exclusions might be needed. Ensure exclusions meet QSA requirements and conduct a documented risk assessment. You may set one rule at a time, monitor it, and then proceed to the next.

  1. Navigate to Settings -> Exceptions Configuration
  1. Select IOC/BIOC Suppression Rules
  1. Select Add Rule -> Create New
  1. On the General step, enter the Rule Name and press Next.
  1. In Rule Conditions, fill in the following fields:
  • Define the exception criteria— in this case, it is the User Name.
  • Tick BIOC.
  • Select Specific BIOC and add the name of the rule you created.
  • OK
  1. Press Next, review the Summary, and press Create.

Create as many exclusions as required. They should now be listed under IOC/BIOC Suppression Rules.

Monitoring Critical System Files BIOC Rule

  1. Navigate to Detection Rules -> BIOC.
  2. Select Add BIOC option.
  3. Select File.
  4. On the BIOC-number page:
  • Select create, rename, delete, write options.
  • In the PATH add following (adjust as needed):
*:\autoexec.bat|*:\boot.ini|*:\config.sys|*:\Windows\system.ini|*:\Windows\win.ini|*:\Windows\regedit.exe|*:\Windows\System32\userinit.exe|*:\Windows\explorer.exe|*:\Program Files\Microsoft Security Client\msseces.exe
  • In the HOST NAME field, add servers, e.g.,
SERVER1|SERVER2|SERVER3
  1. You may use the Test button to check the rule.
  2. Press Save
  3. Complete the rule creation by filling in Name, Type, and Severity fields.

Monitoring Company Applications BIOC Rule

  1. Navigate to Detection Rules -> BIOC.
  2. Select Add BIOC option.
  3. Select File.
  4. On the BIOC-number page:
  • Select create, rename, delete, write options.
  • In the PATH add applications folders, e.g.:
*:\CompanyWebApp\*
  • In the HOST NAME field, add servers, e.g.,
SERVER1|SERVER2|SERVER3
  1. You may use the Test button to check the rule.
  2. Press Save
  3. Complete the rule creation by filling in Name, Type, and Severity fields.

Monitoring Windows Registry BIOC Rule

  1. Navigate to Detection Rules -> BIOC.
  2. Select Add BIOC option.
  3. Select Registry.
  1. On the BIOC-number page:
  • Select All actions.
  • Add the registry keys you want to monitor in the KEY NAME filed. You may use following, which is based on the Microsoft article.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{C689AAB8-8E78-11D0-8C47-00C04FC295EE}|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{603BCC1F-4B59-4E08-B724-D2C6297EF351}|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\SYSTEM.ini\boot|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{C689AAB8-8E78-11D0-8C47-00C04FC295EE}|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{603BCC1F-4B59-4E08-B724-D2C6297EF351}|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices|HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • In the HOST NAME field, add servers, e.g.,
SERVER1|SERVER2|SERVER3
  1. You may use the Test button to check the rule.
  2. Press Save
  3. Complete the rule creation by filling in Name, Type, and Severity fields.

Four rules should now be listed.

After creating all rules, you will have a comprehensive monitoring system. It may take some time to set up all exclusions, but BIOC rules will notify you only if someone changes monitored files, folders, or registry keys.

I hope this guide is helpful to those facing similar challenges. Please leave any comments or questions below.

Share Us

Leave a Reply

Your email address will not be published. Required fields are marked *