Some time ago, I had the opportunity to configure File Integrity Monitoring (FIM) on the CrowdStrike platform. The setup was relatively straightforward, except for one aspect – email alerts. When configuring notifications for file changes, I found two native options within the platform:
- Configure a Workflow: This option sends notifications whenever FileVantage detects an event. However, this could result in hundreds of emails for a single incident, overwhelming my inbox and making it impractical.
- Schedule a Report: This method provides information about changes, but the dashboard only allows reports to be delivered on a daily basis, which didn’t meet my needs.
Determined to find a better solution, I conducted some research and discovered an approach that worked for me. I’d like to share this “outside-the-box” solution with other professionals facing similar challenges. I will outline the steps that demonstrate my thought process.
Step 1: Find the Correct Event Simple Name
I started by creating a query to search the FileVantage logs and display them in the required format. I quickly identified the correct event_simpleName by searching for any file name that was logged in the FIM.
#event_simpleName=FileIntegrityMonitorRuleMatched
Step 2: Retrieve the Required Data
After running this query in the Advanced Event Search, I was able to check a single event log for the required fields. Unfortunately, some of these fields (ObjectAccessOperationType, ObjectType, PolicyRuleSeverity) were displayed in decimal format, which is not very user-friendly.
To resolve this, I found a feature called “Falcon Helper,” which simply translates these numbers into text. I added the following lines to my query:
| $falcon/helper:enrich(field=ObjectAccessOperationType)
| $falcon/helper:enrich(field=ObjectType)
| $falcon/helper:enrich(field=PolicyRuleSeverity)
Step 3: Convert the Time Format
CrowdStrike logs timestamps in Unix epoch format, which can be challenging to interpret. While the @timestamp column displays correctly in the interface, exporting results to a .csv file reverts the timestamp to epoch format.
To address this, I used the following command to convert the timestamp to a human-readable date and time:
| 1.TimeStamp := formatTime("%H:%M:%S %d-%m-%Y", field=timestamp, locale=en_IE, timezone="Europe/Dublin")
Step 4: Ensure Correct Column Order
When running a query in CrowdStrike’s Advanced Event Search, the columns are ordered as specified in the select or table command. However, in a scheduled query, the exported .csv file lists columns alphabetically.
To fix this, I renamed the columns by adding numbers and letters at the beginning to ensure they appear in the correct order:
| rename([[ComputerName, 2.ComputerName], [UserName, 3.UserName], [ObjectName, 4.ObjectName], [ObjectAccessOperationType, 5.OperationType], [ObjectType, 6.ObjectType], [FileName, 7.FileName], [CommandLine, 8.CommandLine], [UserSid, 9.UserSid], [PolicyRuleSeverity, A.Severity], [PolicyID, B.PolicyID], [PolicyRuleID, C.PolicyRuleID]])
Step 5: Display the Final Query Results
I used the select
command to display the table in the correct order:
| select([1.TimeStamp, 2.ComputerName, 3.UserName, 4.ObjectName, 5.OperationType, 6.ObjectType, 7.FileName, 8.CommandLine, 9.UserSid, A.Severity, B.PolicyID, C.PolicyRuleID])
Complete Query
The complete query should look like this:
#event_simpleName=FileIntegrityMonitorRuleMatched
| $falcon/helper:enrich(field=ObjectAccessOperationType)
| $falcon/helper:enrich(field=ObjectType)
| $falcon/helper:enrich(field=PolicyRuleSeverity)
| 1.TimeStamp := formatTime("%H:%M:%S %d-%m-%Y", field=timestamp, locale=en_IE, timezone="Europe/Dublin")
| rename([[ComputerName, 2.ComputerName], [UserName, 3.UserName], [ObjectName, 4.ObjectName], [ObjectAccessOperationType, 5.OperationType], [ObjectType, 6.ObjectType], [FileName, 7.FileName], [CommandLine, 8.CommandLine], [UserSid, 9.UserSid], [PolicyRuleSeverity, A.Severity], [PolicyID, B.PolicyID], [PolicyRuleID, C.PolicyRuleID]])
| select([1.TimeStamp, 2.ComputerName, 3.UserName, 4.ObjectName, 5.OperationType, 6.ObjectType, 7.FileName, 8.CommandLine, 9.UserSid, A.Severity, B.PolicyID, C.PolicyRuleID])
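The rename() and select() lines in Steps 4 and 5 have to agree exactly, and the prefixes only work because single digits sort before letters. The following Python script is an added example, not part of the original post or of CrowdStrike: it generates both lines from one ordered column list and checks that alphabetical .csv sorting keeps the intended order. The column list, PREFIXES and the helper names are constructed for this snippet.

```python
import string

# Desired output order after the 1.TimeStamp column: (source field, label).
# Constructed from the columns the post uses.
ORDERED_COLUMNS = [
    ("ComputerName", "ComputerName"),
    ("UserName", "UserName"),
    ("ObjectName", "ObjectName"),
    ("ObjectAccessOperationType", "OperationType"),
    ("ObjectType", "ObjectType"),
    ("FileName", "FileName"),
    ("CommandLine", "CommandLine"),
    ("UserSid", "UserSid"),
    ("PolicyRuleSeverity", "Severity"),
    ("PolicyID", "PolicyID"),
    ("PolicyRuleID", "PolicyRuleID"),
]

# One-character prefixes: in ASCII "1".."9" sort before "A".."Z", so this
# sequence survives alphabetical sorting. A plain counter does not, because
# "10." sorts before "2.".
PREFIXES = string.digits[1:] + string.ascii_uppercase


def prefixed_names(columns, first="TimeStamp"):
    """Column names with a sortable prefix; the formatTime() column comes first."""
    labels = [first] + [label for _, label in columns]
    if len(labels) > len(PREFIXES):
        raise ValueError("more columns than single-character prefixes")
    return [f"{PREFIXES[i]}.{label}" for i, label in enumerate(labels)]


def build_query_tail(columns, first="TimeStamp"):
    """Emit the rename() and select() lines from one list so they cannot drift apart."""
    names = prefixed_names(columns, first)
    pairs = ", ".join(f"[{src}, {new}]" for (src, _), new in zip(columns, names[1:]))
    return f"| rename([{pairs}])\n| select([{', '.join(names)}])"


def csv_order_preserved(names):
    """True when alphabetical .csv column sorting keeps the intended order."""
    return sorted(names) == list(names)


if __name__ == "__main__":
    names = prefixed_names(ORDERED_COLUMNS)
    print(build_query_tail(ORDERED_COLUMNS))
    print("order preserved:", csv_order_preserved(names))
    # Naive numeric prefixes break once there are more than nine columns.
    naive = [f"{i + 1}.{n.split('.', 1)[1]}" for i, n in enumerate(names)]
    print("naive numeric prefixes preserved:", csv_order_preserved(naive))
```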
Step 6: Configure the Alert Email Delivery
And finally, I followed these steps to configure the scheduled query and email alert:
- Navigate to Next-Gen SIEM -> Advanced Event Search.
- Paste the Query: Paste the query into the search window and run it to ensure you can see the required data. Don’t forget to select a time interval that actually contains logs; otherwise, nothing will be displayed.
- Schedule the Search: Select “Schedule Search” (this option may be greyed out until you run the query).
- Select Falcon: In the first window, choose the Falcon option and click “Next.”
- Name the Query: In the next window, enter a name (e.g., “File Integrity Monitoring Alert”). The query should already be in the desired field, and the .csv option should be selected by default. Click “Next.”
- Schedule the Query: In the following window, schedule the query. I chose to run it every 15 minutes, but you can select 10 or even 5 minutes if needed. I also set it to search logs from the last 20 minutes to ensure none are missed. This might cause the same log to appear in two alerts, but I found this acceptable. Click “Next” when finished.
Now, the query should run every 15 minutes and send an email only if it finds a FileVantage event.
By following these steps, you can effectively manage email alerts for file integrity monitoring in CrowdStrike, ensuring you stay informed without overwhelming your inbox.
Feel free to leave a comment!