How to Configure Email Alerts for CrowdStrike File Integrity Monitoring (FileVantage)

Some time ago, I had the opportunity to configure File Integrity Monitoring (FIM) on the CrowdStrike platform. The setup was relatively straightforward, except for one aspect – email alerts. When configuring notifications for file changes, I found two native options within the platform:

  1. Configure a Workflow: This option sends notifications whenever FileVantage detects an event. However, this could result in hundreds of emails for a single incident, overwhelming my inbox and making it impractical.
  2. Schedule a Report: This method provides information about changes, but the dashboard only allows reports to be delivered on a daily basis, which didn’t meet my needs.

Determined to find a better solution, I conducted some research and discovered an approach that worked for me. I’d like to share this “outside-the-box” solution with other professionals facing similar challenges. I will outline the steps that demonstrate my thought process.

Step 1: Find the Correct Event Simple Name

I started by creating a query to search the FileVantage logs and display them in the required format. I quickly identified the correct event_simpleName by searching for any file name that was logged in the FIM.

#event_simpleName=FileIntegrityMonitorRuleMatched

Step 2: Retrieve the Required Data

After running this query in the Advanced Event Search, I was able to check a single event log for the required fields. Unfortunately, some of these fields (ObjectAccessOperationType, ObjectType, PolicyRuleSeverity) were displayed in decimal format, which is not very user-friendly.

To resolve this, I found a feature called “Falcon Helper,” which simply translates these numbers into text. I added the following lines to my query:

| $falcon/helper:enrich(field=ObjectAccessOperationType)
| $falcon/helper:enrich(field=ObjectType)
| $falcon/helper:enrich(field=PolicyRuleSeverity)

Step 3: Convert the Time Format

CrowdStrike logs timestamps in Unix epoch format, which can be challenging to interpret. While the @timestamp column displays correctly in the interface, exporting results to a .csv file reverts the timestamp to epoch format.

To address this, I used the following command to convert the timestamp to a human-readable date and time:

| 1.TimeStamp := formatTime("%H:%M:%S %d-%m-%Y", field=timestamp, locale=en_IE, timezone="Europe/Dublin")

Step 4: Ensure Correct Column Order

When running a query in CrowdStrike’s Advanced Event Search, the columns are ordered as specified in the select or table command. However, in a scheduled query, the exported .csv file lists columns alphabetically.

To fix this, I renamed the columns by adding numbers and letters at the beginning to ensure they appear in the correct order:

| rename([[ComputerName, 2.ComputerName], [UserName, 3.UserName], [ObjectName, 4.ObjectName], [ObjectAccessOperationType, 5.OperationType], [ObjectType, 6.ObjectType], [FileName, 7.FileName], [CommandLine, 8.CommandLine], [UserSid, 9.UserSid], [PolicyRuleSeverity, A.Severity], [PolicyID, B.PolicyID], [PolicyRuleID, C.PolicyRuleID]])

Step 5: Display the Final Query Results

I used the select command to display the table in the correct order:

| select([1.TimeStamp, 2.ComputerName, 3.UserName, 4.ObjectName, 5.OperationType, 6.ObjectType, 7.FileName, 8.CommandLine, 9.UserSid, A.Severity, B.PolicyID, C.PolicyRuleID])

Complete Query

The complete query should look like this:

#event_simpleName=FileIntegrityMonitorRuleMatched
| $falcon/helper:enrich(field=ObjectAccessOperationType)
| $falcon/helper:enrich(field=ObjectType)
| $falcon/helper:enrich(field=PolicyRuleSeverity)
| 1.TimeStamp := formatTime("%H:%M:%S %d-%m-%Y", field=timestamp, locale=en_IE, timezone="Europe/Dublin")
| rename([[ComputerName, 2.ComputerName], [UserName, 3.UserName], [ObjectName, 4.ObjectName], [ObjectAccessOperationType, 5.OperationType], [ObjectType, 6.ObjectType], [FileName, 7.FileName], [CommandLine, 8.CommandLine], [UserSid, 9.UserSid], [PolicyRuleSeverity, A.Severity], [PolicyID, B.PolicyID], [PolicyRuleID, C.PolicyRuleID]])
| select([1.TimeStamp, 2.ComputerName, 3.UserName, 4.ObjectName, 5.OperationType, 6.ObjectType, 7.FileName, 8.CommandLine, 9.UserSid, A.Severity, B.PolicyID, C.PolicyRuleID])

Step 6: Configure the Alert Email Delivery

And finally, I followed these steps to configure the scheduled query and email alert:

  1. Navigate to Next-Gen SIEM -> Advanced Event Search.
  2. Paste the Query: Paste the query into the search window and run it to ensure you can see the required data. Don’t forget to select a time interval that actually contains logs; otherwise, nothing will be displayed.
  3. Schedule the Search: Select “Schedule Search” (this option may be greyed out until you run the query).
  4. Select Falcon: In the first window, choose the Falcon option and click “Next.”
  5. Name the Query: In the next window, enter a name (e.g., “File Integrity Monitoring Alert”). The query should already be in the desired field, and the .csv option should be selected by default. Click “Next.”
  6. Schedule the Query: In the following window, schedule the query. I chose to run it every 15 minutes, but you can select 10 or even 5 minutes if needed. I also set it to search logs from the last 20 minutes to ensure none are missed. This might cause the same log to appear in two alerts, but I found this acceptable. Click “Next” when finished.

Now, the query should run every 15 minutes and send an email only if it finds a FileVantage event.
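Two details of this setup are worth checking outside the console: the column-prefix trick from Step 4 only works because digits sort before letters when the scheduled .csv is ordered alphabetically (a scheme that reaches "10." breaks), and the 20-minute lookback on a 15-minute schedule from Step 6 exports the same event twice. The following Python script is an added example, not from the original post or from CrowdStrike; the two exports and their values (hosts, paths, operation names) are constructed, and the dedupe key is an assumption about which columns identify one FileVantage event.

```python
import csv
import io

# Column names exactly as the rename()/select() steps in the query produce them.
INTENDED_ORDER = [
    "1.TimeStamp", "2.ComputerName", "3.UserName", "4.ObjectName",
    "5.OperationType", "6.ObjectType", "7.FileName", "8.CommandLine",
    "9.UserSid", "A.Severity", "B.PolicyID", "C.PolicyRuleID",
]


def survives_alphabetical_sort(columns):
    """The scheduled-search .csv orders columns alphabetically, so a prefix
    scheme only works if sorting the names reproduces the intended order."""
    return sorted(columns) == list(columns)


# Constructed exports from two consecutive runs (15-minute schedule, 20-minute
# lookback): the 10:14:52 event falls inside both windows and appears twice.
# Only the columns needed for the dedupe key are shown.
EXPORT_1 = """1.TimeStamp,2.ComputerName,4.ObjectName,5.OperationType,A.Severity
10:14:52 03-07-2024,WS-042,C:\\Windows\\System32\\drivers\\etc\\hosts,Write,High
"""
EXPORT_2 = """1.TimeStamp,2.ComputerName,4.ObjectName,5.OperationType,A.Severity
10:14:52 03-07-2024,WS-042,C:\\Windows\\System32\\drivers\\etc\\hosts,Write,High
10:27:03 03-07-2024,SRV-07,C:\\inetpub\\wwwroot\\web.config,Delete,Critical
"""


def merge_exports(*csv_texts):
    """Merge consecutive alert exports, dropping rows already seen earlier.
    Key assumption: formatted timestamp + host + object + operation identifies
    one FileVantage event across overlapping search windows."""
    seen, merged = set(), []
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["1.TimeStamp"], row["2.ComputerName"],
                   row["4.ObjectName"], row["5.OperationType"])
            if key not in seen:
                seen.add(key)
                merged.append(row)
    return merged
```

If you later need more than twelve columns, keep the prefixes single-character (continue with D., E., ...) rather than moving to two-digit numbers, or the alphabetical export will reorder them.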

By following these steps, you can effectively manage email alerts for file integrity monitoring in CrowdStrike, ensuring you stay informed without overwhelming your inbox.

Feel free to leave any comment!
