CrowdStrike’s FileVantage Feature and How to Set Policy.

Hello everyone. In this article, I am gonna talk about CrowdStrike’s FileVantage feature and how we can set a FIM rule.

https://www.crowdstrike.com/blog/introducing-falcon-filevantage/

CrowdStrike Falcon FileVantage is a file integrity monitoring (FIM) solution that offers central visibility and deep-level contextual data around changes made to relevant files and systems across your organization.* It leverages the same lightweight agent used for the Falcon platform.

Falcon FileVantage offers the following benefits:

  • Central visibility into all critical file changes
  • Added insight from threat intelligence data
  • Increased overall efficiency

Falcon FileVantage is a valuable tool for organizations of all sizes that are looking to improve their security posture. It can help you to identify and respond to threats more quickly, and it can also help you to meet compliance requirements.

Here are some of the key features of Falcon FileVantage:

  • Central visibility: Falcon FileVantage provides a central view of all file changes across your organization. This makes it easy to identify and investigate suspicious activity.
  • Added insight from threat intelligence data: Falcon FileVantage leverages CrowdStrike’s threat intelligence data to provide context for file changes. This can help you to quickly identify and respond to threats.
  • Increased overall efficiency: Falcon FileVantage can help you to reduce alert fatigue by prioritizing changes based on their severity. This frees up your security team to focus on the most important threats.

If you are looking for a comprehensive FIM solution, then Falcon FileVantage is a great option. It is easy to use, it provides deep visibility into your environment, and it can help you to improve your security posture.


Let’s take a look at FileVantage in the interface. To go to our FileVantage Dashboard:

FileVantage’s dashboard gives us various information through many different widgets. Some of those are:

  • Process with Most Changes: The table that shows which process made the most changes.
  • Host with Most Changes: The table that shows which host made the most changes.
  • Users with Most Changes: The table that shows which user made the most changes.
  • Rules with Most Changes: The table that shows which rules have the most changes.

There are a few points that should be noted, some of which are:

  • We can only monitor changes on Windows and Linux systems.
  • The objects we can monitor for changes are files, directories, registry keys, and registry values.

Now let’s take a look at how to write the rules that give these change alerts.

1- First, let’s create a Rule Group. In these rule groups, we set which values to watch for changes.

2- At this point, we see the Files & Directories and Windows Registry Keys rule groups for Windows and Linux, which come by default. Let’s create our own rule group by clicking the relevant button.

3- We choose which type of change we’re gonna write the rule group for. In our example, I created a rule group for Files & Directories (Windows).

4- After clicking Add Rule on the next screen, we see the area where we define the rule.

To explain these areas:

  • 1- We will enter the Path where we will check the changes. (Note: Filesystem path must end with “\”)
  • 2- Select the number of directory levels to monitor below the Path
  • 3- What level of detection should this rule generate when triggered?
  • 4- Which changes should it monitor as Directory and File?
  • 5- Files and folders you want to include. (Note: For files, use the format *.txt, For folders, use the format: folder)
  • 6- Files and folders we want to exclude. (Note: For files, use the format *.txt, For folders, use the format: folder)

5- Then let’s use this Rule Group we created in a policy.

6- Let’s create a new policy.

7- Let’s give the policy a name and choose which OS to apply it to.

8- Then, let’s assign our previously created Rule Group to our Policy.

9- Next, we choose which Host Group(s) we will assign our Policy to.

10- Another setting we can configure is Scheduled Exclusion. With this setting, starting from a chosen time or during a chosen time interval for this policy:

  • No detection is produced for changes made by particular process(es), reducing FP cases.
    (Example: **\RunMe.exe excludes changes made by RunMe.exe in any location)
    Note: If you don’t enter any processes, the exclusion covers changes made by all processes.
  • No detection is generated for changes made by Specific Users, reducing FP cases.
    (Example: admin* excludes changes made by all usernames that begin with admin)
    Note: If you don’t enter any usernames, the exclusion covers changes made by all users.

11- Finally, let’s not forget to enable our policy. Click the Enable Policy button.
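
To reason about what a rule and a scheduled exclusion will cover before enabling the policy, the following Python model of the rule fields from step 4 and the exclusion from step 10 can be run offline; it is an added example, not code from the original article or from CrowdStrike. The class and function names, the reading of depth (1 = direct children only), case-insensitive wildcard matching, the requirement that both process and user filters match, and the sample values are assumptions for illustration, and the sensor's real matching logic may differ.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

def matches(value, patterns):
    # Case-insensitive wildcards; "*" also spans "\", so "**\x.exe" means any location.
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

@dataclass
class Rule:  # simplified model of rule-form fields 1, 2, 5 and 6
    path: str
    depth: int
    include: list = field(default_factory=lambda: ["*"])
    exclude: list = field(default_factory=list)
    def __post_init__(self):
        if not self.path.endswith("\\"):
            raise ValueError("filesystem path must end with a backslash")
    def covers(self, changed):
        base = PureWindowsPath(self.path.lower())
        target = PureWindowsPath(changed.lower())
        if base not in target.parents:
            return False
        parts = target.relative_to(base).parts
        if len(parts) > self.depth:  # assumption: depth 1 = direct children only
            return False
        if any(matches(p, self.exclude) for p in parts):
            return False
        return matches(parts[-1], self.include)

@dataclass
class ScheduledExclusion:  # simplified model of step 10
    start: datetime
    end: datetime = None                           # None = open-ended
    processes: list = field(default_factory=list)  # empty = all processes
    users: list = field(default_factory=list)      # empty = all users
    def suppresses(self, when, process, user):
        in_window = self.start <= when and (self.end is None or when <= self.end)
        return (in_window
                and (not self.processes or matches(process, self.processes))
                and (not self.users or matches(user, self.users)))

def would_alert(rule, exclusions, changed, when, process, user):
    return rule.covers(changed) and not any(
        e.suppresses(when, process, user) for e in exclusions)

# Constructed sample values, mirroring the article's System32 test.
RULE = Rule(path="C:\\Windows\\System32\\", depth=1, exclude=["*.log"])
NIGHTLY = ScheduledExclusion(datetime(2024, 1, 1, 22), datetime(2024, 1, 2, 2),
                             processes=["**\\RunMe.exe"])
```

An exclusion with empty process and user lists suppresses every detection in its window, so a broad or open-ended window is a monitoring blind spot worth reviewing before the policy is enabled.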


Let’s test our policy.

1- As we mentioned in Rule Group, I created a folder called Test in the C:\Windows\System32 directory.

2- Then, when we check the Detections, we see that the relevant alert has been generated.

Stay Tuned for my other articles.

Source: *https://www.crowdstrike.com/resources/data-sheets/falcon-filevantage-for-security-operations

