NXLog File Integrity Monitoring
About
File integrity monitoring (FIM) detects changes to files and directories. A file may be altered by an update to a newer version, a security breach, or data corruption. File integrity monitoring helps an organization respond quickly and effectively to unexpected changes to files and is therefore a standard requirement of many regulatory compliance objectives.
Product Details
Vendor URL: NXLog
Product Type: Security
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Cyderes Documentation
Log Guide: NXLog Docs
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: NXLOG_FIM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Digest | target.file.sha1 |
| EventTime | metadata.event_timestamp |
| EventType | metadata.product_event_type |
| FileName | target.file.names |
| FileSize | target.file.size |
| Hostname | principal.hostname |
| IpAddress | principal.ip |
| Object | target.resource.resource_subtype |
| PrevDigest | target.resource.attribute.labels |
| PrevFileName | target.resource.attribute.labels |
| PrevFileSize | target.resource.attribute.labels |
| PrevModificationTime | additional.fields |
| PrevValueSize | target.resource.attribute.labels |
| RegistryValueName | target.file.full_path |
| Severity | security_result.severity_details |
| Severity | security_result.severity |
| SourceModuleName | principal.resource.name |
| SourceModuleType | principal.resource.resource_subtype |
| ValueSize | target.file.size |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| DELETE | FILE_DELETION |
| NEW | FILE_CREATION |
| RENAME, CHANGE | FILE_MODIFICATION |
| Else (any other value) | FILE_UNCATEGORIZED |

Log Sample
{"EventTime":"2024-07-17T11:52:15.578104-05:00","EventType":"CHANGE","Object":"FILE","PrevFileName":"c:\\program files (x86)\\visualcron\\settings\\jobs.xml","PrevModificationTime":"2024-07-17T10:54:31.341312-05:00","FileName":"c:\\program files (x86)\\visualcron\\settings\\jobs.xml","ModificationTime":"2024-07-17T11:48:14.568444-05:00","PrevFileSize":620751,"FileSize":620748,"DigestName":"SHA1","Digest":"a124hdq3738dhuf34374hf474938fjfj16384hfjebf","PrevDigest":"b46ec95d7a2cb6c827feb5e5a110f879e3eba492","Severity":"WARNING","SeverityValue":3,"EventReceivedTime":"2024-07-17T11:52:15.578104-05:00","SourceModuleName":"fim","SourceModuleType":"im_fim","Hostname":"JOHNDOE.corp.example.com","IpAddress":"10.0.0.0"}
Sample Parsing
additional.fields["PrevModificationTime"] = "2024-07-17T10:54:31.341312-05:00"
metadata.event_type = "FILE_MODIFICATION"
metadata.product_event_type = "CHANGE"
metadata.product_name = "File Integrity Monitoring"
metadata.vendor_name = "NXLOG"
principal.hostname = "JOHNDOE.corp.example.com"
principal.ip = "10.0.0.0"
principal.resource.name = "fim"
principal.resource.type = "im_fim"
security_result.severity = "MEDIUM"
security_result.severity_details = "WARNING"
target.file.names = "c:\\program files (x86)\\visualcron\\settings\\jobs.xml"
target.file.sha1 = "a124hdq3738dhuf34374hf474938fjfj16384hfjebf"
target.file.size = 620748
target.resource.attribute.labels.key = "PrevFileName"
target.resource.attribute.labels.value = "c:\\program files (x86)\\visualcron\\settings\\jobs.xml"
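As an added example (not code from NXLog or from the Cyderes parser), a Python reference normalizer that applies the field table and event classification above to the sample line and returns the UDM key/value pairs shown in the sample parsing. The UNKNOWN_SEVERITY fallback for severities the page does not document and the content_changed triage helper are assumptions of this example.

```python
import json

# Constructed sample: the CHANGE event from the log sample above (placeholder digests as on the page).
SAMPLE_LINE = (
    r'{"EventTime":"2024-07-17T11:52:15.578104-05:00","EventType":"CHANGE","Object":"FILE",'
    r'"PrevFileName":"c:\\program files (x86)\\visualcron\\settings\\jobs.xml",'
    r'"PrevModificationTime":"2024-07-17T10:54:31.341312-05:00",'
    r'"FileName":"c:\\program files (x86)\\visualcron\\settings\\jobs.xml",'
    r'"PrevFileSize":620751,"FileSize":620748,"Digest":"a124hdq3738dhuf34374hf474938fjfj16384hfjebf",'
    r'"PrevDigest":"b46ec95d7a2cb6c827feb5e5a110f879e3eba492","Severity":"WARNING",'
    r'"SourceModuleName":"fim","SourceModuleType":"im_fim","Hostname":"JOHNDOE.corp.example.com","IpAddress":"10.0.0.0"}'
)
EVENT_TYPE_MAP = {"DELETE": "FILE_DELETION", "NEW": "FILE_CREATION",
                  "RENAME": "FILE_MODIFICATION", "CHANGE": "FILE_MODIFICATION"}
# Only WARNING -> MEDIUM is documented on this page; any other value falls back to
# UNKNOWN_SEVERITY, which is an assumption of this example, not of the parser.
SEVERITY_MAP = {"WARNING": "MEDIUM"}
LABEL_FIELDS = ("PrevDigest", "PrevFileName", "PrevFileSize", "PrevValueSize")

def normalize(line: str) -> dict:
    """Map one NXLog FIM JSON line onto the UDM fields listed in the parser table."""
    ev = json.loads(line)
    udm = {
        "metadata.event_type": EVENT_TYPE_MAP.get(ev.get("EventType"), "FILE_UNCATEGORIZED"),
        "metadata.product_event_type": ev.get("EventType"),
        "metadata.event_timestamp": ev.get("EventTime"),
        "metadata.product_name": "File Integrity Monitoring",
        "metadata.vendor_name": "NXLOG",
        "principal.hostname": ev.get("Hostname"),
        "principal.ip": ev.get("IpAddress"),
        "principal.resource.name": ev.get("SourceModuleName"),
        "principal.resource.resource_subtype": ev.get("SourceModuleType"),  # per the field table
        "security_result.severity_details": ev.get("Severity"),
        "security_result.severity": SEVERITY_MAP.get(ev.get("Severity"), "UNKNOWN_SEVERITY"),
        "target.resource.resource_subtype": ev.get("Object"),
        "target.file.sha1": ev.get("Digest"),
        # FILE events carry FileName/FileSize; registry events carry RegistryValueName/ValueSize.
        "target.file.names": ev.get("FileName"),
        "target.file.full_path": ev.get("RegistryValueName"),
        "target.file.size": ev.get("FileSize", ev.get("ValueSize")),
        "target.resource.attribute.labels": [{"key": k, "value": ev[k]} for k in LABEL_FIELDS if k in ev],
        "additional.fields": {k: ev[k] for k in ("PrevModificationTime",) if k in ev},
    }
    return {k: v for k, v in udm.items() if v not in (None, [], {})}

def content_changed(line: str) -> bool:
    """True when the digest differs from the previous one, i.e. content (not just metadata) changed."""
    ev = json.loads(line)
    return "PrevDigest" in ev and ev.get("Digest") != ev.get("PrevDigest")
```

Running normalize(SAMPLE_LINE) reproduces the sample parsing values above; content_changed is a triage aid for separating real content modifications from metadata-only CHANGE events.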