Tripwire File Integrity Monitor¶
About¶
Tripwire File Integrity Monitoring (FIM) has the unique, built-in capability to reduce noise by providing multiple ways of determining low-risk change from high-risk change as part of assessing, prioritizing and reconciling detected change. Auto-promoting countless business-as-usual changes reduce the noise so IT has more time to investigate changes that may truly impact security and introduce risk. Tripwire uses agents to continuously capture detailed who, what, and when details in real time, to ensure that you detect all change, capture details about each one, and use those details to determine the security risk or non-compliance.
Tripwire provides the ability to integrate File Integrity Manager with many of your security controls: security configuration management (SCM), log management and SIEM. Tripwire FIM adds components that tag and manage the data from these controls more intuitively and in ways that protect data better than before.
Product Details¶
Vendor URL: Tripwire File Integrity Monitor
Product Type: Data Security
Product Tier: Tier III
Integration Method: Custom
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: TRIPWIRE_FIM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| smb_stage1, smb_uid, smb_host | additional.fields |
| metadata_description | metadata.description |
| category | metadata.product_event_type |
| product_logid | metadata.product_log_id |
| File Integrity Monitoring | metadata.product_name |
| TRIPWIRE | metadata.vendor_name |
| adminsitrative_domain | principal.administrative_domain |
| msg | principal.application |
| source_hostname | principal.asset.hostname |
| source_hostname | principal.hostname |
| source_ip | principal.ip |
| ldap_details | principal.user.group_identifiers |
| principal_user | principal.user.userid |
| msg | security_result.description |
| Task Stop,Task Run,Asset View Change,timed out,timeout,Error, prevented | security_result.action |
| application | target.application |
| target_hostname | target.asset.hostname |
| os | target.asset.platform_software.platform |
| filepath | target.file.full_path |
| NodeName | target.hostname |
| NodeIp | target.ip |
| processes | target.labels |
| process_id | target.process.pid |
| registry_key | target.registry.registry_key |
| registry_value | target.registry.registry_value_data |
| software_update | target.resource.name |
| SETTING or TASK | target.resource.resource_type |
| ldap_details | target.user.group_identifiers |
| loguser | target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Element Check | SCAN_HOST |
| process_id | PROCESS_INJECTION |
| rules | NETWORK_CONNECTION |
| shut down | SERVICE_STOP |
| Task Run | SCHEDULED_TASK_UNCATEGORIZED |
| Asset View Change | STATUS_UNCATEGORIZED |
| Security | USER_LOGIN |
| All Other Events | GENERIC_EVENT |
| Action | STATUS_STARTUP |
| softare_update | STATUS_UPDATE |
| Change,Node Change,Policy Score Change | RESOURCE_WRITTEN |
| HKEY | REGISTRY_MODIFICATION |
| Audit Event != CN | RESOURCE_DELETION |
| all other Audit Events | GROUP_MODIFICATION |
| CN= or OU= | USER_UNCATEGORIZED |
| Removed | FILE_DELETION |
| Modified | FILE_MODIFICATION |
| Added | FILE_CREATION |
Log Sample¶
May 10 15:19:11 2022-05-10 15: 19:11 hostname.subdomain.domain.com Tripwire: Removed C:\Windows\System32\drivers\CrowdStrike\C-00000009-00006999-00007000.sys on hostname2.secured.domain.com by Windows - Critical System Files -
Sample Parsing¶
metadata.event_timestamp = "2022-05-10T19:19:11Z"
metadata.event_type = "FILE_DELETION"
metadata.vendor_name = "TRIPWIRE"
metadata.product_name = "File Integrity Monitoring"
principal.hostname = "hostname.subdomain.domain.com"
principal.asset.hostname = "hostname.subdomain.domain.com"
target.hostname = "hostname2.secured.domain.com"
target.file.full_path = "C:\Windows\System32\drivers\CrowdStrike\C-00000009-00006999-00007000.sys"
target.asset.hostname = "hostname2.secured.domain.com"
target.asset.platform_software.platform = "WINDOWS"
security_result.description = "Tripwire: Removed C:\Windows\System32\drivers\CrowdStrike\C-00000009-00006999-00007000.sys on hostname2.secured.domain.com by Windows - Critical System Files -"
security_result.action = "ALLOW"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon