Monitor files on assets by hash

This article shows how to create an alert that checks, by SHA-256 hash, that the files and configuration items that must be present on your assets are actually there.


  • Create a CSV file with the following columns, in this order:
    • indicator: the SHA-256 hash of the file
    • indicator_type: SHA-256 (do not change)
    • category: the category name
    • description: the file path on the asset

Query
indicator,indicator_type,category,description
047ba849dddb852be8244c997a458e6870f9c4b9c2ffafed67a3d30030931eea,SHA-256,mandatory_files,/etc/sudo-ldap.conf
0444c33410ee449e062fb6aa1ae604e10faf22eb7724b758dbd276c8c8516977,SHA-256,mandatory_files,/etc/sudo.conf
dbe696add0d4c25420245c2062a7cbd853e81e8bf062bda02fa943adb1aae30f,SHA-256,mandatory_files,/etc/mtab
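The CSV above is usually produced from a known-good reference host rather than typed by hand. The following script is an added example, not part of this article or the product, showing how to hash a staging tree and emit rows in exactly the column layout the threat-source import expects. The `demo()` function, the staging directory and the file contents it writes are constructed for illustration.

```python
import csv
import hashlib
import io
import os
import tempfile

# Column order the threat-source CSV import expects (taken from the article).
CSV_FIELDS = ["indicator", "indicator_type", "category", "description"]


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_indicator_rows(paths, category, root="/"):
    """One row per mandatory file: hash as indicator, the fixed SHA-256
    indicator_type, the chosen category, and the on-asset path as description.
    `root` lets us hash a staging copy while recording the path the asset will have."""
    rows = []
    for asset_path in paths:
        local = os.path.join(root, asset_path.lstrip("/"))
        rows.append({
            "indicator": sha256_of_file(local),
            "indicator_type": "SHA-256",   # must stay exactly this value
            "category": category,
            "description": asset_path,     # path as it appears on the asset
        })
    return rows


def rows_to_csv(rows):
    """Render the rows as CSV text with the header line the import expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def demo():
    # Constructed staging tree standing in for a golden reference host.
    sample = {
        "/etc/sudo.conf": b"# constructed sample sudo.conf\nPlugin sudoers_policy sudoers.so\n",
        "/etc/mtab": b"# constructed sample mtab\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for asset_path, data in sample.items():
            full = os.path.join(root, asset_path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        rows = build_indicator_rows(sorted(sample), "mandatory_files", root=root)
        return rows, rows_to_csv(rows)


if __name__ == "__main__":
    _, text = demo()
    print(text)
```

Run it against a real reference host by calling `build_indicator_rows` with `root="/"` and the list of mandatory paths; the `description` column must carry the path as the asset sees it, because the alert rule joins on that exact string.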

  • Go to Configuration - Threat Sources - Create and upload the CSV file.
  • Go to Configuration - Query Packs - Create and create a query pack with two queries that check for the specific paths, one against the hash table and one against the file table. For each query in the query pack a new table is created, named using the convention "qp_{query pack name}_{query name}".


Query
SELECT * 
FROM hash 
WHERE path IN ( '/etc/sudo-ldap.conf', '/etc/sudo.conf', '/etc/mtab' ) 

Query
SELECT *
FROM file 
WHERE path IN ( '/etc/sudo-ldap.conf', '/etc/sudo.conf', '/etc/mtab' )

  • Assign the query pack to the assets as described in this article.
  • Create the alert rule using the following script as the template. The script uses the 'ubuntu' tag and the 'qp_mandatory_files_q_hash' query pack table (the table for query 'q_hash' in query pack 'mandatory_files', per the naming convention above).
    Query
    WITH assets AS (SELECT DISTINCT upt_asset_id
                    FROM upt_asset_tags tags
                    WHERE tag = 'ubuntu'),
         files AS (SELECT description AS path_exp,
                          indicator AS sha256_exp
                   FROM upt_threat_indicators
                   WHERE category = 'mandatory_files'),
         hash AS (SELECT upt_asset_id,
                         path,
                         Max_by(sha256, upt_time) sha256
                  FROM qp_mandatory_files_q_hash
                  GROUP BY 1, 2)
    SELECT 'medium' AS severity,
           'asset missing mandatory file' AS description,
           a.upt_asset_id,
           CURRENT_TIMESTAMP AS time,
           f.path_exp AS KEY,
           CASE
             WHEN f.sha256_exp = h.sha256 THEN 'file exists with expected hash'
             WHEN h.sha256 IS NULL THEN 'expected file doesnt exist'
             WHEN f.sha256_exp != h.sha256 THEN 'file exists with unexpected hash'
           END AS value
    FROM assets a
    CROSS JOIN files f
    LEFT JOIN hash h
      ON a.upt_asset_id = h.upt_asset_id
     AND f.path_exp = h.path
    WHERE sha256_exp <> COALESCE(sha256, '123')
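To see which rows the rule actually produces, the following added example (not part of the article or the product) runs the same CTE logic over constructed sample tables in an in-memory SQLite database. It assumes only the column names used in the rule above; the hashes, hostnames and snapshot times are made up. SQLite has no `max_by`, so the `hash` CTE uses `MAX(upt_time)` with a bare `sha256` column, which SQLite resolves from that newest row; `CURRENT_TIMESTAMP` is left out so the result is deterministic.

```python
import sqlite3

# Constructed sample hashes (not real file hashes).
H_SUDO = "a" * 64
H_MTAB = "b" * 64
H_TAMPERED = "c" * 64

ALERT_SQL = """
WITH assets AS (
    SELECT DISTINCT upt_asset_id FROM upt_asset_tags WHERE tag = 'ubuntu'
),
files AS (
    SELECT description AS path_exp, indicator AS sha256_exp
    FROM upt_threat_indicators WHERE category = 'mandatory_files'
),
hash AS (
    -- stand-in for Max_by(sha256, upt_time): SQLite takes the bare sha256
    -- column from the row holding MAX(upt_time), i.e. the newest snapshot
    SELECT upt_asset_id, path, sha256, MAX(upt_time) AS upt_time
    FROM qp_mandatory_files_q_hash GROUP BY 1, 2
)
SELECT 'medium' AS severity,
       'asset missing mandatory file' AS description,
       a.upt_asset_id,
       f.path_exp AS "key",
       CASE
         WHEN f.sha256_exp = h.sha256 THEN 'file exists with expected hash'
         WHEN h.sha256 IS NULL THEN 'expected file doesnt exist'
         WHEN f.sha256_exp != h.sha256 THEN 'file exists with unexpected hash'
       END AS value
FROM assets a
CROSS JOIN files f
LEFT JOIN hash h ON a.upt_asset_id = h.upt_asset_id AND f.path_exp = h.path
WHERE f.sha256_exp <> COALESCE(h.sha256, '123')
ORDER BY a.upt_asset_id, f.path_exp
"""


def load_sample(conn):
    """Create the three tables the rule reads and fill them with constructed data."""
    conn.executescript("""
    CREATE TABLE upt_asset_tags (upt_asset_id TEXT, tag TEXT);
    CREATE TABLE upt_threat_indicators (indicator TEXT, indicator_type TEXT,
                                        category TEXT, description TEXT);
    CREATE TABLE qp_mandatory_files_q_hash (upt_asset_id TEXT, path TEXT,
                                            sha256 TEXT, upt_time INTEGER);
    """)
    conn.executemany("INSERT INTO upt_asset_tags VALUES (?, ?)", [
        ("host-a", "ubuntu"), ("host-a", "web"),   # two tags: DISTINCT avoids duplicates
        ("host-b", "ubuntu"),
        ("host-c", "centos"),                      # not in scope for this rule
    ])
    conn.executemany("INSERT INTO upt_threat_indicators VALUES (?, ?, ?, ?)", [
        (H_SUDO, "SHA-256", "mandatory_files", "/etc/sudo.conf"),
        (H_MTAB, "SHA-256", "mandatory_files", "/etc/mtab"),
    ])
    conn.executemany("INSERT INTO qp_mandatory_files_q_hash VALUES (?, ?, ?, ?)", [
        ("host-a", "/etc/sudo.conf", H_SUDO, 100),      # both files as expected
        ("host-a", "/etc/mtab", H_MTAB, 100),
        ("host-b", "/etc/sudo.conf", H_SUDO, 100),      # earlier snapshot was fine
        ("host-b", "/etc/sudo.conf", H_TAMPERED, 200),  # newest snapshot differs
        ("host-c", "/etc/sudo.conf", H_TAMPERED, 200),  # ignored: not tagged 'ubuntu'
    ])


def evaluate(conn):
    """Return (asset, key, value) for every row the alert rule would emit."""
    return [(row[2], row[3], row[4]) for row in conn.execute(ALERT_SQL)]


def demo():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return evaluate(conn)


if __name__ == "__main__":
    for asset, key, value in demo():
        print(asset, key, value)
```

Only host-b produces alerts: one for /etc/mtab, which never appeared in the hash table, and one for /etc/sudo.conf, where the newest snapshot carries a different hash. The WHERE clause filters out the 'file exists with expected hash' case, so that CASE branch never reaches the alert output; it is there to document the full decision table.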
