File Integrity Monitoring
File Integrity Monitoring (FIM) helps you to detect and monitor changes to important files and systems in your IT infrastructure. It is particularly useful for identifying unauthorized changes or manipulations to critical files, such as system configurations or security-relevant data, at an early stage.
Please note that the FIM module only works if you have previously allowed this in the host settings for the respective host. To do this, check the File Integrity Monitoring box in the host settings under Core Features.
Dashboard
The dashboard provides you with a clear overview of the security-relevant events in your system. The event history is categorized by severity (critical, high, medium, low) so that you can quickly identify the most important incidents. The list of most frequent events shows which threats or anomalies occur most often, again broken down by severity. Diagrams illustrate the event history and help you to recognize trends and patterns. There is also a list of new files, which helps you to keep an overview at all times.
Rules
Use the rule sets to record and categorize potentially critical operations in your systems. To start with, preconfigured sets of rules are already available for the severity levels Critical, High and Medium. You can also create and manage your own sets of rules to customize monitoring to your individual requirements.
Add rules
To create a new set of rules, click on the corresponding button in the view.
FIM is not available for files and folders on drives that do not support access monitoring! This applies, for example, to encrypted volumes mounted with VeraCrypt. You can tell whether FIM is supported on a drive by the presence of the Security tab in the properties of a file on the drive.
Then define the following points to create your set of rules.
Assign a descriptive name and a brief description to clearly identify the rule set.
Enable or disable the rule set as needed.
Assign a severity level to the rule. Available options are Critical, High, Medium, and Low.
Define the operations to be monitored:
Create: Creation of a file.
Change: Modification of file content.
Alter: Changes to metadata such as access rights or ownership.
Delete: Deletion of a file.
Read: Access to a file.
Define references that should be explicitly considered or excluded by the rule set. Specify the relevant hosts and use tags for more precise definition.
Define the file paths to be monitored or explicitly excluded from monitoring. Enter the paths exactly, since only paths that match are tracked for system changes.
Finalize your configuration by clicking the Add Rule Set button.
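To make the rule-set model above concrete, here is an added example (not code from the product) of a minimal snapshot-based checker: it records content hashes and metadata for a directory, classifies differences as Create, Change, Alter or Delete, and reports each event under the most severe enabled rule set whose include/exclude paths and operations cover it. The rule set names and path patterns are constructed; Read is deliberately absent, because a snapshot cannot see access and that operation needs the drive-level access monitoring the note above describes.

```python
import fnmatch, hashlib, os, pathlib
from dataclasses import dataclass, field
@dataclass
class RuleSet:
    name: str
    severity: str  # Critical, High, Medium or Low
    operations: set  # subset of {"Create", "Change", "Alter", "Delete"}
    include: list  # glob patterns relative to the monitored root
    exclude: list = field(default_factory=list)
    enabled: bool = True
# Constructed sample rule sets; the names and paths are hypothetical.
RULESETS = [RuleSet("System configuration", "Critical", {"Create", "Change", "Alter", "Delete"}, ["etc/*"]),
            RuleSet("Log churn", "Low", {"Create", "Delete"}, ["*.log"], exclude=["etc/*"])]

def snapshot(root):
    """Baseline: SHA-256 of content plus mode and owner of every file under root."""
    state = {}
    for path in (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs):
        st = os.stat(path)
        digest = hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()
        state[os.path.relpath(path, root)] = (digest, st.st_mode, st.st_uid, st.st_gid)
    return state

def diff(before, after):
    """Classify differences as Create, Change (content), Alter (metadata) or Delete.
    Read access leaves no trace in a snapshot; it needs OS-level access monitoring."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append((rel, "Create"))
        elif rel not in after:
            events.append((rel, "Delete"))
        elif before[rel][0] != after[rel][0]:
            events.append((rel, "Change"))
        elif before[rel][1:] != after[rel][1:]:
            events.append((rel, "Alter"))
    return events

def match(events, rulesets=RULESETS):
    """Pair each event with the most severe enabled rule set covering its path and operation."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    findings = []
    for rel, op in events:
        hits = [r for r in rulesets if r.enabled and op in r.operations
                and any(fnmatch.fnmatch(rel, p) for p in r.include)
                and not any(fnmatch.fnmatch(rel, p) for p in r.exclude)]
        if hits:
            findings.append((rel, op, min(hits, key=lambda r: rank[r.severity])))
    return findings
```

Events that no enabled rule set covers are dropped, which is exactly why an include path that is mistyped produces silence rather than an error.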
File Operations
Here you will find the FIM logs, which record all relevant file changes in the system. This includes newly created, modified or deleted files as well as all integrity violations that deviate from the defined security guidelines. Each log entry contains information about the user, the host, the source of the change and the set of rules affected. These logs help you to identify unauthorized changes and monitor system integrity. Use the free text search or the filters to quickly locate entries.