File Integrity Monitoring
Currently available in beta version
Last updated
Currently available in beta version
Last updated
File Integrity Monitoring (FIM) is the key to the integrity of your files. Here, only the accesses to directories/data that you have previously defined in the file integrity monitoring rules are recorded and clearly displayed for you. Using specially created sets of rules, you can place critical directories under observation and thus identify changes to system files at an early stage.
Under the section FIM Cockpit you will find several overviews of all accesses to directories/data defined within the sets of rules. These can be, for example, newly created or deleted files within the directories or also changes to files or their metadata.
The visualizations in the FIM Cockpit contain information about the affected directory, the explicit file name, the executed operation, the affected host and the number of detected events. Use the current 24/h view or set the start and end time of the display individually.
The individual overviews include:
Event History (Critical, High, Medium, Low)
Graphical representation of captured logs by criticality.
Most Frequent Events (Critical, High, Medium, Low)
Detailed listing of captured logs by criticality.
Unique Executables
Graphical representation of the total number of affected programs.
Unique Directories
Graphical representation of the total number of affected directories.
Unique Hosts
Graphical representation of the total number of hosts covered by FIM.
New Files (Critical, High, Medium, Low)
Detailed listing of newly created files.
History of failed events (Critical, High, Medium, Low)
Graphical representation of all rejected access attempts due to missing permissions.
Failed Events (Critical, High, Medium, Low)
Detailed listing of all rejected access attempts due to missing permissions.
Clicking on the corresponding host will take you to the detailed host details view.
Use the rule sets to capture and categorize potentially critical operations within your systems. Right from the start, you will find 3 preconfigured rule sets for the severity levels Critical, High as well as Medium and you can also create and manage your own rule sets.
We recommend that you use the predefined rule sets, as these already contain critical directories that we encourage you to monitor.
FIM generates separate DELETE and CREATE events for each file renaming or moving, for both the original and the new file. This method enables precise tracking of all changes without accessing files outside the monitored path, ensuring maximum transparency and accuracy.
Name and Description: Assign a meaningful name and description.
Enabled: Activate or deactivate your set of rules.
Severity: Select from the grades: Critical, High, Medium or Low, which criticality an action has for you within the file paths defined below.
Operations: Decide which types of activity are covered by the rule. - Create A file is created. - Change The file content is changed.
- Alter Metadata such as access rights or owners are changed.
- Delete A file is deleted.
Filepath: Specify file paths to be viewed. Note the correct specification, for smooth recording of system changes.
Host binding: Decide whether rule applies exclusively to the systems to be defined in the reference. or assign the set of rules to all hosts with assigned tags. In this case, also determine whether the reference must include all tags or whether only at least one specified tag must be present.
Under Logs you will find the result of your previously defined rules. Here you can see listed which operation within which directory was assigned to the previously defined severity level.
Note that only logs defined in rules are mapped here.
Use the searchbar to filter specifically for entries or click on applicable fields to display similar results. You can narrow down your results by setting multiple filters.
Please note that a separate log entry may not be created for each individual moved object in our system in the event of mass moves or mass renames. Nevertheless, enough log entries are usually generated to clearly indicate that a mass move or mass renaming has taken place.
Under Logs you will find the result of your previously defined rules. Here you can see a list of which operation within which directory was assigned to the previously defined severity level.
Please note that only logs defined in sets of rules are also displayed here.
Use the search bar to filter for specific entries or click on relevant fields to display similar results. You can narrow down your results by setting multiple filters.
Beachten Sie, dass bei Massenverschiebungen oder Massenumbenennungen in unserem System eventuell nicht für jedes einzelne verschobene Objekt ein separater Log-Eintrag erstellt wird. Trotzdem werden in der Regel genügend Log-Einträge generiert, um eindeutig anzuzeigen, dass eine Massenverschiebung bzw. -umbenennung stattgefunden hat.
From version 6.2.0 of the Enginsight Pulsar, FIM is also available for macOS. However, this requires the Pulsar to be given authorization for full hard disk access. To do this, proceed as follows:
Call up the system settings.
Go to the "Privacy & Security" section.
An entry for the Pulsar should already be visible under "Full disk access". Activate this to enable FIM.
If no entry for Pulsar is visible, add it by clicking on +. The app can be found in the program directory (/Applications/Enginsight Pulsar.app).
Once you have granted authorization, FIM can now be used. A restart is not necessary.