File Integrity Monitoring
Alert Logic offers File Integrity Monitoring (FIM), which allows you to monitor changes to files and directories of assets associated with your Alert Logic deployments in the Alert Logic console. You can configure monitoring or exclusions for specific file paths or entire directories in your Windows and Linux systems.
The File Integrity Monitoring Dashboard is only offered to Managed Detection and Response Professional customers. To learn more about Alert Logic subscriptions, see Get Started with Alert Logic Subscriptions and Add-ons.
FIM allows you to be aware of file changes and related details in your deployment. The following are examples of what you can monitor:
- When a file was created and last modified
- Unauthorized access to specific files
- Security permission changes, such as newly added permissions, deleted permissions and changes to existing permissions
- Registry changes, such as changed registry values, removed registry keys and sub keys
- Changes in system binaries and configuration files, and new processes
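The following added example (Python, not Alert Logic code) shows the core of what a file-integrity check does for the file-system cases above: record a baseline of content hash, size and permission bits for every file under a monitored directory, then compare a later snapshot against it and classify each difference as created, deleted, modified or a permissions-only change. The directory tree it builds and the record format are constructed for the example; registry monitoring is not covered.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FileRecord:
    """Baseline entry for one regular file (record format assumed for this example)."""
    sha256: str  # content hash: catches modified binaries and config files
    size: int
    mode: int    # permission bits only, e.g. 0o644


def _hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record a FileRecord for every regular file under root, keyed by relative path."""
    base = Path(root)
    records = {}
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        st = path.stat()
        records[path.relative_to(base).as_posix()] = FileRecord(
            sha256=_hash_file(path), size=st.st_size, mode=stat.S_IMODE(st.st_mode)
        )
    return records


def diff(baseline: dict, current: dict) -> list:
    """Compare two snapshots and return (relative_path, change_type) pairs sorted by path.

    change_type is 'created', 'deleted', 'modified' or 'permissions'; a file whose
    content and permissions both changed is reported once, as 'modified'.
    """
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append((rel, "created"))
        elif new is None:
            changes.append((rel, "deleted"))
        elif (old.sha256, old.size) != (new.sha256, new.size):
            changes.append((rel, "modified"))
        elif old.mode != new.mode:
            changes.append((rel, "permissions"))
    return changes


def demo() -> list:
    """Build a constructed /etc-like tree, baseline it, apply four changes, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "ssh_config").write_text("PasswordAuthentication no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(etc / "ssh_config", 0o644)
        baseline = snapshot(root)

        # Changes a FIM rule on /etc should surface (all constructed):
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/srv:/usr/sbin/nologin\n"
        )                                              # content change
        os.chmod(etc / "ssh_config", 0o666)            # permission change only, content untouched
        (etc / "hosts").unlink()                       # deleted file
        (etc / "rc.local").write_text("#!/bin/sh\n")   # new file
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:12s} {rel}")
```

A real agent also records ownership and, on Windows, ACLs and registry values, and it streams events rather than re-hashing a tree on a schedule; the baseline-and-compare logic is the same.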
After you set up FIM, you can schedule a weekly or monthly search of changes to your FIM setups, and be notified when the search is complete. Scheduled searches can help you keep records of changes to your systems for compliance requirements. For more information about how to schedule a search and access its notifications, see File Integrity Monitoring Search Notification.
The FIM features also help you demonstrate compliance with PCI Requirement 10.5.5 and PCI Requirement 11.5. Alert Logic provides guidance on how to use and access FIM features to demonstrate compliance in the PCI Requirement 10.5.5 and PCI Requirement 11.5.
You can view the File Integrity Monitoring dashboard for a summary of your file monitoring activity. For more information, see File Integrity Monitoring Dashboard.
To access the File Integrity Monitoring page, click the menu icon (). Click Configure, and then click the deployment for which you want to configure file monitoring. On the left navigation panel, click File Integrity Monitoring.
The File Integrity Monitoring page is composed of two subsections: Monitoring and Exclusions. On the Monitoring page, you can set up files and directories for monitoring from the default file types listed on the page. On the Exclusions page, you can exclude files and directories from monitoring, which overrides a previously configured file monitoring setup.
Monitoring page
On the Monitoring page, you can configure monitoring for default files and directories. You must scope assets that you want monitored for that file or directory path. You do not need to edit or remove the default file paths. After you have applied the asset scoping to the file path, you must enable each file individually to start monitoring.
Default directories and files
Alert Logic can monitor all default directories and files listed below for GNU/Linux files, Windows files, and Windows Registry. Click the All File Types drop-down menu to select a file type for the default directories and files you want to view.
- /bin
- /boot
- /etc
- /sbin
- /usr/bin
- /usr/local/bin
- /usr/local/sbin
- /usr/sbin
- /usr/my_custom_filepath
- /usr/share/keyrings
- /var/spool/cron
- C:\autoexec.bat
- C:\boot.ini
- C:\config.sys
- C:\Program Files\Microsoft Security Client\msseces.exe
- C:\Program Files\My Custom App\customapp.exe
- C:\Windows\explorer.exe
- C:\Windows\regedit.exe
- C:\Windows\system.ini
- C:\Windows\System32
- C:\Windows\win.ini
- HKEY_LOCAL_MACHINE\Software\Classes\batfile
- HKEY_LOCAL_MACHINE\Software\Classes\cmdfile
- HKEY_LOCAL_MACHINE\Software\Classes\comfile
- HKEY_LOCAL_MACHINE\Software\Classes\exefile
- HKEY_LOCAL_MACHINE\Software\Classes\piffile
- HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects
- HKEY_LOCAL_MACHINE\Software\Classes\Directory
- HKEY_LOCAL_MACHINE\Software\Classes\Folder
- HKEY_LOCAL_MACHINE\Software\Classes\Protocols
- HKEY_LOCAL_MACHINE\Software\Policies
- HKEY_LOCAL_MACHINE\Software\Policies\Custom
- HKEY_LOCAL_MACHINE\Security
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
Add a FIM setup
There are two different ways to add a FIM setup. You can click the add icon (), or find the default file or directory that you want to monitor in the list. After you have filled out all required fields and scoped your assets, you must turn on Monitor.
To add a FIM setup from the add icon:
- Click the add icon ().
- In the Select File Type drop-down list, select a file type.
- In the Base Directory Path field, enter the file path that you want to monitor.
- In the File Name or Pattern field, enter the pattern of the files that you want to monitor.
- Select Monitor to enable monitoring for this file or directory.
- (Optional) In the Description field, you can enter more detail for this setup.
- In the Asset Scoping section, click the Search assets bar to enter the names of the assets you want to monitor, and then select assets to add from the populated options.
Monitoring is automatically applied to all assets in your deployment. Scoping individual assets for monitoring in this file path will override monitoring for all assets in this deployment.
- Click SAVE.
- Ensure Monitor is turned on for the file you just scoped.
To add a FIM setup from the list:
- Click the All File Types drop-down list, and then select a file type to filter the list to its default files and directories.
- Find the file path you want to scope assets for monitoring.
- Click View, and then click Edit.
- Ensure Monitor is selected to enable monitoring for this file or directory.
- (Optional) In the Description field, you can enter more detail for this setup.
- In the Asset Scoping section, click the Search assets bar to enter the names of the assets you want to monitor, and then select assets to add from the populated options.
Monitoring is automatically applied to all assets in your deployment. Scoping individual assets for monitoring in this file path will override existing monitoring rules for all assets in this deployment.
- Click SAVE.
- Ensure Monitor is turned on for the file you just scoped.
Duplicate an existing FIM setup
You can use the duplicate feature if you want to copy an existing FIM setup within the same base directory path. You can change the file name or pattern and the asset scoping, but the base directory path must be the same.
The file name or pattern that you want to create a setup for must be under the same base path from the FIM setup that you want to duplicate.
To duplicate an existing FIM setup:
- Click View, and then click the duplicate icon () for the file path or directory you want to copy.
- Make the necessary changes to the File Name or Pattern field.
- Ensure Monitor is selected to enable monitoring for this file or directory.
- Make the necessary changes to the description and asset scoping.
- Click SAVE.
- Ensure Monitor is turned on for the file you just scoped.
Edit an existing FIM setup
To edit an existing FIM setup:
- Click View, and then click the edit icon () for the file path you want to edit.
- Ensure Monitor is selected to enable monitoring for this file or directory.
- Make any necessary changes.
Monitoring is automatically applied to all assets in your deployment unless you have further scoped individual assets for monitoring.
- Click SAVE.
- Ensure Monitor is turned on for the file you just scoped.
Bulk edit multiple file paths
You can bulk edit multiple file paths at once to scope assets, or replace assets in scope with other assets.
To bulk edit multiple file paths:
- Click the All File Types drop-down list, and then select a file type to filter the list to its default files and directories.
- Select the check box to bulk select all the files in that file type.
- At the bottom of the page, click the scope icon ().
- Under Selected File Paths, you can remove file paths that you do not want to edit. You can use the search bar to find assets you want to remove, and then click the remove icon ().
- In the Asset Scoping section, select Apply additional assets to the selected file paths to add more assets to monitor, or select Replace existing assets with a new asset scope to remove your existing assets in scope and replace with other assets.
Monitoring is automatically applied to all assets in your deployment unless you have further scoped individual assets for monitoring.
- Click the Search assets bar to enter the names of the assets you want to monitor, and then select assets to add from the populated options.
- Click SAVE.
- Ensure Monitor is turned on.
Exclusions page
On the Exclusions page, you can add entire directories or specific file paths you want to exclude from monitoring. Your file path or directories exclusions will be listed on this page.
Default directories and files
The default directories and files are listed below for Windows files. Click the All File Types drop-down menu to select a file type for the default directories and files you want to view.
- C:\Windows\System32\*.txt
- C:\Windows\System32\*.log
- C:\Windows\System32\*.log.*
- C:\Windows\System32\*.sol
- C:\Windows\System32\*.etl
- C:\Windows\System32\*.etl.*
- C:\Windows\System32\*.evt
- C:\Windows\System32\*.evtx
- C:\Windows\System32\*.dat
- C:\Windows\System32\*.jfm
- C:\Windows\System32\*.jrs
- C:\Windows\System32\*.chk
- C:\Windows\System32\config\
- C:\Windows\System32\logfiles\
- C:\Windows\System32\msdtc\
- C:\Windows\System32\sleepstudy\
- C:\Windows\System32\smi\store\
- C:\Windows\System32\spool\printers\
- C:\Windows\System32\spp\store\
- C:\Windows\System32\wbem\logs\
- C:\Windows\System32\wbem\repository\
- C:\Windows\System32\wdi\
- C:\Windows\System32\winevt\
The exclusions you configure override monitoring of files that are currently being monitored. This allows you to exclude specific files or sub-directories from an entire directory that you previously configured for monitoring.
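As an added illustration (not Alert Logic's own code, and not its documented matching rules), the Python below resolves the monitoring and exclusion defaults listed on this page the way this paragraph describes: a path is reported only if a monitoring entry covers it and no exclusion entry does, so the broad C:\Windows\System32 rule can stay in place while log and event-file churn is suppressed. The pattern semantics are assumptions made for the example: `*` is a glob wildcard, an entry ending in a backslash covers a whole sub-tree, and a wildcard entry applies to files directly in its base directory.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Constructed rule sets, taken from the default entries listed on this page.
MONITORED = ["C:\\Windows\\System32", "C:\\Windows\\win.ini"]
EXCLUDED = [
    "C:\\Windows\\System32\\*.log",
    "C:\\Windows\\System32\\*.log.*",
    "C:\\Windows\\System32\\*.etl",
    "C:\\Windows\\System32\\config\\",
    "C:\\Windows\\System32\\winevt\\",
]


def _parts(p: str) -> list:
    # Case-insensitive component list; PureWindowsPath drops a trailing backslash.
    return [part.lower() for part in PureWindowsPath(p).parts]


def _is_under(path: str, directory: str) -> bool:
    d = _parts(directory)
    return _parts(path)[: len(d)] == d


def _matches(entry: str, path: str) -> bool:
    """Does a monitoring or exclusion entry cover `path`?

    Semantics assumed for this example (not taken from the product):
      * entry ending in a backslash            -> a directory and its whole sub-tree
      * entry whose last component contains '*' -> files directly in that directory
      * any other entry                        -> that exact file, or that directory
                                                  and its sub-tree
    """
    if entry.endswith("\\"):
        return _is_under(path, entry)
    e = PureWindowsPath(entry)
    if "*" in e.name:
        p = PureWindowsPath(path)
        return (_parts(str(p.parent)) == _parts(str(e.parent))
                and fnmatchcase(p.name.lower(), e.name.lower()))
    return _is_under(path, entry)


def is_monitored(path: str, monitored=MONITORED, excluded=EXCLUDED) -> bool:
    """Exclusions override monitoring: a path is monitored only when some
    monitoring entry covers it and no exclusion entry does."""
    if not any(_matches(m, path) for m in monitored):
        return False
    return not any(_matches(x, path) for x in excluded)


if __name__ == "__main__":
    # Constructed sample paths; the last one shows the 'directly in base dir' assumption:
    # a *.log file in a sub-directory of System32 is still monitored.
    for sample in [
        "C:\\Windows\\System32\\kernel32.dll",
        "C:\\Windows\\System32\\setupapi.log",
        "C:\\Windows\\System32\\setupapi.log.1",
        "C:\\Windows\\System32\\config\\SAM",
        "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx",
        "C:\\Windows\\notepad.exe",
        "C:\\Windows\\System32\\drivers\\foo.log",
    ]:
        print(f"{'monitored' if is_monitored(sample) else 'ignored  '}  {sample}")
```

When you review a rule set, walk the paths you care about through a resolver like this one: an exclusion that is wider than intended (for example a directory entry where a file pattern was meant) silently removes coverage, and nothing on the Monitoring page will show that.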
To access the Exclusions page, you can click NEXT from the Monitoring page, or click Exclusions on the left navigation panel.
To add an exclusion:
- Click the add icon ().
- In the Select File Type drop-down list, select a file type.
- In the Base Directory Path field, enter the file path that you want to exclude.
- In the File Name or Pattern field, enter the pattern of the files that you want to exclude.
- (Optional) In the Description field, you can enter more detail for this setup.
- In the Asset Exclusions section, click the Search assets bar to enter the names of the assets you want to exclude, and then select assets to exclude from the populated options.
Monitoring is automatically applied to all assets in your deployment unless you have further scoped individual assets for monitoring. Excluding assets from this file path will override existing exclusion rules for all assets in this deployment.
- Click SAVE.
Duplicate an existing File Integrity Exclusion setup
You can use the duplicate feature if you want to copy an existing File Integrity Exclusion setup within the same base directory path. You can change the file name or pattern and the asset exclusions, but the base directory path must be the same.
The file name or pattern that you want to create a setup for must be under the same base path from the File Integrity Exclusion setup that you want to duplicate.
To duplicate an existing File Integrity Exclusion setup:
- Click View, and then click the duplicate icon () for the file path or directory you want to copy.
- Make the necessary changes to the File Name or Pattern field.
- Ensure Monitor is selected to enable monitoring for this file or directory.
- Make the necessary changes to the description and asset exclusion.
- Click SAVE.
- Ensure Monitor is turned on for the file you just scoped.
Edit an existing File Integrity Exclusion setup
To edit an existing File Integrity Exclusion setup:
- Click View, and then click the edit icon () for the file path you want to edit.
- Make any necessary changes.
Monitoring is automatically applied to all assets in your deployment unless you have further scoped individual assets for monitoring. Excluding assets from this file path will override existing exclusion rules for all assets in this deployment.
- Click SAVE.
- Ensure Monitor is turned on for the file you just scoped.
Bulk edit multiple file paths
You can bulk edit multiple file paths at once to scope assets, or replace assets in scope with other assets.
To bulk edit multiple file paths:
- Click the All File Types drop-down list, and then select a file type to filter the list to its default files and directories.
- Select the check box to bulk select all the files in that file type.
- At the bottom of the page, click the scope icon ().
- Under Selected File Paths, you can remove file paths that you do not want to edit. You can use the search bar to find assets you want to remove, and then click the remove icon ().
- In the Asset Scoping section, select Apply additional assets to the selected file paths to add more assets to monitor, or select Replace existing assets with a new asset scope to remove your existing assets in scope and replace with other assets.
Monitoring is automatically applied to all assets in your deployment unless you have further scoped individual assets for monitoring.
- Click the Search assets bar to enter the names of the assets you want to monitor, and then select assets to add from the populated options.
- Click SAVE.
- Ensure Monitor is turned on.