File Integrity Monitoring Search Notification

Alert Logic offers File Integrity Monitoring (FIM), which allows you to monitor changes to files and directories of assets associated with your Alert Logic deployments in the Alert Logic console. You can configure monitoring or exclusions for specific file paths or entire directories in your Windows and Linux systems. To learn more about FIM, see File Integrity Monitoring.

You can also view the File Integrity Monitoring dashboard for a summary of your file monitoring activity. For more information, see File Integrity Monitoring Dashboard.

After you set up FIM, you can schedule a weekly or monthly search of changes to your FIM setups, and be notified when the search is complete. The search and notification can help you keep records of changes to your systems, which can also help you with PCI-DSS compliance requirements.

Create a search schedule and notification

Create a schedule and subscribe users to receive a notification when the search is complete in the Notifications page.

To create a search schedule and notification:

  1. In the Alert Logic console, click the menu icon.
  2. Click Manage, click Notifications, and then click Schedules.
  3. Click the add icon, and then click Schedule a FIM Search.
  4. Type a descriptive name for the search schedule, for example, "Security search for security team."
  5. If you want the schedule to be active, leave Schedule Is Active turned on. Turn it off if you want to save the schedule but not activate it yet.
  6. Specify how often you want to conduct the search:
    • Daily: Every day, conducts a search for the previous day.
    • Weekly: On the day you select, conducts a search for the previous calendar week (Monday to Sunday).
    • Monthly: On the day of the month you select, conducts a search for the previous calendar month.
  7. Select the time you want Alert Logic to conduct the search, using the 24-hour clock standard. Alert Logic schedules the search in the time zone reported by your web browser.
  8. Select the FIM search template you want.
  9. To subscribe users to receive a notification email, click Subscribe User(s), and then:
    1. Under Notification Delivery, select the users that you want to receive the notification. The list includes your name and user names in the customer account. You can use the search bar to help you find recipients.
    2. (Optional) Customize the Email Subject. You can change the text and insert the {{search_name}} variable to include the name of the scheduled search.
    3. If you want to send the search results as a CSV file attachment, select the Attach CSV File check box. If you leave it cleared, the email provides only a link to the Downloads page, with the list filtered to display the search generated by the schedule.
    4. The CSV file attachment contains a maximum of 500,000 FIM events. The attachment is unencrypted and may contain sensitive information about your organization. If that is a concern, leave Attach CSV File cleared so recipients retrieve the results through the Downloads page link instead.
    5. If you want to receive a notification even if the search yielded no results, select the Receive a notification even if the scheduled search yields no results check box.
  10. Click SAVE.

View and manage search schedules and notifications

You can view and manage search schedules and their notifications from the Notifications page, listed under Manage in the Alert Logic console. The Schedules tab on the Notifications page lists existing search schedules and the number of recipients notified when the scheduled search is generated.

View list of searches generated by a schedule

The Downloads page lists all searches generated by your search schedules. From this page, you can download and manage searches. To access the Downloads page, click the menu icon, and then click Investigate. Click Search, and then click Downloads.

The list includes all searches in your customer account and its managed accounts. You can narrow the set of searches listed by using the filters in the left navigation.

Filter the searches downloads list

The Downloads page lists all searches conducted from FIM search schedules. You can apply filters to narrow the list to a specific set of searches.

To filter the searches downloads list:

  1. In the left navigation, click any of the filters to narrow the list. Available filters vary according to the schedules in your environment and filters you select.
    • Display: You can use this filter to display the latest searches only.
    • Schedule: You can use this filter to display only the searches conducted by a specific schedule.
  2. To search for a filter, type a filter value in the search filters box. For example, you can quickly find downloads for a specific schedule by typing part of the schedule name.
  3. To clear filters and start over, delete text from search filters (if applicable) or select CLEAR ALL FILTERS.

Search by date to filter the list

You can use the date range drop-down menu at the top of the downloads list to filter the searches by generation date. Click the menu and then use the calendar to select a date range.

Search the FIM search schedule list

You can use the search bar to find a specific search. To find the search that a notification refers to, enter in the search bar the Search Result ID that was emailed to you.

Download a search generated by a schedule

To the right of the search you want to download, click Download. If you select more than one search, the download is a compressed file containing the selected search CSV files.

The CSV File search attachment contains a maximum of 500,000 FIM events.

Delete search generated by a schedule

Select the check box next to one or more searches you want to delete, and then click the DELETE icon.

If you want to delete all searches currently listed, select the check box at the top of the list. On the bar that appears at the bottom of the page, click the DELETE icon.