Help Document

File Integrity Monitoring

File Integrity Monitoring (FIM) is a feature that helps you monitor all changes (addition, deletion, modification) made to files and folders in Windows.

  1. Configuring File Integrity Monitoring
  2. Manage File Integrity Monitoring (FIM) Templates
  3. Configuring Bulk Integrity Monitoring
  4. Prerequisites for automatic configuration of FIM
  5. Steps for manual configuration of FIM

Configuring File Integrity Monitoring

By continuously monitoring who accesses and modifies files, FIM configuration helps organizations better secure sensitive information from theft, loss, and cyberattacks.

To configure File Integrity Monitoring:

  • Navigate to Settings > Configuration > File Integrity Monitoring
  • Click the Add FIM button.
  • Select the device where the files/folders are located, for which you want to enable FIM.
  • To add a device from a particular domain, select the domain from Select Category field and then choose the required log sources.
  • To add a device manually, click Configure Manually present on the top right corner of the "Select Log Source for FIM" popup.
  • Select the agent with which the logs are to be fetched for the device. Several devices can be associated with a single agent, which then collects logs for all of them.
  • Browse and select the files and folders you wish to monitor with FIM. Alternatively, you can enter the location of the files/ folders.
  • To audit only a particular set of files/folders, click on the filter icon present on the right corner of any selected location. This will let you include or exclude particular file types for FIM.
  • The Exclude Subfolders option lets you exclude:
    • None of the subfolders
    • All the sub-locations
    • The selected sub-locations
  • Click Configure.

Note:
  • Configuring FIM can result in an increase in log flow, potentially causing a spike in storage. Kindly configure it only for the files that require monitoring.
  • To monitor removable storage, kindly install the agent for the device locally and configure FIM.

Manage File Integrity Monitoring (FIM) Templates

If the same file or folder needs to be monitored in multiple devices, then a template can be created and assigned to these devices. This will make it easier for the user to audit the same set of files or folders without selecting them all over again.

To create a FIM template, follow the steps below:

  • Navigate to Settings > Configurations > File Integrity Monitoring > Manage File Integrity Monitoring Templates.
  • Click Add FIM Template.
  • Enter a name for the template and select the locations of the files and folders.

    Alternatively, you can enter the location of the files/folders. The Import Locations option can be used to import multiple locations at once.

  • Click Configure.
  • All the created templates are listed in a table, with an option to edit or delete them using the Edit Template or Remove Template icon.

Configuring Bulk Integrity Monitoring

If the same files and folders located in multiple devices need to be added for monitoring, the Bulk File Monitoring feature can be used.

  • Navigate to Settings > Configuration > File Integrity Monitoring
  • Click the Add FIM button present on the top right corner.
  • Select Configure Multiple Devices.
  • Pick the devices in which the files/folders are located, enter the correct credentials, and select the agent. Also, you can choose the template from the list of templates that are available.
  • Click Configure.

Prerequisites for automatic configuration of FIM

The prerequisites required to configure FIM automatically with the use of an agent are listed below:

  • The user who configures FIM must be a member of the local Administrators group (for a workgroup device) or hold administrative privileges (for a domain-joined device) in order to configure SACLs and Local Security Policies.
  • "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" should be enabled.

    This can be enabled by navigating to: Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options

  • The user, or a group they belong to, must be added to the "Access this computer from the network" policy.

    This can be accomplished by navigating to: Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.

  • The following services and firewall rules must be enabled to access a remote machine:
    • For Windows Version 6.0 or higher
      • Services
        • Function Discovery Resource Publication
        • Function Discovery Provider Host
      • Firewall inbound Rule
        • File and Printer Sharing (SMB-In) (Local Port 445)
        • File and Printer Sharing (NB-Session-In) (Local Port 139)
      • File and Printer Sharing for Microsoft Networks in LAN Property should be enabled.
  • Auditpol.exe must be available on machines running Windows version 6.0 or higher.
  • Enable the SMB v2/v3 Protocol.

Note: For Windows Server 2003, kindly follow the manual configuration steps.

Run the following command to verify that the agent can access the admin share path:

net use * \\<Machine Name>\<Admin Share Path> /user:<Username> <Password>

Example: net use * \\FileServer\c$\FIM /user:administrator ******

Troubleshooting net use errors:

  • If Error 5 (Access to remote admin share path is denied) occurs,

    Cause:

    • The credentials may be incorrect.
    • The credentials have insufficient privileges.
    • On workgroup devices, local accounts using administrative credentials are prevented from accessing administrative shares over the network.

    Solution:

    • Use credentials that have the privilege to access administrative shares; this is needed to set SACLs and Local Security Policies.
    • For workgroup devices, set the registry value LocalAccountTokenFilterPolicy to 1.

      Registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • If Error 53 (The network path was not found) occurs, enable the following services on both the client and the server:
    • DNS Client
    • SSDP Discovery (Local UDP Port 1900)
    • UPnP Device Host (Local TCP Port 2869)
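The prerequisites and the net use troubleshooting items above, gathered into one check script as an added example; this is not part of the product documentation or its agent. It reads the standard Windows service short names, firewall rule display names and registry values that correspond to the items listed on this page; the remote host name is a placeholder to replace. Run it in an elevated PowerShell on the device to be monitored (the admin share test at the end is what the net use command above verifies).

```powershell
# Added example (not the product's own tooling): checks the automatic-FIM
# prerequisites and the services named in the net use troubleshooting
# section on this page. Run in an elevated PowerShell on the target device.
param(
    [string]$RemoteHost = 'FILESERVER-PLACEHOLDER'   # placeholder, replace with the real host name
)

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. "Force audit policy subcategory settings ... to override audit policy category
#    settings" is stored as SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
Add-Check 'Force subcategory audit policy' ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) `
    "SCENoApplyLegacyAuditPolicy=$($lsa.SCENoApplyLegacyAuditPolicy)"

# 2. Required services: the two Function Discovery services from the prerequisites
#    plus the three services listed under Error 53 (short name -> display name).
$services = @{
    'FDResPub' = 'Function Discovery Resource Publication'
    'fdPHost'  = 'Function Discovery Provider Host'
    'Dnscache' = 'DNS Client'
    'SSDPSRV'  = 'SSDP Discovery'
    'upnphost' = 'UPnP Device Host'
}
foreach ($svc in $services.GetEnumerator()) {
    $s = Get-Service -Name $svc.Key -ErrorAction SilentlyContinue
    $running = ($null -ne $s -and $s.Status -eq 'Running')
    Add-Check "Service: $($svc.Value)" $running ("Status=" + $(if ($s) { $s.Status } else { 'missing' }))
}

# 3. Inbound firewall rules for SMB (TCP 445) and NetBIOS session (TCP 139).
foreach ($rule in 'File and Printer Sharing (SMB-In)', 'File and Printer Sharing (NB-Session-In)') {
    $r = Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue |
         Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    Add-Check "Firewall rule: $rule" ($null -ne $r) ("Enabled rules=" + @($r).Count)
}

# 4. SMB v2/v3 enabled on the server side of this machine.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
Add-Check 'SMB v2/v3 enabled' ($smb.EnableSMB2Protocol -eq $true) "EnableSMB2Protocol=$($smb.EnableSMB2Protocol)"

# 5. auditpol.exe present (needed for automatic audit policy configuration).
$auditpol = Join-Path $env:SystemRoot 'System32\auditpol.exe'
Add-Check 'auditpol.exe available' (Test-Path $auditpol) $auditpol

# 6. Workgroup devices only: LocalAccountTokenFilterPolicy = 1 (the Error 5 fix above).
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$inDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
Add-Check 'LocalAccountTokenFilterPolicy (workgroup only)' ($inDomain -or $pol.LocalAccountTokenFilterPolicy -eq 1) `
    "PartOfDomain=$inDomain Value=$($pol.LocalAccountTokenFilterPolicy)"

# 7. Admin share reachability, the same thing the net use command on this page verifies.
$share = "\\$RemoteHost\c$"
Add-Check "Admin share reachable: $share" (Test-Path -Path $share -ErrorAction SilentlyContinue) $share

$results | Format-Table -AutoSize
```

A failed row maps directly to one item in the lists above; the registry and service names are the ones Windows uses for the policy and service display names shown on this page.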

Steps for manual configuration of FIM

The prerequisites required for manual FIM log collection are mentioned below.

Please follow the steps below to enable the specified policies manually.

For Windows version 6.0 or higher:

  • Execute the below command on the local computer with Administrator privileges.
  • Command: auditpol.exe /set /subcategory:"File System,Handle Manipulation,File Share,Detailed File Share" /success:enable /failure:enable
  • Using GPO:

    [ Policy ] → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies - Local Group Policy Object → Object Access

    Enable the following policies, both Success and Failure.

    • Audit File Share
    • Audit File System
    • Audit Handle Manipulation
    • Audit Detailed File Share

For Windows Server 2003:

  [ Policy ] → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit Object Access (Success and Failure)

Enable SACLs on each file/folder with the permissions below:

    [File/Folder properties] → Security → Advanced → Auditing

  • Execute files/traverse folder
  • Write data/create files
  • Append data/create folders
  • Write attributes
  • Write extended attributes
  • Delete subfolders and files
  • Delete
  • Read permissions
  • Change permissions
  • Take ownership
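The manual steps above (the auditpol command, or the equivalent GPO subcategories, followed by the SACL entry), carried out in PowerShell as an added example; this is not a script shipped with the product. The folder path is a placeholder, the audit identity "Everyone" and the probe-file check at the end are choices made for the example, and event ID 4663 is the standard Windows object-access event, which this page does not name.

```powershell
# Added example (not the product's own tooling): performs the manual FIM
# configuration on this page for one folder, then verifies that it audits.
# Run in an elevated PowerShell on the monitored device (Windows 6.0 or higher).
param(
    [string]$Path = 'C:\FIM-Test-PLACEHOLDER'   # placeholder folder to monitor
)

# Step 1: enable the four Object Access subcategories for Success and Failure.
# One auditpol call per subcategory; same effect as the single command on the page.
$subcategories = 'File System', 'Handle Manipulation', 'File Share', 'Detailed File Share'
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}
# Show the resulting state for review.
& auditpol.exe /get /category:"Object Access"

# Step 2: add a SACL audit entry with the rights listed on the page.
# FileSystemRights names map to the Auditing dialog labels as follows:
#   ExecuteFile                  = Execute files / traverse folder
#   WriteData                    = Write data / create files
#   AppendData                   = Append data / create folders
#   WriteAttributes, WriteExtendedAttributes
#   DeleteSubdirectoriesAndFiles = Delete subfolders and files
#   Delete, ReadPermissions, ChangePermissions, TakeOwnership
$rights = [System.Security.AccessControl.FileSystemRights](
    'ExecuteFile, WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ReadPermissions, ChangePermissions, TakeOwnership')

if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

$identity    = [System.Security.Principal.NTAccount]'Everyone'   # example choice
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $identity, $rights, $inheritance, $propagation, $auditFlags

# Reading and writing the SACL needs -Audit and SeSecurityPrivilege (elevated shell).
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 3: verify. Create a probe file (WriteData) and look for the resulting
# Security event. 4663 ("An attempt was made to access an object") is the standard
# object-access event; it is not named on this page.
$probe = Join-Path $Path 'fim-probe.txt'
$since = (Get-Date).AddSeconds(-5)
Set-Content -Path $probe -Value 'probe'
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$probe*" }
if ($events) { "SACL active: $(@($events).Count) object-access event(s) recorded for $probe" }
else         { "No 4663 event found yet for $probe; re-check the audit policy output and the SACL" }
```

The SACL entry is inherited by subfolders and files (ContainerInherit, ObjectInherit), which matches the "None of the subfolders" exclusion setting described earlier on this page; narrow the inheritance flags if only the selected location should be audited. Expect the log volume note above to apply: every matching access to the folder produces a Security event.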
