Documentation for Security Event Manager

Monitor Windows files, directories, and registry settings using FIM connectors

File Integrity Monitoring (FIM) monitors all Windows file types for unauthorized changes. Using FIM, you can detect changes to critical files to ensure systems have not been compromised.

FIM monitors Windows systems that are configured to process data through the supported SEM agent for Windows. See the SEM system requirements for more information.

FIM does not support the monitoring of network shares; only local drives are supported. FIM can detect unauthorized modifications to configuration files, executable files, log and audit files, content files, database files, web files, and so on. When FIM detects a change in a monitored file, it logs an event. This event prompts SEM to execute the configured action.

You can build correlation rules that act as a second-level filter and send an alert if certain patterns of activity occur (not just single instances). When an alert is triggered, the data is presented in context with your network and other system log data.
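The second-level filtering described above, sketched as an added example (this is not SolarWinds code or SEM rule syntax): it alerts when one user on one host changes several distinct monitored paths within a short window, and stays quiet for single changes or repeated writes to one file. The event tuple layout, hosts, users, paths, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample FIM events: (timestamp, host, user, operation, path).
# This layout is an assumption for illustration, not SEM's event schema.
EVENTS = [
    ("2024-05-01T10:00:00", "HOST1", "alice", "write", r"C:\inetpub\wwwroot\web.config"),
    ("2024-05-01T10:05:00", "HOST2", "bob", "delete", r"C:\Windows\System32\drivers\etc\hosts"),
    ("2024-05-01T10:05:10", "HOST2", "bob", "write", r"C:\inetpub\wwwroot\web.config"),
    ("2024-05-01T10:05:20", "HOST2", "bob", "change_permissions", r"C:\Logs\audit.log"),
    ("2024-05-01T10:05:30", "HOST2", "bob", "delete", r"C:\Logs\app.log"),
    ("2024-05-01T10:10:00", "HOST1", "carol", "write", r"C:\App\data.db"),
    ("2024-05-01T10:10:05", "HOST1", "carol", "write", r"C:\App\data.db"),
    ("2024-05-01T10:10:10", "HOST1", "carol", "write", r"C:\App\data.db"),
]

CHANGE_OPS = {"create", "write", "delete", "change_permissions"}

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per burst in which a (host, user) pair changes at
    least `threshold` distinct paths inside a sliding `window`."""
    recent = defaultdict(deque)   # (host, user) -> deque of (time, path)
    active = set()                # pairs currently above the threshold
    alerts = []
    for ts_text, host, user, op, path in sorted(events):
        if op not in CHANGE_OPS:
            continue
        ts = datetime.fromisoformat(ts_text)
        key = (host, user)
        queue = recent[key]
        queue.append((ts, path))
        # Drop events that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        distinct = {p for _, p in queue}
        if len(distinct) < threshold:
            active.discard(key)   # burst over; allow a future alert
        elif key not in active:
            active.add(key)       # suppress duplicates for the same burst
            alerts.append({"host": host, "user": user, "count": len(distinct),
                           "first": queue[0][0].isoformat(),
                           "last": ts.isoformat(), "paths": sorted(distinct)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```
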

FIM features

  • Monitor access in real time and identify users who change files and registry keys.
  • Configure file and directory logic and registry keys and values to monitor different types of access (create, write, delete, change permissions and metadata).
  • Standardize configurations across many systems.
  • Configure monitoring templates to monitor the basics and create and customize your own monitors.
  • Configure templates for rules, filters, and reports to help include FIM events.

See the following topics for more information.