Documentation for Security Event Manager

Configure FIM connectors to monitor Windows files, directories, and registry settings

File integrity monitoring (FIM) monitors all Windows file types for unauthorized changes. Using FIM, you can detect changes to critical files to ensure systems have not been compromised.

Please note that FIM does not support the monitoring of network shares. Only local drives are supported.

FIM monitors Windows systems that are configured to process data through the supported SEM agent for Windows. See the SEM system requirements for more information.

FIM can detect unauthorized modifications to configuration files, executables, log and audit files, content files, database files, web files, and so on. When FIM detects that a monitored file has changed, it logs an event. The event then prompts SEM to execute the configured action. You can build correlation rules to act as a second-level filter to send an alert if certain patterns of activity occur (not just single instances). When an alert is triggered, the data is in context with your network and other system log data.
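The second-level filtering described above, sketched as an added example: this is not SEM's rule engine, rule syntax, or event schema. The event tuple layout, the threshold of three distinct paths, and the 60-second window are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample FIM-style events (hypothetical layout, not SEM's schema):
# (timestamp, host, user, action, path)
SAMPLE_EVENTS = [
    # One user saving the same file repeatedly: one path, so no pattern.
    ("2024-05-01T10:00:00", "web01", "alice", "write", r"C:\inetpub\wwwroot\web.config"),
    ("2024-05-01T10:00:05", "web01", "alice", "write", r"C:\inetpub\wwwroot\web.config"),
    ("2024-05-01T10:00:09", "web01", "alice", "write", r"C:\inetpub\wwwroot\WEB.CONFIG"),
    # Three different critical files touched in 20 seconds: a pattern.
    ("2024-05-01T10:05:00", "db01", "svc_backup", "write", r"C:\Windows\System32\drivers\etc\hosts"),
    ("2024-05-01T10:05:10", "db01", "svc_backup", "delete", r"C:\Logs\audit.log"),
    ("2024-05-01T10:05:20", "db01", "svc_backup", "change_permissions", r"C:\App\service.exe"),
    # Three different files, but minutes apart: outside the window.
    ("2024-05-01T11:00:00", "web01", "bob", "write", r"C:\Site\index.html"),
    ("2024-05-01T11:02:00", "web01", "bob", "write", r"C:\Site\about.html"),
    ("2024-05-01T11:04:00", "web01", "bob", "create", r"C:\Site\news.html"),
]

CHANGE_ACTIONS = ("create", "write", "delete", "change_permissions")


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one user on one host changes `threshold` or more
    distinct monitored paths within `window`; single events never alert
    unless threshold is 1."""
    recent = defaultdict(deque)  # (host, user) -> deque of (time, path)
    alerts = []
    for ts_text, host, user, action, path in sorted(events):
        if action not in CHANGE_ACTIONS:
            continue
        ts = datetime.fromisoformat(ts_text)
        queue = recent[(host, user)]
        queue.append((ts, path.lower()))  # Windows paths are case-insensitive
        while ts - queue[0][0] > window:  # drop events older than the window
            queue.popleft()
        paths = {p for _, p in queue}
        if len(paths) >= threshold:
            alerts.append({"host": host, "user": user,
                           "time": ts_text, "paths": sorted(paths)})
            queue.clear()  # one burst produces one alert
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```
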

Features of FIM

  • Monitor access in real time and identify users who change files and registry keys.
  • Configure file and directory logic and registry keys and values to monitor different types of access (create, write, delete, change permissions/metadata).
  • Standardize configurations across many systems.
  • Configure monitoring templates to monitor the basics and create and customize your own monitors.
  • Configure templates for rules, filters, and reports that help you include FIM events.

See: