File Integrity Monitoring (FIM)

File Integrity Monitoring (FIM) allows you to audit changes to critical files and folders for compliance reasons on Windows systems running agent version 2.5.3.8 or later.

When you turn on FIM, the Insight Agent starts collecting FIM events. InsightIDR can then attribute users to file modification activity. You can trigger detections based on certain file log events to notify you when one of your users modifies a critical file or folder.

To take advantage of FIM, complete the steps under Configure FIM below.

Additionally, you can review the FIM Recommendations and Search Logs for FIM Events documentation.

FIM Restrictions

FIM does not track reads or permission changes, nor does it monitor the create, modify, or delete activities of symbolic links or hard links.

You can read about FIM considerations in the FIM Recommendations documentation.

Extensions Monitored

FIM only tracks specific extensions for file event logs when a file is edited, moved, or deleted.

InsightIDR allows you to monitor the following extensions:

  • .bat
  • .cfg
  • .conf
  • .config
  • .dll
  • .exe
  • .ini
  • .sys

You can read about FIM allowed extensions in the FIM Recommendations documentation.

Configure FIM

To configure FIM, you need to meet the Windows requirements, turn FIM on in InsightIDR, and configure auditing on your Windows assets, as described in the following sections.

Windows Requirements

File Integrity Monitoring is only available on Windows systems running agent version 2.5.3.8 or later. You also need Administrator Privileges.

Turn it on in InsightIDR

Before the Insight Agent can collect FIM events, you must turn on the File Integrity Monitoring feature.

To turn on FIM:

  1. From the InsightIDR left menu, click Settings.
  2. Select Insight Agent.
  3. In the File Integrity Monitoring tab, switch the toggle to ON.


Configure FIM in Your Assets in Windows

The FIM configuration instructions were created using the following Windows versions only:

  • Windows Server 2016
  • Windows 10
  • Windows Server 2012 R2
  • Windows Server 2012

Refer to Windows Help for security audit instructions for all other Windows versions.

FIM requires that you change the auditing settings (the SACL) of the folders and files you want to monitor; it does not require changes to their access permissions.

These instructions require Administrator Privileges on a Windows machine.

To configure FIM for Windows, complete the following actions in order so that Windows generates object access audit events for file modifications:

  1. Choose whether to modify the Group Policy Object (GPO) on the Localhost or on an Organization Unit (OU)
  2. Allow security auditing on the folders and files that require monitoring

Not sure which files or folders to monitor?

Check out FIM Recommendations.

Modify the Group Policy Object on the Localhost

You can set the Group Policy Object (GPO) locally on a single machine, or link it to an Organization Unit (OU) in Active Directory so that it applies to all Windows machines in that container. In this example, the instructions configure the local GPO on a single Windows server.

To modify the GPO:

  1. In the Start menu on your machine, search for and open the Group Policy Editor, “gpedit.msc.”
  2. In the “Local Group Policy Editor,” select Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access.
  3. In the right window pane, double-click Audit File System.
  4. In the “Audit File System Properties” dialog, check only the Success checkbox.
  5. Click OK.

Your local Group Policy configuration is now complete.

Modify the GPO on an Organization Unit (OU)

In this example, the instructions will configure the GPO on an OU.

To modify the GPO on an OU:

  1. In the Start menu, open “Administrative Tools,” then double-click Group Policy Management.
  2. In the “Group Policy Management” dialog, select Group Policy Management > Forest > Domains > [Your domain name] > [Your OU].
  3. Right-click the folder called [Your OU] and click the menu option Create a GPO in this domain, and Link it here.
  4. In the New GPO dialog, enter [Your GPO Name].
  5. Click OK.
  6. In the “Group Policy Management” dialog, right-click the newly created policy called [Your GPO Name].
  7. Select the menu option Edit.
  8. In the Group Policy Management Editor dialog, select Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.
  9. In the right window pane, double-click Audit File System.
  10. In the “Audit File System Properties” dialog, check only the Success checkbox.
  11. Click OK.
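Whether you applied the local GPO or the OU-linked GPO above, the setting only matters once it is the effective policy on the host. The following PowerShell, an added example and not code from the Rapid7 page, refreshes policy and then reads the effective "File System" subcategory with auditpol. It assumes an elevated session on an English-language system (auditpol output is localized; the subcategory GUID in the comment is locale independent).

```powershell
# Added example (not part of the Rapid7 page): confirm that the
# "File System" audit subcategory is enabled for Success after the
# local or OU GPO has been applied. Run in an elevated PowerShell session.

# Pull the latest policy so an OU-linked GPO takes effect now rather
# than at the next scheduled refresh.
gpupdate /target:computer /force | Out-Null

function Get-FileSystemAuditSetting {
    # auditpol output is localized; this parse assumes an English system.
    # The locale-independent form of the same query is:
    #   auditpol /get /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}"
    $lines = auditpol /get /subcategory:"File System" 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*File System\s+(.+?)\s*$') {
            return $Matches[1]   # e.g. "Success", "Success and Failure", "No Auditing"
        }
    }
    return $null
}

$setting = Get-FileSystemAuditSetting
if ($setting -and $setting -match 'Success') {
    Write-Host "OK: Audit File System = $setting"
} else {
    Write-Warning "Audit File System is '$setting'; Windows will not log the modification events FIM needs."
    # Fallback for a standalone host with no GPO. Note that a GPO that sets this
    # subcategory overrides a local auditpol change at the next policy refresh.
    # auditpol /set /subcategory:"File System" /success:enable /failure:disable
}
```

If the GPO shows Success in the editor but auditpol reports "No Auditing", check the Resultant Set of Policy (rsop.msc) for a conflicting GPO with higher precedence before touching the host directly.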

Allow Security Audit

After you configure the GPO (locally or on an OU), choose which files and folders you want to monitor for file modification events. Review the FIM Recommendations for information on which files and folders you should monitor.

To allow file monitoring for file modification events:

  1. Open Windows Explorer and browse to the location of the file or folder you want to monitor.
  2. Right-click the file or folder and select Properties at the bottom of the list.
  3. In the “Properties” dialog, select the Security tab.
  4. Click the Advanced button. The “Advanced Security Settings” dialog appears.
  5. Select the Auditing tab.
  6. Click the Add button.
  7. In the “Auditing Entry” dialog, click the Select a principal link. The “Select User, Computer, Service Account, or Group” dialog appears.
  8. Enter “Everyone” in the “Enter the object name” field.
  9. Click the Check Names button. The word “Everyone” is underlined when the name check is successful.
  10. Click the OK button to close the dialog.
  11. In the “Auditing Entry” dialog, click the Show advanced permissions link.
  12. Select the following checkboxes:
    • Create files / write data
    • Create folders / append data
    • Delete subfolders and files
    • Delete
  13. Click the OK button to close the “Auditing Entry” dialog.
  14. Click the OK button in the “Advanced Security Settings” dialog. A progress bar appears as the audit configuration is applied to all the files in the directory.

Security auditing is now enabled on the folder or file, and Windows logs successful modifications to it.
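The same auditing entry can be applied from PowerShell, which is easier to repeat across many folders and to verify. The block below is an added example, not code from the Rapid7 page: it adds the Everyone / Success entry with the four advanced permissions selected in the procedure above, inherited by subfolders and files, then lists the resulting SACL and looks for the Security events the change produces. The folder path is an assumed example; the script must run in an elevated session because reading and writing a SACL requires the Security privilege.

```powershell
# Added example (not part of the Rapid7 page): apply the auditing entry from the
# Explorer procedure with PowerShell, verify it, and observe the resulting events.
# $Path is an assumed example folder; run in an elevated PowerShell session.
$Path = 'C:\ProgramData\CriticalConfig'
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# Everyone by well-known SID (S-1-1-0): locale independent, unlike the name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# The four advanced permissions checked in the "Auditing Entry" dialog:
#   Create files / write data       -> CreateFiles
#   Create folders / append data    -> AppendData
#   Delete subfolders and files     -> DeleteSubdirectoriesAndFiles
#   Delete                          -> Delete
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete'

# ContainerInherit + ObjectInherit = "This folder, subfolders and files".
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$audit     = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $rights, $inherit, $propagate, $audit)

# -Audit is required so that Get-Acl reads the SACL and Set-Acl writes it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# Generate a modification on a monitored extension (.ini) and look for the
# resulting Security event. Audit File System successes are logged as event
# 4663; field positions below follow the 4663 event template
# (Properties[1] = SubjectUserName, Properties[6] = ObjectName).
Set-Content -Path (Join-Path $Path 'app.ini') -Value 'updated'

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$Path*" } |
    Select-Object TimeCreated,
                  @{ n = 'User';   e = { $_.Properties[1].Value } },
                  @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

If the SACL shows the entry but no 4663 events appear, the GPO step has not taken effect on this host (see the auditpol check in the GPO section); the SACL alone does not produce events until the "File System" subcategory is enabled. Also remember that FIM only tracks the listed extensions, so a test file with a different extension will be audited by Windows but not reported by the agent.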

Search for FIM Events

See Search Logs for FIM Events for more information.