File Integrity Monitoring (FIM)

File Integrity Monitoring (FIM) allows you to audit changes to critical files and folders for compliance reasons on Windows systems running agent version 2.5.3.8 or later.

When you turn on FIM, the Insight Agent starts collecting FIM events. InsightIDR can then attribute users to file modification activity. You can trigger detections based on certain file log events to notify you when one of your users modifies a critical file or folder.

To take advantage of FIM:

Additionally, you can review this documentation:

FIM Restrictions

FIM does not track reads or permission changes, nor does it monitor the create, modify, or delete activities of symbolic links or hard links.

You can read about FIM considerations in the FIM Recommendations documentation.

Extensions Monitored

FIM only tracks specific extensions for file event logs when a file is edited, moved, or deleted.

InsightIDR allows you to monitor the following extensions:

  • .bat
  • .cfg
  • .conf
  • .config
  • .dll
  • .exe
  • .ini
  • .sys

You can read about FIM allowed extensions in the FIM Recommendations documentation.

Configure FIM

To configure FIM you will need to:

Windows Requirements

File Integrity Monitoring is only available on Windows systems running agent version 2.5.3.8 or later. You also need Administrator Privileges.

Turn it on in InsightIDR

Before the Insight Agent can collect FIM events, you must turn on the File Integrity Monitoring feature.

To turn on FIM:

  1. From the InsightIDR left menu, click Settings.
  2. Select Insight Agent.
  3. In the File Integrity Monitoring tab, switch the toggle to ON.

Configure FIM in Your Assets in Windows

Are you looking for steps to configure FIM in Linux?

The information in this documentation is for Windows. Review the File Integrity Monitoring for Linux documentation if you are using Linux.

The FIM configuration instructions were created using the following Windows versions only:

  • Windows Server 2016
  • Windows 10
  • Windows Server 2012 R2
  • Windows Server 2012

Refer to Windows Help for security audit instructions for all other Windows versions.

FIM requires that you change the auditing settings (the SACL, not the access permissions) of the folders and files you want to monitor, so that Windows writes an audit event when they are modified.

These instructions require Administrator Privileges on a Windows machine.

To configure FIM for Windows, complete the following actions in order for Windows to generate object access audit events for file modifications:

  1. Choose whether to modify the Group Policy Object (GPO) on the localhost or on an Organizational Unit (OU)
  2. Enable security auditing on the folders and files that require monitoring

Not sure which files or folders to monitor?

Check out FIM Recommendations.

Modify the Group Policy Object on the Localhost

You can set the Group Policy Object (GPO) locally on a single machine, or link it to a domain or an Organizational Unit (OU) in Active Directory so that it applies to every Windows machine in that container. In this example, the instructions configure the local GPO on a single Windows server.

To modify the GPO:

  1. In the Start menu on your machine, search for and open the Local Group Policy Editor (gpedit.msc).
  2. In the Local Group Policy Editor, select Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access.
  3. In the right window pane, double-click Audit File System.
  4. In the Audit File System Properties dialog, select the Configure the following audit events checkbox, then select only the Success checkbox.
  5. Click OK.

Your local Group Policy configuration is now complete. Note that a domain GPO that also configures Audit File System takes precedence over this local setting.

Modify the GPO on an Organizational Unit (OU)

In this example, the instructions configure the GPO on an OU, so the audit policy applies to every computer in that OU.

To modify the GPO on an OU:

  1. In the Start menu, open Administrative Tools, and then select Group Policy Management.
  2. In the Group Policy Management dialog, select Group Policy Management > Forest > Domains > [Your domain name] > [Your OU].
  3. Right-click the folder called [Your OU], and then select Create a GPO in this domain, and Link it here.
  4. In the New GPO dialog, enter [Your GPO Name].
  5. Click OK.
  6. In the Group Policy Management dialog, right-click the newly created policy called [Your GPO Name], and then select Edit.
  7. In the Group Policy Management Editor dialog, select Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.
  8. In the right window pane, double-click Audit File System.
  9. In the Audit File System Properties dialog, select the Configure the following audit events checkbox, then select only the Success checkbox.
  10. Click OK.
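Whether you applied the policy locally or through an OU-linked GPO, verify that it is actually in effect on the host before you go on to configure auditing entries. The following PowerShell is an added check and is not part of the Rapid7 procedure; run it in an elevated session on the monitored machine.

```powershell
# Added check, not part of the Rapid7 procedure: confirm that the "File System"
# subcategory is effectively audited for Success on this host, whether the
# setting came from the local GPO or from an OU-linked GPO. Run elevated.

# Apply the latest computer policy now instead of waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# auditpol reports the *effective* policy, which is what Windows enforces even if
# a domain GPO overrides what you set locally. /r emits CSV, which ConvertFrom-Csv parses.
$fs = auditpol /get /subcategory:"File System" /r |
      Where-Object { $_ -ne '' } |
      ConvertFrom-Csv

$setting = $fs.'Inclusion Setting'
if ($setting -match 'Success') {
    Write-Host "Audit File System is '$setting' - Windows will log 4663 events for audited objects."
} else {
    Write-Warning "Audit File System is '$setting' - no file modification events will be generated. Re-check the GPO link and run 'gpresult /r /scope:computer' to see which GPOs applied."
}

# Advanced (subcategory) audit settings only take precedence over the legacy
# per-category settings when this Security Option is enabled:
#   Audit: Force audit policy subcategory settings (Windows Vista or later) to
#   override audit policy category settings
# It is stored as SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning "Subcategory override is not forced; a legacy 'Audit object access' category setting could override Audit File System."
}
```

If the inclusion setting reads "No Auditing" after a gpupdate, the most common causes are a GPO linked to the wrong OU, a computer object that is not in that OU, or a higher-precedence GPO that sets Audit File System differently.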

Allow Security Audit

After you configure the GPO, locally or on an OU, choose which files and folders you want to monitor for file modification events. Review the FIM Recommendations for information on which files and folders you should monitor.

To allow file monitoring for file modification events:

  1. Open Windows Explorer and browse to the location of the file or folder you want to monitor.
  2. Right-click the file or folder, and select Properties at the bottom of the list.
  3. In the Properties dialog, select the Security tab.
  4. Click the Advanced button. The Advanced Security Settings dialog appears.
  5. Select the Auditing tab.
  6. Click the Add button.
  7. In the Auditing Entry dialog, click the Select a principal link. The Select User, Computer, Service Account, or Group dialog appears.
  8. Enter Everyone in the Enter the object name field.
  9. Click the Check Names button. The word Everyone is underlined when the name check is successful.
  10. Click the OK button to close the dialog.
  11. In the Auditing Entry dialog, leave Type set to Success and, for a folder, leave Applies to set to This folder, subfolders and files. Click the Show advanced permissions link.
  12. Select the following checkboxes:
    • Create files / write data
    • Create folders / append data
    • Delete subfolders and files
    • Delete
  13. Click the OK button to close the Auditing Entry dialog.
  14. Click the OK button in the Advanced Security Settings dialog. A progress bar appears while the audit entry is applied to every file and subfolder under the directory.

Auditing is now enabled for that file or folder.
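The GUI steps above do not scale to many folders or many servers. The following PowerShell applies the same auditing entry (Everyone, Success, the four rights listed above, inherited by subfolders and files) and then confirms that Windows logs a modification. This is an added example, not the Rapid7 page's own procedure; the folder path is an assumed placeholder, and the script must run in an elevated session because writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not part of the Rapid7 procedure: create the same auditing entry
# the GUI steps produce, then verify that a change is logged. Run elevated.
# $Path is an assumed example location; replace it with the folder you monitor.
$Path = 'C:\ProgramData\ExampleApp\conf'

# GUI names -> FileSystemRights flags:
#   Create files / write data       -> CreateFiles (same value as WriteData)
#   Create folders / append data    -> CreateDirectories (same value as AppendData)
#   Delete subfolders and files     -> DeleteSubdirectoriesAndFiles
#   Delete                          -> Delete
$rights = [System.Security.AccessControl.FileSystemRights] `
    'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'

# "This folder, subfolders and files"
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit is required to read the SACL; without it the object carries only the
# DACL and Set-Acl would not write any auditing entries back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm the entry landed with the expected flags.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Trigger a write on a monitored extension (.ini) and look for the resulting
# Security event. With Audit File System (Success) enabled and a matching SACL,
# Windows records event ID 4663 "An attempt was made to access an object".
Set-Content -Path (Join-Path $Path 'fim-probe.ini') -Value 'probe=1'
Start-Sleep -Seconds 2

# 4663 has a fixed property order: index 1 is SubjectUserName, index 6 is ObjectName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-2) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$Path*" } |
    Select-Object TimeCreated,
                  @{ n = 'Account'; e = { $_.Properties[1].Value } },
                  @{ n = 'Object';  e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

If the SACL is present but no 4663 event appears, the audit policy is the usual culprit: the subcategory setting has not applied, or a domain GPO overrides it. An auditing entry for Everyone on a large or busy tree also generates a high volume of Security log events, so scope the entry to the specific configuration and binary folders recommended in FIM Recommendations rather than to whole volumes.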

Search for FIM Events

See Search Logs for FIM Events for more information.