File Integrity Monitoring (FIM) allows you to audit changes to critical files and folders for compliance reasons on Windows systems running agent version 22.214.171.124 or later. When you enable FIM, you can only monitor a specific set of extensions to prevent data collection overload on both the Insight Agent and InsightIDR. Files (such as log files) that are frequently changed by applications or the operating system are “noisy” and make it difficult for InsightIDR to identify an attack because they produce an overabundance of events.
InsightIDR allows you to monitor the following extensions:
InsightIDR will “ignore” any other files you configure for monitoring that do not have one of the allowed extensions. However, you can request that certain file extensions are whitelisted if you determine that they are necessary for your organization.
To request an extension whitelist, contact support.
FIM Shut Off Warning
In the unlikely event that you send too much data with FIM, Rapid7 will contact you to reach an amicable solution. If you do not respond, Rapid7 reserves the right to shutdown FIM transmissions to the Insight platform.
As you monitor more files and folders, CPU usage increases proportionally.
Do not monitor all available file events. Recall that InsightIDR FIM only monitors for the following events, and will ignore all other events from the Insight Agent:
- Create files / write data
- Create folders / append data
- Delete subfolders and files
The intent of FIM is to track and audit file modifications solely on critical business files on critical systems only. Rapid7 recommends not monitoring from C:\ recursively.
Rapid7 recommends monitoring the Windows Microsoft Critical System Files, which include:
- C:\Program Files\Microsoft Security Client\msseces.exe