Search Logs for FIM Events

After you turn on File Integrity Monitoring (FIM) in InsightIDR and configure your Windows machines for file auditing, your assets will send log data to InsightIDR. These file events are then available to you in the File Modification Activity log set in Log Search, which allows you to take full advantage of the File Integrity Monitoring (FIM) feature.

For example, FIM can help you:

  • Track down which asset is sending too much data.
  • Discover what process is taking up too much CPU.
  • Find out which user account edited a file.
  • Respond quickly to issues with Basic Detection Rules (formerly known as custom alerts).

Depending on your needs, use one of the following queries as a starting point for monitoring your environment.

Read about the components for building a query or view other Example Queries to help you create custom queries.

FIM Events Per Asset

This log search query shows all of the FIM events happening on your Windows assets with the results grouped by asset. The query is:

    where(asset_os_family=windows) groupby(asset)

FIM Events by File Name

This log search query shows all of the FIM events happening on your Windows assets with the results grouped by file name. The query is:

    where(asset_os_family=windows) groupby(file_name) limit(100)

FIM Events by Event Type

This log search query shows all of the FIM events happening on your Windows assets with the results grouped by file event type. The query is:

    where(asset_os_family=windows) groupby(file_event)

FIM Events from a Single File by User

This log search query shows which users modified one specified file, with the results grouped by user. The query is:

    where(asset_os_family=windows AND file_name=<file name>) groupby(user)

FIM Events of a Single File in One Day

This log search query shows the volume of daily events for a single file. The query is:

    where(asset_os_family=windows AND file_name=<file name>) calculate(COUNT) timeslice(1440m)

Processes on an Asset by Hostname

This log search query shows all of the processes occurring on a single Windows asset, with the results grouped by process. The query is:

    where(asset_os_family=windows AND asset=<asset name>) groupby(process)
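
To show what the six queries above actually compute, here is an added Python example that applies the same where / groupby / calculate(COUNT) timeslice logic to a small constructed set of FIM-style events. This is example code written for this page, not Rapid7 or InsightIDR code, and it does not talk to the Log Search API; the field names follow the queries on the page, but the event record shape, the sample assets, users, processes and timestamps are all assumptions. It also runs the daily timeslice on a second file to show how an event just before midnight UTC and one just after land in different buckets.

```python
"""Offline emulation of the File Modification Activity queries on this page.

Added example, not Rapid7 or InsightIDR code. The events below are
constructed; the record shape (one dict per FIM event, using the field
names the page's queries reference) is an assumption.
"""
from collections import Counter
from datetime import datetime, timezone

LEDGER = "C:\\Finance\\ledger.xlsx"
HOSTS = "C:\\Windows\\System32\\drivers\\etc\\hosts"

# Constructed sample FIM events. Timestamps are UTC, ISO 8601.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T08:15:00Z", "asset_os_family": "windows", "asset": "fs01",
     "file_name": LEDGER, "file_event": "modify", "user": "alice", "process": "EXCEL.EXE"},
    {"timestamp": "2024-03-01T09:40:00Z", "asset_os_family": "windows", "asset": "fs01",
     "file_name": LEDGER, "file_event": "write", "user": "bob", "process": "EXCEL.EXE"},
    {"timestamp": "2024-03-01T23:55:00Z", "asset_os_family": "windows", "asset": "ws07",
     "file_name": HOSTS, "file_event": "write", "user": "SYSTEM", "process": "svchost.exe"},
    {"timestamp": "2024-03-02T00:05:00Z", "asset_os_family": "windows", "asset": "ws07",
     "file_name": HOSTS, "file_event": "modify", "user": "eve", "process": "notepad.exe"},
    {"timestamp": "2024-03-02T10:00:00Z", "asset_os_family": "windows", "asset": "fs01",
     "file_name": LEDGER, "file_event": "delete", "user": "alice", "process": "explorer.exe"},
    {"timestamp": "2024-03-02T11:30:00Z", "asset_os_family": "windows", "asset": "fs01",
     "file_name": "C:\\Finance\\budget.docx", "file_event": "modify", "user": "bob", "process": "WINWORD.EXE"},
    # A non-Windows event: every query on the page drops it via asset_os_family=windows.
    {"timestamp": "2024-03-02T12:00:00Z", "asset_os_family": "linux", "asset": "lnx01",
     "file_name": "/etc/passwd", "file_event": "modify", "user": "root", "process": "vim"},
]


def where(events, **conditions):
    """where(a=x AND b=y): keep events whose fields equal every given value."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in conditions.items())]


def groupby(events, field, limit=None):
    """groupby(field) [limit(n)]: count per distinct value, largest first (ties by name)."""
    counts = Counter(ev[field] for ev in events)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:limit] if limit else ordered


def timeslice(events, minutes):
    """calculate(COUNT) timeslice(Nm): events per fixed-width UTC bucket, keyed by bucket start."""
    width = minutes * 60
    buckets = Counter()
    for ev in events:
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        start = int(ts.timestamp()) // width * width  # floor to the bucket boundary
        buckets[datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")] += 1
    return dict(sorted(buckets.items()))


def run_page_queries(events=SAMPLE_EVENTS):
    """Run the page's six queries (plus the daily count for a second file) over the sample."""
    win = where(events, asset_os_family="windows")
    return {
        "per_asset": groupby(win, "asset"),
        "by_file_name": groupby(win, "file_name", limit=100),
        "by_event_type": groupby(win, "file_event"),
        "single_file_by_user": groupby(where(win, file_name=LEDGER), "user"),
        "single_file_per_day": timeslice(where(win, file_name=LEDGER), 1440),
        "hosts_per_day": timeslice(where(win, file_name=HOSTS), 1440),
        "processes_on_asset": groupby(where(win, asset="fs01"), "process"),
    }


if __name__ == "__main__":
    for name, result in run_page_queries().items():
        print(f"{name}: {result}")
```

The 1440m timeslice is aligned to UTC midnight, so the two hosts-file writes at 23:55 and 00:05 count as one event on each day rather than two on one; keep that boundary in mind when a daily count looks lower than expected.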

Differences Between FIM and FAAM

Configuring File Integrity Monitoring (FIM) is not the same as configuring File Access Activity Monitoring (FAAM). While FAAM has a similar configuration process using the native Microsoft auditing tools, that is the only similarity they share.

  Feature                       | File Integrity Monitoring (FIM)        | File Access Activity Monitoring (FAAM)
  ------------------------------|----------------------------------------|---------------------------------------
  Individual File/Folder Audit  | Yes                                    | No
  Microsoft Native Auditing     | Yes                                    | Yes
  Event ID Collected            | Event ID 4663                          | Event ID 5145
  Events Monitored              | Modify, write, and delete events only  | All access events
  Log Set Name                  | File Modification Activity             | File Access Activity