Search Logs for FIM Events
After you turn on File Integrity Monitoring (FIM) in InsightIDR and configure your Windows machines for file auditing, your assets will send log data to InsightIDR. These file events are then available to you in the File Modification Activity log set in Log Search, which allows you to take full advantage of the File Integrity Monitoring (FIM) feature.
For example, FIM can help you:
- Track down which asset is sending too much data.
- Discover what process is taking up too much CPU.
- Find out which user account edited a file.
- Respond quickly to issues with Basic Detection Rules(formerly known as custom alerts).
Depending on your needs, create a log search query using one of the following queries to help you monitor your environment:
- FIM events per asset
- FIM events by file name
- FIM events from a single file, grouped by user
- FIM Events of a Single File in One Day
- FIM Processes on an asset, grouped by hostname
Read about the components for building a query or view other Example Queries to help you create custom queries.
FIM Events Per Asset
This log search query shows all of the FIM events happening on your Windows assets with the results grouped by asset. The query is: where(asset_os_family=windows) groupby(asset)
FIM Events by File Name
This log search query shows all of the FIM events happening on your Windows assets with the results grouped by file name. The query is: where(asset_os_family=windows) groupby(file_name) limit(100)
FIM Events by Event Type
This log search query shows all of the FIM events happening on your Windows assets with the results grouped by file event type. The query is: where(asset_os_family=windows) groupby(file_event)
FIM Events from a Single File by User
This log search query shows the users who modified only a single file. The query is:
where(asset_os_family=windows AND file_name=<file name>) groupby(user)
FIM Events of a Single File in One Day
This log search query shows the volume of daily events for a single file. The query is:
where(asset_os_family=windows AND file_name=<file name>) calculate(COUNT) timeslice(1440m)
Processes on an Asset by Hostname
This log search query shows all of the processes occurring on a single Windows asset. The query is:
where(asset_os_family=windows AND asset=<asset name>) groupby(process)
Differences Between FIM and FAAM
Configuring File Integrity Monitoring (FIM) is not the same as configuring File Access Activity Monitoring (FAAM). While FAAM has a similar configuration process using the native Microsoft auditing tools, that is the only similarity they share.
File Integrity Monitoring (FIM) | File Access Activity Monitoring (FAAM) | |
|---|---|---|
Individual File/Folder Audit | Yes | No |
Microsoft Native Auditing | Yes | Yes |
Event ID Collected | Event ID 4663 | Event ID 5145 |
Events Monitored | Modify, write, and delete events only. | All access events |
Log Set Name | File Modification Activity | File Access Activity |