Search Logs for FIM Events

After you turn on File Integrity Monitoring (FIM) in InsightIDR and configure your Windows machines for file auditing, your assets will send log data to InsightIDR. These file events are then available to you in the File Modification Activity log set in Log Search, which allows you to take full advantage of the File Integrity Monitoring (FIM) feature.

For example, FIM can help you:

  • Track down which asset is sending too much data.
  • Discover what process is taking up too much CPU.
  • Find out which user account edited a file.
  • Respond quickly to issues with Basic Detection Rules (formerly known as custom alerts).

Depending on your needs, use one of the following log search queries as a starting point for monitoring your environment:

Read about the components for building a query or view other Example Queries to help you create custom queries.

FIM Events Per Asset

This log search query shows all of the FIM events happening on your Windows assets with the results grouped by asset. The query is: where(asset_os_family=windows) groupby(asset)

FIM Events by File Name

This log search query shows all of the FIM events happening on your Windows assets with the results grouped by file name. The query is: where(asset_os_family=windows) groupby(file_name) limit(100)

FIM Events by Event Type

This log search query shows all of the FIM events happening on your Windows assets with the results grouped by file event type. The query is: where(asset_os_family=windows) groupby(file_event)

FIM Events from a Single File by User

This log search query shows which users modified one specific file, with the results grouped by user. The query is: where(asset_os_family=windows AND file_name=<file name>) groupby(user)

FIM Events of a Single File in One Day

This log search query shows the volume of events for a single file per day (timeslice(1440m) groups the count into 24-hour buckets). The query is: where(asset_os_family=windows AND file_name=<file name>) calculate(COUNT) timeslice(1440m)

Processes on an Asset by Hostname

This log search query shows all of the processes occurring on a single Windows asset. The query is: where(asset_os_family=windows AND asset=<asset name>) groupby(process)
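The queries above are InsightIDR log search queries; the following added example (not Rapid7's code) applies the same where/groupby/timeslice logic to a few constructed FIM events so you can check what each query would return before turning it into a Basic Detection Rule. The field names come from the queries above; the timestamp field, asset names, file paths and users are assumed sample values.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample FIM events (not real InsightIDR output). Field names follow
# the queries above; one Linux event is included to show that the
# where(asset_os_family=windows) filter drops it.
SAMPLE_LOG = r"""
{"timestamp":"2024-03-01T08:15:00Z","asset_os_family":"windows","asset":"fs01","file_name":"C:\\Payroll\\salaries.xlsx","file_event":"modify","user":"alice","process":"excel.exe"}
{"timestamp":"2024-03-01T09:02:00Z","asset_os_family":"windows","asset":"fs01","file_name":"C:\\Payroll\\salaries.xlsx","file_event":"write","user":"bob","process":"excel.exe"}
{"timestamp":"2024-03-01T17:40:00Z","asset_os_family":"windows","asset":"fs01","file_name":"C:\\Payroll\\salaries.xlsx","file_event":"delete","user":"bob","process":"cmd.exe"}
{"timestamp":"2024-03-02T10:05:00Z","asset_os_family":"windows","asset":"ws07","file_name":"C:\\Users\\carol\\notes.txt","file_event":"modify","user":"carol","process":"notepad.exe"}
{"timestamp":"2024-03-02T11:00:00Z","asset_os_family":"linux","asset":"web01","file_name":"/etc/passwd","file_event":"modify","user":"root","process":"vi"}
{"timestamp":"2024-03-02T11:30:00Z","asset_os_family":"windows","asset":"fs01","file_name":"C:\\Payroll\\salaries.xlsx","file_event":"modify","user":"alice","process":"excel.exe"}
"""

def parse_events(text):
    """Parse JSON-lines log text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def where(events, **conditions):
    """Mirror of the where(...) clause: keep events matching every key=value."""
    return [e for e in events if all(e.get(k) == v for k, v in conditions.items())]

def groupby(events, field):
    """Mirror of groupby(<field>): event count per distinct value of the field."""
    return dict(Counter(e[field] for e in events))

def fim_events_per_asset(events):
    # where(asset_os_family=windows) groupby(asset)
    return groupby(where(events, asset_os_family="windows"), "asset")

def users_for_file(events, file_name):
    # where(asset_os_family=windows AND file_name=<file name>) groupby(user)
    return groupby(where(events, asset_os_family="windows", file_name=file_name), "user")

def processes_on_asset(events, asset):
    # where(asset_os_family=windows AND asset=<asset name>) groupby(process)
    return groupby(where(events, asset_os_family="windows", asset=asset), "process")

def daily_counts(events, file_name):
    # where(...) calculate(COUNT) timeslice(1440m): one bucket per UTC day
    counts = Counter()
    for e in where(events, asset_os_family="windows", file_name=file_name):
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        counts[ts.astimezone(timezone.utc).date().isoformat()] += 1
    return dict(counts)

EVENTS = parse_events(SAMPLE_LOG)
```

Running daily_counts(EVENTS, "C:\\Payroll\\salaries.xlsx") returns {"2024-03-01": 3, "2024-03-02": 1}, the same buckets the timeslice(1440m) query produces for that file.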

Differences Between FIM and FAAM

Configuring File Integrity Monitoring (FIM) is not the same as configuring File Access Activity Monitoring (FAAM). While FAAM has a similar configuration process using the native Microsoft auditing tools, that is the only similarity they share.

                               File Integrity Monitoring (FIM)          File Access Activity Monitoring (FAAM)
Individual File/Folder Audit   Yes                                      No
Microsoft Native Auditing      Yes                                      Yes
Event ID Collected             Event ID 4663                            Event ID 5145
Events Monitored               Modify, write, and delete events only    All access events
Log Set Name                   File Modification Activity               File Access Activity