File and Registry Integrity Monitoring
FIM rules are not persistent. This means that once an asset restarts, the rules will be gone. The recommended way of managing rule application is to use Detection & Response rules in a similar way to managing events sent to the cloud.
A sample D&R rule is available here.
Note that instead of using the fim_add and fim_del commands directly, it is recommended to use the Integrity extension available through the web UI and REST interface.
fim_add
Add a file or registry path pattern to monitor for modifications.
Platforms:
(see this for notes on Linux support)
Response Event:
FIM_ADD
Patterns include basic wildcards:
- ? matches exactly one character
- + matches at least one character
- * matches any number of characters
- \ is the escape character
Note that the pattern is not a string literal, therefore "" needs to be escaped by one more level than usual.
So for example, you could monitor these two patterns:
- ?:\*\Programs\Startup\*
- \REGISTRY\*\Microsoft\Windows\CurrentVersion\Run*
Which would result in the following command: fim_add --pattern "?:\*\Programs\Startup\*" --pattern "\REGISTRY\*\Microsoft\Windows\CurrentVersion\Run*"
Usage:
usage: fim_add [-h] --pattern PATTERNS
optional arguments:
--pattern PATTERNS file path or registry path pattern to monitor
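Before pushing patterns to sensors it is useful to check which paths they would actually cover, since a pattern that is too broad floods the FIM_HIT stream and one that is too narrow misses the persistence location it was written for. The matcher below is an added example written for this page; it is not LimaCharlie code and the sensor's own matcher may differ in details. It implements the four wildcard rules listed above and makes three assumptions the page does not state: wildcards match across path separators (the page's own Startup example needs `*` to span several directory levels), matching is case-insensitive, and, because `\` is the escape character, a literal backslash is written as `\\` (this editor's reading of the "one more level" note). The sample patterns and paths are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Added example (not LimaCharlie code): a matcher for the fim_add pattern
# syntax described on this page, used to preview which paths a set of
# patterns would put under monitoring.
#
# Assumptions not stated on the page:
#   * wildcards match across path separators;
#   * matching is case-insensitive (Windows paths and registry keys are);
#   * '\' escapes the next character, so a literal backslash is written '\\'.


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one fim_add pattern into an anchored regular expression."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a dangling escape character")
            # The escaped character is taken literally, wildcard or not.
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "?":
            parts.append(".")        # exactly one character
        elif c == "+":
            parts.append(".+")       # at least one character
        elif c == "*":
            parts.append(".*")       # any number of characters
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def first_matching_pattern(patterns: List[str], path: str) -> Optional[str]:
    """Return the first pattern that covers `path`, or None if it is unmonitored."""
    for p in patterns:
        if pattern_to_regex(p).match(path):
            return p
    return None


def coverage(patterns: List[str], paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each candidate path to the pattern that would monitor it (or None)."""
    return {path: first_matching_pattern(patterns, path) for path in paths}


def fim_add_command(patterns: List[str]) -> str:
    """Render the fim_add command line in the form shown on this page."""
    return "fim_add " + " ".join(f'--pattern "{p}"' for p in patterns)


# Constructed sample: the two Windows patterns from the page (backslashes
# doubled per the escaping assumption above) plus one Linux path pattern.
SAMPLE_PATTERNS = [
    r"?:\\*\\Programs\\Startup\\*",
    r"\\REGISTRY\\*\\Microsoft\\Windows\\CurrentVersion\\Run*",
    r"/etc/cron.d/+",
]

# Constructed sample paths: three that should be covered, two that should not.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc",
    "/etc/cron.d/backup",
    r"C:\Users\alice\Documents\notes.txt",
    "/etc/cron.d/",  # '+' requires at least one character after the directory
]

if __name__ == "__main__":
    print(fim_add_command(SAMPLE_PATTERNS))
    for path, hit in coverage(SAMPLE_PATTERNS, SAMPLE_PATHS).items():
        print(f"{'monitored  ' if hit else 'unmonitored'} {path}")
```

Running the script prints the assembled fim_add command followed by one line per sample path; the `/etc/cron.d/` entry shows the practical difference between `+` and `*` (a trailing `+` does not match the directory itself, a trailing `*` would).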
fim_del
Remove a pattern from monitoring.
Platforms:
(see this for notes on Linux support)
Response Event:
FIM_DEL
Usage:
usage: fim_del [-h] --pattern PATTERNS
optional arguments:
--pattern PATTERNS file path or registry path pattern to stop monitoring
fim_get
Get the list of the current monitored pattern(s).
Platforms:
(see this for notes on Linux support)
Response Event:
FIM_LIST_REP
Usage:
usage: fim_get [-h]