File and Registry Integrity Monitoring
- Updated on 13 Feb 2024
FIM rules are not persistent: once an asset restarts, its rules are gone. The recommended way to manage rule application is to use Detection & Response (D&R) rules, in the same way that events sent to the cloud are managed.
A sample D&R rule is available here.
Note that instead of using the fim_add and fim_del commands directly, it is recommended to use the Integrity extension available through the web UI and REST interface.
fim_add
Add a file or registry path pattern to monitor for modifications.
Platforms: (see this for notes on Linux support)
Response Event: FIM_ADD
Patterns include basic wildcards:
- ? matches exactly one character
- + matches at least one character
- * matches any number of characters
- \ is the escape character
Note that the pattern is not a string literal, therefore the escape character "\" needs to be escaped by one more level than usual.
So for example, you could use the patterns:
?:\*\Programs\Startup\*
\REGISTRY\*\Microsoft\Windows\CurrentVersion\Run*
which would result in: fim_add --pattern "?:\*\Programs\Startup\*" --pattern "\REGISTRY\*\Microsoft\Windows\CurrentVersion\Run*"
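Because FIM rules do not survive a restart, the patterns above are best re-applied automatically. The following D&R rule is an added example, not the sample rule linked from this page: it assumes a CONNECTED event is emitted when a sensor checks in, and uses the task response action to send the fim_add command built above to every Windows sensor.

```yaml
# Added example D&R rule (assumed event name and structure, not the page's sample rule).
# Re-applies the Startup-folder and Run-key FIM patterns each time a Windows sensor
# connects, so monitoring resumes after a reboot without manual intervention.
detect:
  event: CONNECTED        # assumed: fires on every sensor check-in, including after restart
  op: is windows          # the registry pattern only makes sense on Windows assets
respond:
  - action: task
    # Plain (unquoted) YAML scalar: backslashes and quotes reach the sensor verbatim,
    # avoiding the extra escaping a double-quoted YAML string would require.
    command: fim_add --pattern "?:\*\Programs\Startup\*" --pattern "\REGISTRY\*\Microsoft\Windows\CurrentVersion\Run*"
```

After the rule is deployed, issuing fim_get on a freshly restarted sensor should return a FIM_LIST_REP event listing both patterns; an empty list indicates the rule did not match or the task was not delivered.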
Usage:
usage: fim_add [-h] --pattern PATTERNS
optional arguments:
--pattern PATTERNS file path or registry path pattern to monitor
fim_del
Remove a pattern from monitoring.
Platforms: (see this for notes on Linux support)
Response Event: FIM_DEL
usage: fim_del [-h] --pattern PATTERNS
optional arguments:
--pattern PATTERNS file path or registry path pattern to stop monitoring
fim_get
Get the list of the current monitored pattern(s).
Platforms: (see this for notes on Linux support)
Response Event: FIM_LIST_REP
usage: fim_get [-h]