File Integrity Monitoring - Monitoring changes to files and folders


File Integrity Monitoring is a feature that helps you monitor all changes (addition/deletion/modification) to your Windows system files and folders. You can generate and schedule reports that give you precise details on the integrity of your files. You can also trigger alerts in real-time when changes are made to specific files or folders, by setting up alert profiles.

 

Requisites for file monitoring

 

Configuring File Integrity Monitoring

To configure File Integrity Monitoring, go to

  • Home tab > File Monitoring > Actions: Add (above the Monitoring list), or
  • Settings tab > Configurations: File Monitoring > Add

     

  1. If you want to monitor files/folders in a location that is the same across various devices, you can save the location as a template and assign it to a number of devices.

  2. In the 'Assign device' field, you can either select the device from the auto-complete list or type the device name whose files/folders are to be monitored. You can select/enter multiple devices only if the files/folders are in the same location across all the devices.

  3. In the 'Location(s)/File(s)' field, type the location (absolute path) of the files/folders that need to be monitored. Alternatively, you can import a text file that contains the location by clicking on the Import button. Select Enable Settings if you wish to additionally track which users make changes to the files and folders you are monitoring.

  4. 'Exclude' gives you the option to exclude certain sub-folders (contained in the folder you have specified above) from monitoring. Specify their location in this field.

  5. Save the configuration by clicking on 'Save Monitoring'.

Note: 
1. If an agent is already installed in the device whose files you want to monitor, file monitoring will automatically be enabled in the agent. 

2. For versions prior to Build #8050, if you are already using an agent for log collection, it will be uninstalled and a version 8050 agent will be installed.

3. If no agent is installed in the device for which you want to monitor the files, then an agent will be installed and file monitoring will be enabled in the agent.

 

Importing Text File

Importing Locations - FIM

  1. Browse for and select the text file that contains the location of the files/folders that are to be monitored.

  2. Click on Import to import the text file.
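
A pre-import check for the locations file and the 'Exclude' entries described above, as an added example that is not part of the EventLog Analyzer product or its documentation. It assumes the text file holds one location per line (the page does not describe the file layout), and the function names are hypothetical. It rejects entries that are not absolute Windows paths and confirms that each exclusion lies inside a monitored folder.

```python
from pathlib import PureWindowsPath

# Constructed sample of an import file; one location per line is an assumption,
# the page does not document the file layout.
SAMPLE_IMPORT = r"""
C:\Windows\System32\drivers\etc
c:\windows\system32\drivers\etc\
C:temp
..\relative\path
D:\Finance\Payroll
"""

def parse_locations(text):
    """Split a locations list into (accepted, rejected) path strings."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip().strip('"')
        if not line:
            continue
        path = PureWindowsPath(line)
        # Absolute means drive (or UNC share) plus root: "C:temp" and "\temp" fail.
        # ".." segments are refused because they defeat the containment check below.
        if not path.is_absolute() or ".." in path.parts:
            rejected.append(line)
        elif path not in accepted:  # PureWindowsPath compares case-insensitively
            accepted.append(path)
    return [str(p) for p in accepted], rejected

def match_excludes(locations, excludes):
    """Map each exclude entry to the monitored folder that contains it, else None."""
    monitored = [PureWindowsPath(loc) for loc in locations]
    result = {}
    for entry in excludes:
        path = PureWindowsPath(entry)
        # A valid exclusion is strictly below a monitored folder, never equal to it.
        owner = next((m for m in monitored if m in path.parents), None)
        result[entry] = str(owner) if owner is not None else None
    return result

if __name__ == "__main__":
    ok, bad = parse_locations(SAMPLE_IMPORT)
    print("import:", ok)
    print("fix before import:", bad)
    print(match_excludes(ok, [r"D:\Finance\Payroll\Archive", r"E:\Scratch"]))
```

An exclude entry that maps to None is not covered by any monitored location and would have no effect.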

 

Enable Settings

 

Enabling Username via Object Access is a resource-intensive process.

 

 

 

File Integrity Monitoring Dashboard

Once you have configured devices for monitoring, you can access the File Integrity Monitoring dashboard which is a section of the Home tab in EventLog Analyzer.

FIM Dashboard

  1. This graph presents an overview of all changes made to the added files and folders.

  2. This table displays the changes made on each device.

With the +Add Alert option, you can trigger an alert whenever changes occur to the files and folders added. 

Generating and Scheduling Reports for File Monitoring

To generate file monitoring reports, click on a device that has the files/folders for which you need the report. This will open up the File monitoring Report page.

Upon clicking on any particular device, you can view the corresponding File Integrity Monitoring Report which has a graph and table displaying changes made to individual files/folders.

  1. The File Integrity Monitoring report of a particular device can be exported in PDF/CSV format by clicking on this icon.
  2. In the Criteria section you have the Location Filter and Save Report options.
       1. Location Filter allows you to filter the location of the files/folders that are being monitored on that device.
       2. You can save the report and schedule it at regular intervals:
            1. Provide the name for the report and the location where the report is to be saved.
            2. For scheduling the report at regular intervals:
Note:
>> You can change the working and non-working hour settings in the Settings panel.
>> Before redistributing the report through email, ensure an email server is configured.

 

  3. The graphical dashboard gives you the Event Count corresponding to the Change type. You can drill down to raw logs from this graph.
  4. The FIM Reports table gives you detailed information on changes in the file(s)/folder(s). It gives you the file location, user who made the change, change type (file creation, file deletion, modification, rename) and the time of change. You can drill down to raw logs from this table.

Setting up an alert for File Integrity Monitoring

With EventLog Analyzer, you can trigger an alert when any changes occur to the files/folders being monitored.

FIM-Alert

  1. Provide a unique name for your alert profile.

  2. Choose the criticality level from High, Medium and Low for the alert profile.

  3. A File Integrity Monitoring alert can only be set up for a device where file integrity monitoring has been configured. Only those devices will be available for selection in the 'Select Device/Group' field. You can select the Windows device group as a whole to configure the alert for all the devices added for monitoring. You can also select individual devices as per your requirement.

  4. You can trigger the alert for any creation, deletion, modification or rename in the files/folders added for monitoring. The Location(s) field narrows down your alerting criteria. Instead of generating alerts for changes in the entire file/folder, you can specify that the alert is to be triggered for changes in any sub-files/sub-folders of the location specified in this field.

Note: When you have set up the alert for multiple devices, ensure that the location of the file/folder you specified exists and is the same for all the devices.

  5. The triggered alert can be sent via Email or SMS. You can also remediate the alert condition by running a script using the Run Program option. Before setting up the alert notification, you need to configure the Email and SMS settings.

Click on the Add Alert Profile button to save the alert profile.
