InsightIDR

File Integrity Monitoring

File Integrity Monitoring (FIM) allows you to audit changes to critical files and folders for compliance reasons.

FIM only tracks file event logs when a file is edited, moved, or deleted. See FIM Recommendations for specific file extensions you can monitor.

FIM does not track reads or permission changes, nor does it monitor the create, modify, or delete activities of symbolic links or hard links.

When you enable FIM, InsightIDR communicates with the Insight Agent to directly attribute users to file modification activity. You can create alerts based on certain file log events to notify you when one of your users modifies a critical file or folder.

To take advantage of FIM, check the requirements below, turn on the feature in InsightIDR, and then configure Windows auditing on the assets you want to monitor.

Requirements

You must be using Insight Agent Version 2.3.0.14 or newer.

The FIM configuration instructions were created using the following Windows versions only:

  • Windows Server 2016
  • Windows 10
  • Windows Server 2012 R2
  • Windows Server 2012

Please refer to Windows Help for security audit instructions for all other Windows versions.

Turn on FIM in InsightIDR

Before you enable your assets to send log events to InsightIDR, you must turn on the FIM feature.

To turn on FIM:

  1. Navigate to InsightIDR.
  2. Select Settings on the lefthand navigation menu.
  3. Select File Integrity Monitoring from the list of options.
  4. Toggle on the Enable button.

Configure File Integrity Monitoring

FIM requires that you make certain changes to the access permissions of the folders and files you want to monitor. At this time, FIM is only available for Windows machines.

These instructions require Administrator Privileges on a Windows machine.

To configure FIM for Windows, complete the following actions so that Windows generates object-access audit events for file modifications:

  1. Modify the Group Policy Object (GPO) on the Localhost
  2. Modify the GPO on an Organization Unit (OU)
  3. Enable security auditing on the folders and files that require monitoring

Not sure which files or folders to monitor? See FIM Recommendations.

Modify the Group Policy Object on the Localhost

You can set the Group Policy Object (GPO) on a domain, or on an Organization Unit (OU) in an Active Directory container so that it applies to all Windows machines within it. In this example, the instructions configure the GPO on a single Windows server.

To modify the GPO:

  1. In the Start menu, search for and open the Group Policy Editor, “gpedit.msc.”
  2. In the “Local Group Policy Editor,” select Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access.
  3. In the right window pane, double-click Audit File System.
  4. In the “Audit File System Properties” dialog, check only the Success checkbox.
  5. Click OK.

Your local Group Policy configuration is now complete.

Modify the GPO on an Organization Unit (OU)

In this example, the instructions will configure the GPO on an OU.

To modify the GPO on an OU:

  1. In the Start menu, open “Administrative Tools,” then double-click Group Policy Management.
  2. In the “Group Policy Management” dialog, select Group Policy Management > Forest > Domains > [Your domain name] > [Your OU].
  3. Right-click the folder called [Your OU]. Click the menu option Create a GPO in this domain, and Link it here.
  4. In the New GPO dialog, enter [Your GPO Name].
  5. Click OK.
  6. In the “Group Policy Management” dialog, right-click the newly created policy called [Your GPO Name].
  7. Select the menu option Edit.
  8. In the Group Policy Management Editor dialog, select Computer Configuration > Policies > Windows Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.
  9. In the right window pane, double-click Audit File System.
  10. In the “Audit File System Properties” dialog, check only the Success checkbox.
  11. Click OK.

Enable Security Audit

After you configure the GPO and OU, choose which files and folders you want to monitor for file modification events. Review the following recommendations for files and folders you should monitor: FIM Recommendations.

To enable file monitoring for file modification events:

  1. Open Windows Explorer and browse to the location of the file or folder you want to monitor.
  2. Right-click the file or folder and select Properties at the bottom of the list.
  3. In the “Properties” dialog, select the Security tab.
  4. Click the Advanced button. The “Advanced Security Settings” dialog appears.
  5. Select the Auditing tab.
  6. Click the Add button.
  7. In the “Auditing Entry” dialog, click the Select a principal link. The “Select User, Computer, Service Account, or Group” dialog appears.
  8. Enter “Everyone” in the “Enter the object name” field.
  9. Click the Check Names button. The word “Everyone” is underlined when the name check is successful.
  10. Click the OK button to close the dialog.
  11. In the “Auditing Entry” dialog, click the Show advanced permissions link.
  12. Check the following checkboxes:
     • Create files / write data
     • Create folders / append data
     • Delete subfolders and files
     • Delete
  13. Click the OK button to close the “Auditing Entry” dialog.
  14. Click the OK button in the “Advanced Security Settings” dialog. A progress bar appears as the audit configuration is applied to all the files in the directory.

Your security audit is now enabled.
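The same configuration can be applied and verified from an elevated PowerShell prompt, which is useful when you have many folders to cover or want to confirm what the GUI steps produced. This is an added example, not part of the InsightIDR documentation or the Insight Agent; the folder path is an assumed placeholder, and on a domain-joined machine the GPO configured above takes precedence over the local auditpol setting.

```powershell
# Added example (not from the InsightIDR docs). Run from an elevated prompt;
# modifying a SACL requires Administrator privileges (SeSecurityPrivilege).

# 1. Local equivalent of the GPO step: Success-only auditing for the
#    "File System" subcategory under Object Access.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable

# 2. Add the Everyone audit entry with the same four rights the walkthrough
#    checks, inherited by subfolders and files.
$Folder  = 'C:\CriticalData'   # assumed example path; replace with your folder
$Rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $Rights,
    $Inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$Acl = Get-Acl -Path $Folder -Audit   # -Audit is required to read/write the SACL
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# 3. Verify: the subcategory should report Success, and the folder's SACL
#    should contain the Everyone entry with inheritance enabled.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $Folder -Audit).Audit |
    Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-List IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

After the SACL is in place, creating, renaming, or deleting a file under the folder should produce a Windows Security event that the Insight Agent forwards to InsightIDR as a FIM event.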

Search for FIM Events

See Search Logs for FIM Events for more information.