InsightIDR

FIM Recommendations

When you enable File Integrity Monitoring, you can only monitor a specific set of extensions to prevent data collection overload on both the Insight Agent and InsightIDR. Files (such as log files) that are frequently changed by applications or the operating system are “noisy” and make it difficult for InsightIDR to identify an attack because they produce an overabundance of events.

InsightIDR allows you to monitor the following extensions:

  • .bat
  • .cfg
  • .conf
  • .config
  • .dll
  • .exe
  • .ini
  • .sys

InsightIDR will “ignore” any other files you configure for monitoring that do not have one of the allowed extensions. However, you can request that certain file extensions are whitelisted if you determine that they are necessary for your organization.

To request an extension whitelist, contact support.

FIM Shut Off Warning

In the unlikely event that you send too much data with FIM, Rapid7 will contact you to reach an amicable solution. If you do not respond, Rapid7 reserves the right to shutdown FIM transmissions to the Insight platform.

FIM Considerations

As you monitor more files and folders, CPU usage increases proportionally.

Do not monitor all available file events. Recall that InsightIDR FIM only monitors for the following events, and will ignore all other events from the Insight Agent:

  • Create files / write data
  • Create folders / append data
  • Delete subfolders and files
  • Delete

Monitoring Recommendations

The intent of FIM is to track and audit file modifications solely on critical business files on critical systems only. Rapid7 recommends not monitoring from C:\ recursively.

Rapid7 recommends monitoring the Windows Microsoft Critical System Files, which include:

  • C:\autoexec.bat
  • C:\boot.ini
  • C:\config.sys
  • C:\Program Files\Microsoft Security Client\msseces.exe
  • C:\Windows\explorer.exe
  • C:\Windows\regedit.exe
  • C:\Windows\system.ini
  • C:\Windows\System32\userinit.exe
  • C:\Windows\win.ini

FIM Recommendations


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.