Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Topics Discussed

Table of Contents
maxLevel4
minLevel3

Product Overview

...

The File Integrity Monitoring (FIM) service provides collection, analysis, and notification of changes to critical operating system files, as defined by Armor's FIM policy. Armor utilizes an enterprise-class FIM application and deploys the application agent with the Armor Agent. Armor is responsible for the configuration of the FIM services via remote agent. Configuration includes the application and maintenance of the policies associated with the service. Configuration specific to the local Host or network/environment to enable the service is a Customer responsibility. Armor is responsible for the administration of the FIM service through the Armor Agent. For the purposes of this section, "administration" is defined as the management of licenses and the application used to provide the service and the administration of the underlying FIM platform.

...

Info

You can also manage the Trend sub-agent in the Armor Toolbox.

Recommendation Scans

...

One of the features available in Agent 3.0 is Recommendation scans. Recommendation scans provide a good starting point for establishing a list of rules that you should implement. During a recommendation scan, the Armor Agent scans the operating system for installed applications, the Windows registry, open ports, and more. To take advantage of Recommendation scans, turn on Ongoing Recommendation scans in the Toolbox.

Info

Recommendation Scans work in tandem with the Auto-Apply configuration for FIM. The results of the Recommendation Scan can only be applied when Auto-Apply for the FIM service is turned on.

...

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click File Integrity Monitoring.

Column

Description

Name

For Armor's private cloud, the name of the virtual machine you created in AMP.

For Armor Anywhere, the name of the instance that contains the installed Anywhere agent, which includes the FIM sub-agent.

Provider

For Armor's private cloud, the entry will display Armor.

For Armor Anywhere, the name of the public cloud provider for the instance.

Status

The health status of the sub-agent, which is based on how long the FIM sub-agent has been offline.

There are three status types:

  • Secured (in green)

  • Warning (in yellow)

  • Critical (in red)

Connectivity

The connection status of the sub-agent.

There are three connection types:

  • Online indicates that the sub-agent is online.

  • Offline indicates that the sub-agent is currently offline.

  • Needs Attention indicates that the sub-agent has not communicated with Armor.

Timestamp

The date and time that the FIM sub-agent last communicated with Armor.

Info

To learn how the overall FIM status is determined, see Understand FIM data.

...

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click File Integrity Monitoring.

  3. Locate and select the desired virtual machine.

Column

Description

Filename

The name of the file where a change was detected.

Description

A short summary of the change that took place.

Change Type

The type of change that took place in the file.

Scan Date

The date when the change was detected.


Export FIM Data

...

To export the data:

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click File Integrity Monitoring.

  3. (Optional) Use the filter function to customize the data displayed.

  4. Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).

    Function

FUNCTION

...

DATA DISPLAYED

...

NOTES

CSV

VM Name, VM Provider, IP Address, OS, FIM Agent Status Fixed, FIM Agent Version, FIM Last Communication Date

A blank entry indicates that the action has never taken place.

Info

Troubleshooting

Armor troubleshoots servers that contain File Integrity Monitoring sub-components in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

  1. In the Armor Management Portal (AMP), click Support, and then click Tickets.

  2. Click Create a Ticket.

  3. Select or search for the desired category for your ticket request type.

  4. Complete the missing fields.

    1. In Description, enter useful details that can help Armor quickly troubleshoot the problem.

  5. Click Create.

  6. To view the status of your ticket, in the left-side navigation, click Support, and then click Tickets.

...

An example of FIM logs can be seen below:

...

For a full list of Log Search fields and descriptions, please visit our glossary here.

Frequently Asked Questions

...

What kind of activity does File Integrity Monitoring look for?

Changes to critical OS file sand processes such as directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host, and unusual process and port activity and system incompatibilities.

What happens with events that are detected by File Integrity Monitoring?

Events are analyzed and correlated with event data from your other devices under Armor management through our threat prevention and response platform, delivering enhanced detection of potential threats across your cloud, on-premise, hybrid, and hosted environments.

Topics Discussed

...