...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
The File Integrity Monitoring (FIM) service provides collection, Topics Discussed
Table of Contents | ||||
---|---|---|---|---|
|
Product Overview
...
The File Integrity Monitoring (FIM) service provides collection, analysis, and notification of changes to critical operating system files, as defined by Armor's FIM policy. Armor utilizes an enterprise-class FIM application and deploys the application agent with the Armor Agent. Armor is responsible for the configuration of the FIM services via remote agent. Configuration includes the application and maintenance of the policies associated with the service. Configuration specific to the local Host or network/environment to enable the service is a Customer responsibility. Armor is responsible for the administration of the FIM service through the Armor Agent. For the purposes of this section, "administration" is defined as the management of licenses and the application used to provide the service and the administration of the underlying FIM platform. Multimedia
...
When traditional firewalls or intrusion detection systems (IDS) fail to prevent or detect a threat, monitoring operating system (OS) and application changes at the host level provides an additional layer of detection for indicators of compromise (IOC) or a breach of your environment. Security teams are largely in the dark to an attacker's presence, activities, and movements without monitoring processes and applications at the host level. Armor FIM watches your hosts 24/7/365 for anomalous and unauthorized activities to detect potential threats. It monitors critical system file locations on your hosts as well as critical OS files for changes that may allow threat actors to control your environment.
...
Note |
---|
To fully use this screen, you must add the following permission to your account:
|
...
|
Enable Trend Sub-Agent
...
As a prerequisite to installing File Integrity Monitoring, you must install the Trend sub-agent. Use the following commands to manage the Trend sub-agent.
...
Info |
---|
You can also manage the Trend sub-agent in the Armor Toolbox. |
Recommendation Scans
...
One of the features available in Agent 3.0 is Recommendation scans. Recommendation scans provide a good starting point for establishing a list of rules that you should implement. During a recommendation scan, the Armor Agent scans the operating system for installed applications, the Windows registry, open ports, and more. To take advantage of Recommendation scans, turn on Ongoing Recommendation scans in the Toolbox.
Info |
---|
Recommendation Scans work in tandem with the Auto-Apply configuration for FIM. The results of the Recommendation Scan can only be applied when Auto-Apply for the FIM service is turned on. |
The commands below can be scheduled as tasks within the Armor Toolbox.
Install Trend Sub-Agent:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend install Linux: /opt/armor/armor trend install |
Uninstall Trend Sub-Agent:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend uninstall Linux: /opt/armor/armor trend uninstall |
Trend Sub-Agent Status:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 |
true | Windows: C:\.armor\opt\armor.exe trend status Linux: /opt/armor/armor trend status |
Turn On Recommended Scans:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Turn On Recommended Scans:
Code Block |
---|
Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan on Linux: /opt/armor/armor trend ongoing-recommendation-scan on |
Turn Off Recommended Scans:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan off Linux: /opt/armor/armor trend ongoing-recommendation-scan off |
Schedule a Recommended Scan (Runs on Next Trend Sub-Agent Heartbeat):
Code Block | |
---|---|
theme | Midnight |
firstline | 1 |
true | Windows: C:\.armor\opt\armor.exe trend recommendation-scan Linux: /opt/armor/armor trend recommendation-scan |
Set Recommendation Scan Interval:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend set-recommendation-scan-interval <interval> Linux: /opt/armor/armor set-recommendation-scan-interval <interval> |
Info |
---|
|
Get Recommendation Scan Interval:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend get-recommendation-scan-interval Linux: /opt/armor/armor trend get-recommendation-scan-interval |
Trend Sub-Agent Help
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend help Linux: /opt/armor/armor trend help |
Restart Trend:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe trend service-restart
Linux: /opt/armor/armor trend service-restart |
...
service-restart |
Enable File Integrity Monitoring Service
...
Use the following commands to manage the File Integrity Monitoring service. These commands can be scheduled as tasks within the Armor Toolbox.
Turn On File Integrity Monitoring:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 |
true | Windows: C:\.armor\opt\armor.exe fim on Linux: /opt/armor/armor fim on Optional Parameters Windows: C:\.armor\opt\armor.exe fim on auto-apply-recommendations=on Linux: /opt/armor/armor fim on auto-apply-recommendations=on Windows: C:\.armor\opt\armor.exe fim on auto-apply-recommendations=off Linux: /opt/armor/armor fim on auto-apply-recommendations=off |
...
Turn Off File Integrity Monitoring:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim off Linux: /opt/armor/armor fim off |
...
File Integrity Monitoring Status:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim status Linux: /opt/armor/armor fim status |
...
List of Assigned FIM Rules on Policy:
...
theme | Midnight |
---|---|
firstline | 1 |
linenumbers | true |
Policy:
Code Block |
---|
Windows: C:\.armor\opt\armor.exe fim list-assigned-rules Linux: /opt/armor/armor fim list-assigned-rules |
...
Assign FIM Rules:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim assign-rules ID Linux: /opt/armor/armor fim assign-rules ID |
...
Un-Assign FIM Rule:
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim unassign-rule ID Linux: /opt/armor/armor fim unassign-rule ID |
...
File Integrity Monitoring Help
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim help
Linux: /opt/armor/armor fim help |
Add Custom Filepath Rule
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | truehelp |
Add Custom Filepath Rule
Code Block |
---|
Windows: C:\.armor\opt\armor.exe fim add-custom-filepath-rule "<name>,<filepath>,<description>" Linux: /opt/armor/armor fim add-custom-filepath-rule "<name>,<filepath>,<description>" |
Info |
---|
Once a rule is added, you must run the Assign FIM Rules command in order for the rule to be applied. |
Update Custom Filepath Rule
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim update-custom-filepath-rule "<id>,<name>,<filepath>,<description>" Linux: /opt/armor/armor fim update-custom-filepath-rule "<id>,<name>,<filepath>,<description>" |
...
Delete Custom Filepath Rule
Code Block | |
---|---|
theme | Midnight |
firstline | 1 |
true | Windows: C:\.armor\opt\armor.exe fim delete-custom-filepath-rule "<id>" Linux: /opt/armor/armor fim delete-custom-filepath-rule "<id>" |
...
Get Custom Filepath Rule
Code Block | |
---|---|
theme | Midnight |
firstline | 1 | linenumbers | true
Windows: C:\.armor\opt\armor.exe fim get-custom-filepath-rule "<id>"
Linux: /opt/armor/armor fim get-custom-filepath-rule "<id>" |
...
" |
View FIM Data
...
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click File Integrity Monitoring.
Column | Description |
---|---|
Name | For Armor |
Enterprise Cloud, the name of the virtual machine you created in AMP. For Armor Anywhere, the name of the instance that contains the installed Anywhere agent, which includes the FIM sub-agent. | |
Provider | For Armor |
Enterprise Cloud, the entry will display Armor. For Armor Anywhere, the name of the public cloud provider for the instance. | |
Status | The health status of the sub-agent, which is based on how long the FIM sub-agent has been offline. There are three status types:
|
Connectivity | The connection status of the sub-agent. There are three connection types:
|
Timestamp | The date and time that the FIM sub-agent |
The date and time that the FIM sub-agent last communicated with Armor.
Info |
---|
To learn how the overall FIM status is determined, see Understand FIM data. |
...
last communicated with Armor. |
Info |
---|
To learn how the overall FIM status is determined, see Understand FIM data. |
Understand FIM Data
...
In the File Integrity Monitoring screen, the dashboard displays the various FIM statuses of your virtual machines (or hosts):
Green indicates a virtual machine in a Secured FIM status.
Yellow indicates a virtual machine in a Warning FIM status.
Red indicates a virtual machine in a Critical FIM status.
Armor determines the status of FIM based on how long FIM has been offline.
If FIM is offline for 2 to 7 days, then the FIM status changes from Secured to Warning.
If FIM is offline for 8 days or more, then the FIM status changes from Warning to Critical.
Length of offline status | Security Status |
---|---|
2 to 7 days | Warning |
8 days or more | Critical |
Note |
---|
The overall status of your virtual machine is based on the individual status of your virtual machine's subcomponents, including FIM. |
View Detailed FIM Data
...
The File Integrity Monitoring detailsscreen displays the changes that has been detected in certain files in your virtual machine. This screen only shows data for the last 90 days.
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click File Integrity Monitoring.
Locate and select the desired virtual machine.
...
Column | Description |
---|---|
Filename | The name of the file where a change was detected. |
Description | A short summary of the change that took place. |
Change Type | The type of change that took place in the file. |
Scan Date | The date when the change was |
...
detected. |
Export FIM Data
...
To export the data:
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click File Integrity Monitoring.
(Optional) Use the filter function to customize the data displayed.
Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set).
...
FUNCTION |
---|
...
DATA DISPLAYED |
---|
...
NOTES | ||
---|---|---|
CSV | VM Name, VM Provider, IP Address, OS, FIM Agent Status Fixed, FIM Agent Version, FIM Last Communication Date | A blank entry indicates that the action has never taken place. |
...
Info | |
---|---|
Anchor | |
Troubleshoot FIM | Troubleshooting
...
Log Search for File Integrity Monitoring
...
Users can search for FIM events in Log Search. For instructions on how to access and use Log Search, please see our documentation here.
An example of FIM logs can be seen below:
...
For a full list of Log Search fields and descriptions, please visit our glossary here.
Frequently Asked Questions
...
What kind of activity does File Integrity Monitoring look for? | Changes to critical OS file sand processes such as directories, registry keys, and values. It also watches for changes to application files, rogue applications running on the host, and unusual process and port activity and system incompatibilities. |
What happens with events that are detected by File Integrity Monitoring? | Events are analyzed and correlated with event data from your other devices under Armor management through our threat prevention and response platform, delivering enhanced detection of potential threats across your cloud, on-premise, hybrid, and hosted environments. |
...
Topics Discussed
...