Overview of File Integrity Monitoring (FIM)


Threat Stack offers File Integrity Monitoring (FIM) as part of the Host Intrusion Detection feature.

FIM provides continuous security monitoring and helps you achieve:

  • Integrated near real-time monitoring of any changes to critical files or directories on all business-critical systems with a very low footprint
  • Notifications and alerts for any file modification events and access events (for example, open, copy, move, create, view and modify)
  • Rich, context-based audit trail with system state context for reducing false positives while maintaining complex compliance requirements
  • Alerting rules for differentiated alerting and notification mechanisms based on the severity of the event, asset value and the context of the event

Base Rule Set Review

Threat Stack provides a library of predefined File Monitoring rules within the Base Rule Set for the most common use cases. The Base Rule Set includes:

  1. File: Configuration File Changes
  2. File: System File Changes
  3. File: Secret File Opens

The “File: Configuration File Changes” rule monitors changes to your system’s configuration files, specifically the /etc/ directory.

The “File: System File Changes” rule monitors changes to your system-specific files. By default it monitors changes in the following directories:

  • /usr/sbin/
  • /bin/
  • /sbin/
  • /lib/

The “File: Secret File Opens” rule monitors directories identified as important. By default, Threat Stack sets this rule to monitor one directory: “/home/ubuntu/.aws/”. You can add any important directories to this rule to enable monitoring.

To learn how to add a new directory to the “File: Secret File Opens” rule, see the ‘Useful Workflows & Processes’ section below.

IMPORTANT: The “File: Configuration File Changes” and the “File: System File Changes” rules monitor “Modify” events. The “File: Secret File Opens” rule monitors “Open” events.

Useful Workflows & Processes

You can modify the rule sets Threat Stack provides or create additional Rule Sets that are specific to your environments. Rules can monitor multiple files or directories, or only a single critical file such as an application configuration (.conf) file.

Workflows and topics that you might find useful include:

These workflows are not unique to FIM, but you can apply the logic and workflow in the RULESETS page.

Add a New Directory to “File: Secret File Opens”

Follow these instructions to add new directories to the “File: Secret File Opens” rule within Threat Stack.

NOTE: Threat Stack indicates FIM rules using a File icon.

1) Within the RULESETS tab, go to the Base Rule Set section.

2) Select the Show More link.


Result: The Base Rule Set section expands to display additional rules.

3) Select File: Secret File Opens.

Result: The File: Secret File Opens information displays on the right side.

4) Scroll to the File Paths to Monitor section.

5) Select the Add another path button.

Result: A new path field displays.

6) Enter the path to monitor.

7) Optional: Check the box indicating you want to monitor it recursively.

NOTE: If you enable recursive monitoring, Threat Stack monitors changes in that specific directory and all of the subdirectories within it.

8) Save your new path by selecting the Update Rule Paths button.

Result: You created a new path for Threat Stack to monitor!
