File Integrity Monitoring Troubleshooting Suggestions

If you set up FIM and you can’t see events that trigger alerts in Threat Stack, consider these troubleshooting suggestions or contact support.

  1. Ensure server is assigned to rule set
  2. Confirm specific rule is enabled
  3. Confirm the rule is monitoring the expected directory and event type
  4. Ensure no suppression is preventing the alert from firing
  5. Verify the rule reached the agent
  6. Verify FIM events are appearing on the Events page (Investigate plan only)

Is the Rule Set Applied to the Server?

To confirm that the rule set containing your FIM rule is applied to the server (and therefore that Threat Stack can monitor the correct directory):

1) Navigate to the SERVERS page.
2) Select the server.
3) Verify the correct rule set displays in the Rulesets column.

Server details including Base Rule Set

Confirm the Rule is Enabled

Navigate to the rule set and ensure the rule is enabled.

1) Navigate to the RULESETS page.

NOTE: You can also accomplish this by clicking the Rule Set button on the SERVERS page.

Rulesets Page

2) Select the [xxxx] rule set.

NOTE: We are showing the Base Rule Set for this example. You can apply this procedure to other rule sets as well.

3) Click the Show More link.

Base Rule Set - Show More link
Result: An extended list of rules displays.
4) Select a [rule].

Select rule, example Files: Secret File Opens
Result: [rule] details display.
5) Confirm that you have the rule enabled.

Confirm rule is enabled
NOTE: Disabled rules display grayed out and at the bottom of the rule set they belong in.

Disabled rules grayed out

Confirm the Rule is Monitoring the Expected Directory and Event Type

To inspect the rule and confirm that it monitors the expected directory and event type(s):

NOTE: Steps 1-4 are not pictured because they are the same as steps 1-4 in "Confirm the Rule is Enabled".

1) Navigate to the RULESETS page.
2) Select the [xxxx] rule set.
NOTE: We are showing the Base Rule Set for this example. You can apply this procedure to other rule sets as well.
3) Click the Show More link.
Result: An extended list of rules displays.
4) Select a [rule].
Result: [rule] details display.
5) Scroll to the File Paths to Monitor section and confirm that the rule monitors the expected directory and event type(s).

Confirm File Paths

Confirm No Suppressions Block Alerts from Firing

There could be a suppression that blocks the alert from displaying the event. To confirm that you do not have a suppression blocking an alert, follow these steps:

NOTE: Steps 1-4 are not pictured because they are the same as steps 1-4 in "Confirm the Rule is Enabled".

1) Navigate to the RULESETS page.
2) Select the [xxxx] rule set.
NOTE: We are showing the Base Rule Set for this example. You can apply this procedure to other rule sets as well.
3) Click the Show More link.
Result: An extended list of rules displays.
4) Select a [rule].
Result: [rule] opens and displays on the right side of the page.
5) Scroll to the Suppression section. Review the related suppressions and confirm none of them block your ability to produce an alert.

Rule Set suppressions

Verify that the Rule Reached the Agent

  1. Connect to your instance.
  2. Navigate to the "/opt/threatstack/etc/" directory.
  3. Open the "tsfim.config.json" file.
  4. Within this file, under the watchers key, find the directories key.
    • Its value should be a list of the monitored directories.
  5. Confirm that your directory appears in this monitored list.
    • NOTE: If you choose to monitor an individual file instead of, or in addition to, a directory, it appears in the files key instead of the directories key.

Example

The rule "Files: Secret File Opens" has Threat Stack monitor the "/fintesting/" and "/home/ubuntu/.aws/" directories. Threat Stack does not monitor any individual files because the rule does not call for it.

Verify that the Rule Reached Agent
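The manual check above (open tsfim.config.json, find the directories and files lists, look for your path) is easy to get wrong by eye when a rule watches many directories or when the path you care about is a file inside a monitored directory. The script below is an added example written for this page, not Threat Stack's own tooling. It assumes the file has a top-level "watchers" key whose entries carry "directories" and "files" lists, as the procedure describes; the exact nesting of "watchers" is an assumption, so the loader accepts either a single watcher object or a list of them. The embedded sample config is constructed to mirror the "Files: Secret File Opens" example (two directories, no individual files).

```python
"""Check whether a path is covered by the FIM watcher config the agent received.

Added example for this troubleshooting page; not Threat Stack code. The
"watchers" -> "directories"/"files" layout follows the page's description;
whether "watchers" is an object or a list is an assumption, so both are handled.
"""
import json
import posixpath
import sys
from typing import List, Tuple

# Path the page tells you to inspect on the instance.
TSFIM_CONFIG_PATH = "/opt/threatstack/etc/tsfim.config.json"

# Constructed sample mirroring the page's example: the rule watches two
# directories and no individual files.
SAMPLE_CONFIG = """
{
  "watchers": [
    {
      "directories": ["/fintesting/", "/home/ubuntu/.aws/"],
      "files": []
    }
  ]
}
"""


def load_watchers(text: str) -> List[dict]:
    """Parse the config text and return the watcher entries as a list."""
    cfg = json.loads(text)
    watchers = cfg.get("watchers", [])
    if isinstance(watchers, dict):  # tolerate a single watcher object
        watchers = [watchers]
    return list(watchers)


def monitored_paths(watchers: List[dict]) -> Tuple[List[str], List[str]]:
    """Collect every monitored directory and individual file across all watchers."""
    dirs: List[str] = []
    files: List[str] = []
    for w in watchers:
        dirs.extend(w.get("directories", []))
        files.extend(w.get("files", []))
    return dirs, files


def _norm(path: str) -> str:
    # Strip trailing slashes and "." segments so "/fintesting/" == "/fintesting".
    return posixpath.normpath(path)


def coverage(path: str, watchers: List[dict]) -> str:
    """Return "file", "directory" or "none" describing how `path` is monitored.

    A path counts as covered by a directory only when it is that directory or
    lies strictly beneath it; "/home/ubuntu/.aws-old" must not match
    "/home/ubuntu/.aws", so the prefix test is done on whole path segments.
    """
    dirs, files = monitored_paths(watchers)
    target = _norm(path)
    if target in {_norm(f) for f in files}:
        return "file"
    for d in dirs:
        d_norm = _norm(d)
        if target == d_norm or target.startswith(d_norm.rstrip("/") + "/"):
            return "directory"
    return "none"


def main(argv: List[str]) -> int:
    # Usage: python check_fim_cfg.py /some/path [path/to/tsfim.config.json]
    if len(argv) < 2:
        print(f"usage: {argv[0]} PATH [CONFIG]", file=sys.stderr)
        return 2
    cfg_path = argv[2] if len(argv) > 2 else TSFIM_CONFIG_PATH
    try:
        with open(cfg_path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        print(f"{cfg_path} not readable; using embedded sample config", file=sys.stderr)
        text = SAMPLE_CONFIG
    watchers = load_watchers(text)
    dirs, files = monitored_paths(watchers)
    print("monitored directories:", dirs)
    print("monitored files:      ", files)
    print(f"{argv[1]} -> {coverage(argv[1], watchers)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the instance with the path you expect the rule to cover; "none" means the rule did not reach the agent with that path, so go back to the rule's File Paths to Monitor section. If the real config is not readable the script falls back to the embedded sample so the logic can be exercised anywhere.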

Investigate Plan Only - Confirm that Events Generate and they are Searchable in Threat Stack

In the Investigate plan, you can confirm that FIM events are being generated and are searchable in Threat Stack.

NOTE: The EVENTS page only displays if you have the Investigate plan.

1) Navigate to the EVENTS page.

Events page
2) In the Search field, enter event_type="file".

NOTE: The value "file" refers to a FIM event in Threat Stack.

Event search field

3) Click the Date & Time button.

Date Range button

Result: The Date & Time popup displays.

4) Click the Quick Jump link and select the appropriate time period.

Quick Jump URL

5) Select the time period.
IMPORTANT: Selecting the time period triggers the search in Threat Stack.

select time range
Result: Matching file events display, unless none exist for the selected time period.
6) Confirm that file events display.
NOTE: Events display unless none exist or there is a misspelling in the search query.

View search results
