File Integrity Monitoring Troubleshooting Suggestions

If you have configured File Integrity Monitoring (FIM) but are unable to view events that trigger alerts in Threat Stack, consider these troubleshooting suggestions or contact support.

  1. Ensure your server is assigned a ruleset.
  2. Confirm the specific rule is enabled.
  3. Confirm the rule is monitoring the expected directory and event type.
  4. Ensure no suppression is preventing the alert from triggering.
  5. Verify the rule reached the Agent.
  6. Verify FIM events are appearing on the Events page.
  7. Ensure the server does not run CentOS or RHEL 6 (see the RHEL 6 and CentOS specific FAQ).

Is the Ruleset Applied to the Server?

You can ensure Threat Stack is monitoring the right server.

  1. In the left navigation pane, click the Servers tab.
  2. Select the server from the list.
  3. Verify the correct ruleset displays in the Summary pane.

[Screenshot: Servers page]

Note

In this example, a Base Rule Set was assigned to the server named "instance-1".

Confirm the Rule is Enabled

Navigate to the ruleset and ensure the rule is enabled.

  1. In the left navigation pane, click the Rules tab.
    [Screenshot: Rulesets page]

    Note

    You can also navigate to the ruleset from the Servers page.

  2. Select a ruleset from the list.

    [Screenshot: Base Rule Set selected]

    Note

    In this example, the Base Rule Set was selected.

  3. Click the Show More link to display additional rules.

    [Screenshot: Show More link]

  4. Select a rule from the list.

    [Screenshot: additional rule selected]

    Note

    In this example, the Files: Secret File Opens rule is selected.

  5. Confirm the rule is enabled.

    [Screenshot: rule shown as enabled]

    Note

    Disabled rules will be grayed out and listed at the bottom of the ruleset they belong to.

Confirm the Rule is Monitoring the Expected Directory and Event Type

You can inspect the rule and confirm the rule monitors the expected directory and event type(s).

  1. In the left navigation pane, click the Rules tab.

    [Screenshot: Rulesets page]

    Note

    You can also navigate to the ruleset from the Servers page.

  2. Select a ruleset from the list.

    [Screenshot: Base Rule Set selected]

    Note

    In this example, the Base Rule Set was selected.

  3. Click the Show More link to display additional rules.

    [Screenshot: Show More link]

  4. Select a rule from the list.

    [Screenshot: additional rule selected]

    Note

    In this example, the Files: Secret File Opens rule is selected.

  5. Click the File Paths link.

    [Screenshot: File Paths link]

  6. In the right view pane, the File Paths to Monitor screen is displayed. Confirm the rule is monitoring the expected directory and event type(s) by reviewing the File Integrity Paths field and the Events To Monitor field.

    [Screenshot: File Paths to Monitor pane]

Confirm No Suppressions are Preventing Alerts from Triggering

There could be a suppression preventing an alert from displaying an event. You can confirm whether a suppression is enabled within a rule.

  1. In the left navigation pane, click the Rules tab.

    [Screenshot: Rulesets page]

    Note

    You can also navigate to the ruleset from the Servers page.

  2. Select a ruleset from the list.

    [Screenshot: Base Rule Set selected]

    Note

    In this example, the Base Rule Set was selected.

  3. Click the Show More link to display additional rules.

    [Screenshot: Show More link]

  4. Select a rule from the list.

    [Screenshot: additional rule selected]

    Note

    In this example, the Files: Secret File Opens rule is selected.

  5. Click the Suppressions link.

    [Screenshot: Suppressions link]

  6. In the right view pane, the Suppressions screen is displayed. Review the related suppressions and confirm none of them match the event you expect to alert on.

    [Screenshot: Suppressions pane]

Confirm the Rule Reached the Agent

  1. Connect to your instance.
  2. Navigate to the following directory: /opt/threatstack/etc/.
  3. Open the tsfim.config.json file.
  4. Within this file, under the watchers key, find the directories key.
    • Its value should be a list of the monitored directories.
  5. Confirm your directory appears in this monitored list.

    Note

    If you choose to monitor an individual file instead of, or in addition to, a directory, it appears in the files key rather than the directories key.

Example

The "Files: Secret File Opens" rule has Threat Stack monitor the "/fimtesting/" and "/home/ubuntu/.aws/" directories. Threat Stack does not monitor any individual files because the rule does not specify any.

[Screenshot: verifying the rule reached the Agent]
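If you would rather script this check than read the JSON by eye, the following added example (not code from Threat Stack or from this article) loads a watcher configuration and reports whether a given path falls under a monitored directory or is listed as an individual file. The article only names the watchers, directories and files keys, so the exact nesting in the constructed sample below is an assumption, and the script accepts watchers as either a single object or a list.

```python
"""Check whether a path is covered by the FIM watcher configuration the
Agent actually received.  Added example; the tsfim.config.json layout is
assumed from the article, which only names the watchers, directories and
files keys."""
import json
import os
import sys
from typing import Dict, List

# Constructed sample of /opt/threatstack/etc/tsfim.config.json mirroring the
# article's example rule: two directories and no individual files.  The
# nesting is an assumption, not the Agent's real schema.
SAMPLE_CONFIG = """
{
  "watchers": [
    {
      "rule": "Files: Secret File Opens",
      "directories": ["/fimtesting/", "/home/ubuntu/.aws/"],
      "files": []
    }
  ]
}
"""

DEFAULT_CONFIG_PATH = "/opt/threatstack/etc/tsfim.config.json"


def load_watchers(config_text: str) -> List[dict]:
    """Return the watcher entries, accepting either one object or a list."""
    watchers = json.loads(config_text).get("watchers", [])
    if isinstance(watchers, dict):
        watchers = [watchers]
    return watchers


def monitored_paths(config_text: str) -> Dict[str, List[str]]:
    """Collect every directory and individual file the Agent will watch."""
    dirs: List[str] = []
    files: List[str] = []
    for watcher in load_watchers(config_text):
        dirs.extend(watcher.get("directories", []))
        files.extend(watcher.get("files", []))
    return {"directories": dirs, "files": files}


def _norm(path: str) -> str:
    # Strip trailing slashes so "/fimtesting/" and "/fimtesting" compare equal.
    return os.path.normpath(path)


def is_monitored(config_text: str, path: str) -> bool:
    """True if path is a watched file or lies under a watched directory."""
    paths = monitored_paths(config_text)
    target = _norm(path)
    if target in {_norm(f) for f in paths["files"]}:
        return True
    for directory in paths["directories"]:
        directory = _norm(directory)
        # Require a separator after the directory so "/fimtesting" does not
        # accidentally match a sibling such as "/fimtestingX".
        if target == directory or target.startswith(directory + os.sep):
            return True
    return False


def check_file(path: str, config_path: str = DEFAULT_CONFIG_PATH) -> bool:
    """Read the Agent's config from disk and check a single path."""
    with open(config_path, encoding="utf-8") as fh:
        return is_monitored(fh.read(), path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/ubuntu/.aws/credentials"
    try:
        covered = check_file(target)
    except FileNotFoundError:
        # No Agent on this host: fall back to the constructed sample.
        covered = is_monitored(SAMPLE_CONFIG, target)
    print(f"{target}: {'monitored' if covered else 'NOT monitored'}")
```

Run it on the instance as `python3 check_fim.py /path/you/expect/to/alert/on`; a "NOT monitored" result means the rule never reached the Agent (or points at a different path), which is a different fix from a suppression or a disabled rule.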

Confirm Events are Generated and Searchable in Threat Stack

You can confirm whether the right events are searchable in the Threat Stack Cloud Security Platform® (CSP).

  1. In the left navigation pane, click the Events tab. All raw events are displayed.

    [Screenshot: Events page]

  2. In the Search field, enter the following:
    event_type = "file"

    [Screenshot: event_type search]

    Note

    The "file" event type denotes a FIM event in the Threat Stack CSP.

  3. Click the Date and Time drop-down menu.

    [Screenshot: Date and Time drop-down]

  4. The date and time dialog displays. Click the Quick Jump link.

    [Screenshot: Quick Jump link]

  5. Select your desired time period from the available options.

    [Screenshot: Quick Jump time options]

    Note

    Selecting the time period triggers the search in Threat Stack.

  6. A list of events is displayed.

    [Screenshot: event search results]

    Note

    If no search results display, check your search criteria for misspellings or select a different time frame.
