Capabilities of File Integrity Monitoring


Example Commands and Alerts

Testing your rules allows you to verify that your system is configured properly in Threat Stack.

Threat Stack can monitor the following file actions:

  • Creation
  • Opening
  • Modification
  • Closing
  • Deletion

How do I test the FIM rules?

You can test FIM by performing the actions above (examples below) on files within monitored directories. If you need help understanding which directories Threat Stack monitors, refer to this document.

NOTE: This is a limited list of commands to give you an idea of ways to test FIM within Threat Stack.

Each entry below gives the command line, an explanation, and the example event types it generates.

vi [filename]
    Opens the file with the vi text editor.
    Event types: 'access', 'open', and 'close'

echo [text] >> [filename]
    Appends text to the end of the file. (A single '>' truncates and overwrites the file instead; both redirections produce the same event types.)
    Event types: 'modify', 'close', 'write', and 'open'

wget [URL]
    Downloads a file from the internet into the current directory.
    Event types: 'modify', 'open', 'close', and 'write'

curl -O [URL]
    Downloads a file from the internet into the current directory. (-O saves it under the remote file name; without -O or -o, curl writes to stdout and creates no file.)
    Event types: 'modify', 'open', 'close', and 'write'

scp outsidehost:/file secretfile
    Copies a file from an outside host to your system.
    Event types: 'open', 'modify', 'close', and 'write'

scp secretfile outsidehost:/file
    Copies a file from your system to an outside host. The local file is only read, so no 'write' or 'modify' event is generated.
    Event types: 'open', 'access', and 'close'

Example

Running the “vi” command to trigger an event and alert.

  1. Choose a file that should be monitored within Threat Stack
  2. Navigate to that file’s directory
  3. Type ‘vi [filename]’
  4. Result: File opens in vi
  5. To exit vi enter “:q”

NOTE: FIM events can take up to a minute to display within the Threat Stack system.
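The table and the vi walkthrough above exercise one action at a time. The script below, added here as an example and not part of Threat Stack's own tooling, runs through every listed action (create, open, modify, close, delete) on a single scratch file inside a directory you name, and writes a UTC-timestamped log line for each step so you can match log entries against alerts in the ALERTS tab. Assumptions: the first argument is a directory Threat Stack monitors, the log path in the second argument lies outside that directory, and the network commands from the table (wget, curl, scp) are stood in for by local cp so the script runs offline.

```sh
#!/bin/sh
# Exercise the FIM-monitored file actions on one scratch file and log each
# step with a UTC timestamp. Added example, not Threat Stack tooling.
# Assumes: $1 is a monitored directory; $2 is a log file outside it.

fim_log() {
    # One line per action: "<UTC timestamp> <action> <path>". The log lives in
    # $FIM_LOG, outside the monitored tree, so writing it creates no FIM events.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$FIM_LOG"
}

fim_exercise() {
    dir=$1
    FIM_LOG=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    f="$dir/fim-test-$$"        # unique name, easy to search for in alert details
    out=$(mktemp)               # stand-in for the "outside host": a path outside $dir
    printf 'payload from outside\n' >"$out"

    fim_log "create   $f"; : >"$f"                    # new empty file: open, close
    fim_log "open     $f"; cat "$f" >/dev/null        # read only, like vi then :q -> access, open, close
    fim_log "append   $f"; echo "fim test $$" >>"$f"  # >> appends -> open, write, modify, close
    fim_log "truncate $f"; echo "replaced" >"$f"      # >  truncates and rewrites: same event types as append
    fim_log "copy-in  $f"; cp "$out" "$f.copy"        # like scp outsidehost:/file, wget, curl: file written in $dir
    fim_log "copy-out $f"; cp "$f" "$out"             # like scp secretfile outsidehost:/file: local file only read
    fim_log "delete   $f"; rm -f "$f" "$f.copy"       # delete events for both files

    rm -f "$out"
    printf 'Done. Search the ALERTS tab (Sev 3) for fim-test-%s; events can take up to a minute to appear.\n' "$$"
}

# Usage: fim_exercise /path/to/monitored/dir /tmp/fim-test.log
```

Run it against a monitored directory, wait about a minute, then compare the timestamps in the log file with the alert times shown in the Sev 3 tab; the append and truncate steps should each show the write/modify event types from the table, while the open and copy-out steps should show only read-side events.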

Where can I view my results?

1) Go to the ALERTS tab
2) Select the Sev 3 tab to display Severity 3 alerts

Result: You should see an alert for the event that you triggered.

Severity 3 Alert Triggered

What if I don’t see an alert for the event?

Check out the FIM Troubleshooting Guide or contact support.
