File Transfer Protocol & FIM FAQ

Introduction

This page includes frequently asked questions F5 Distributed Cloud App Infrastructure Protection (AIP) has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).

How Do I Use FIM To Monitor an FTP Service?

You can use the Distributed Cloud AIP FIM monitoring service to track an FTP service that is exfiltrating data from your system.

Create a FIM rule to monitor a sensitive file or directory. After you create the FIM rule, if an FTP service copies a file to a remote system, an event triggers in Distributed Cloud AIP and you receive an alert stating that the file was opened by the service.

How Do I Whitelist a Particular User in FTP?

To whitelist a particular user, you have to add a suppression to the rule they currently trigger.

Note

Distributed Cloud AIP stores rules on the host, not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.

  1. On the Alerts page, click the Suppress button.


  2. On the Add New Host Rule Suppression dialog, specify the user to suppress.


  3. Click the Add New Suppression button.


You added a suppression to a ruleset. Going forward, the user you specified (Skyler, in this example) will not trigger an alert related to this rule.

For more information on Suppressions, see Suppress an Alert.

How Do I Monitor Other Folders For Invalid Users?

To monitor other folders for invalid users:

  1. Create a rule to monitor changes in all home directories.
  2. Create suppressions for each user for their own home directory.

For more information, see Create a File Integrity Monitoring Rule and Add a User-Specific Suppression.
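
The two steps above amount to "alert on any home-directory access unless the acting user owns that home directory." The following Python sketch is an added illustration of that logic over constructed events; it is not Distributed Cloud AIP rule syntax or product code. It assumes home directories live under /home, that an event carries a user and a path, and that a suppression is modeled as a (user, home directory owner) pair covering everything under that home directory.

```python
import posixpath
from pathlib import PurePosixPath

HOME_ROOT = PurePosixPath("/home")  # assumption: all home directories live here

def home_owner(path):
    """Return the user whose home directory contains `path`, or None if out of scope."""
    try:
        # Normalize first so "/home/alice/../bob/x" is attributed to bob, not alice.
        parts = PurePosixPath(posixpath.normpath(path)).relative_to(HOME_ROOT).parts
    except ValueError:
        return None  # not under /home (also rejects look-alikes such as /homework)
    return parts[0] if parts else None

def build_suppressions(users):
    """Step 2: one suppression per user, covering only that user's own home directory."""
    return {(user, user) for user in users}  # (acting user, home directory owner)

def evaluate(events, suppressions):
    """Step 1 plus suppressions: return (user, path, owner) for each event that alerts."""
    alerts = []
    for event in events:
        owner = home_owner(event["path"])
        if owner is None:
            continue  # outside the scope of the home-directory rule
        if (event["user"], owner) in suppressions:
            continue  # user touching their own home directory
        alerts.append((event["user"], posixpath.normpath(event["path"]), owner))
    return alerts

# Constructed sample events (hypothetical users and paths, not real FIM output).
EVENTS = [
    {"user": "alice", "path": "/home/alice/notes.txt"},          # suppressed
    {"user": "bob",   "path": "/home/alice/payroll.csv"},        # other user's home
    {"user": "ftp",   "path": "/home/alice/payroll.csv"},        # service account
    {"user": "alice", "path": "/home/alice/../bob/report.csv"},  # resolves into bob's home
    {"user": "carol", "path": "/home/carol/todo.txt"},           # no suppression created yet
    {"user": "bob",   "path": "/etc/hosts"},                     # out of scope
]
SUPPRESSIONS = build_suppressions(["alice", "bob"])

if __name__ == "__main__":
    for user, path, owner in evaluate(EVENTS, SUPPRESSIONS):
        print(f"ALERT: {user} accessed {path} (home directory of {owner})")
```

The carol event shows the operational cost of this design: a user added after the suppressions were created alerts on their own home directory until a suppression is added for them.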
