This page includes frequently asked questions Threat Stack has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).
How do I use FIM to monitor an FTP service?
You can use Threat Stack FIM to track an FTP service exfiltrating data from your system.
Create a FIM rule to monitor a sensitive file or directory. After you create the rule, if an FTP service copies a file to a remote system, an event triggers in Threat Stack and you receive an alert stating that the file was opened by the service.
How do I whitelist a particular user in FTP?
To whitelist a particular user, you have to add a suppression to the rule they currently trigger.
NOTE: Threat Stack stores rules on the host and not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.
1. On the Alerts page, click the Suppression button.
2. On the Add New Host Rule Suppression fly-in, enter the user to suppress.
3. Click the Add New Suppression button.
You added a suppression to a rule set. Going forward, the suppressed user (Skyler, in this example) will not trigger an alert related to this rule.
For more information on Suppressions, see the How do I Suppress Alerts? article.
How do I monitor other folders for invalid users?
To monitor other folders for invalid users:
- Create a rule to monitor changes in all home directories.
- Create suppressions for each user for their own home directory.
See the How to Monitor other Folders for Invalid Users article for the full instruction set.
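The two steps above combine one broad rule with per-user exceptions. The code below is an added illustration in generic Python, not Threat Stack's rule syntax or engine; it applies that logic to constructed events so you can see which accesses remain as alerts. The event field names, the `/home` location and the users other than Skyler are assumptions.

```python
from pathlib import PurePosixPath

HOME_ROOT = PurePosixPath("/home")  # assumed location of home directories

# Constructed FIM-style events; the field names are hypothetical.
EVENTS = [
    {"user": "skyler", "path": "/home/skyler/notes.txt", "action": "open"},
    {"user": "skyler", "path": "/home/skyler2/keys.txt", "action": "open"},
    {"user": "ftp", "path": "/home/jordan/payroll.csv", "action": "open"},
    {"user": "jordan", "path": "/home/jordan/payroll.csv", "action": "modify"},
    {"user": "jordan", "path": "/etc/hosts", "action": "open"},
]

def home_owner(path):
    """Return the home directory name a path falls under, or None."""
    parts = PurePosixPath(path).parts
    root = HOME_ROOT.parts
    if len(parts) > len(root) and parts[:len(root)] == root:
        return parts[len(root)]
    return None

def build_suppressions(users):
    """One suppression per user, scoped to that user's own home directory."""
    return {(user, user) for user in users}  # (user, home directory name)

def invalid_home_access(events, suppressions):
    """Return events that match the home-directory rule and are not suppressed."""
    alerts = []
    for event in events:
        owner = home_owner(event["path"])
        if owner is None:
            continue  # outside the home directories: the rule does not match
        # Compare whole path components, so a suppression for skyler on
        # /home/skyler does not also cover /home/skyler2.
        if (event["user"], owner) in suppressions:
            continue  # user working inside their own home directory
        alerts.append(event)
    return alerts

if __name__ == "__main__":
    for event in invalid_home_access(EVENTS, build_suppressions(["skyler", "jordan"])):
        print(f'ALERT {event["user"]} {event["action"]} {event["path"]}')
```

A service account such as the constructed `ftp` user has no suppression, so its access to another user's home directory stays visible as an alert.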