This page includes frequently asked questions Threat Stack has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).
You can track an FTP service exfiltrating data from your system using the Threat Stack FIM monitoring service.
Create a FIM rule to monitor a sensitive file or directory. After you create the FIM rule, if an FTP service copies a file to a remote system, an event triggers in Threat Stack and you receive an alert stating that the file was opened by the service.
To whitelist a particular user, you have to add a suppression to the rule they currently trigger.
Threat Stack stores rules on the host and not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.
- On the Alerts page, click the Suppression button.
- On the Add New Host Rule Suppression dialog, specify the user to suppress.
- Click the Add New Suppression button.
You added a suppression to a ruleset. Going forward, Skyler will not trigger an alert related to this rule.
For more information on suppressions, see the "How do I Suppress Alerts?" article.
To monitor other folders for invalid users:
- Create a rule to monitor changes in all home directories.
- Create suppressions for each user for their own home directory.
See the "How to Monitor other Folders for Invalid Users" article for the full instruction set.
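
The logic behind the home-directory rule and its per-user suppressions, as an added Python sketch that is not Threat Stack code or rule syntax. The event shape, the `/home` layout, the user `alex`, and the choice to let a suppression cover everything under the user's own home directory are assumptions of this example.

```python
import posixpath
from dataclasses import dataclass

HOME_ROOT = "/home"  # assumption: all home directories live under /home


@dataclass(frozen=True)
class FileEvent:  # constructed event shape, not Threat Stack's schema
    user: str
    process: str
    path: str


def home_owner(path):
    """Return the account whose home directory contains `path`, else None."""
    # Normalise first so "/home/skyler/../alex/x" is attributed to alex.
    parts = posixpath.normpath(path).split("/")
    if len(parts) >= 3 and "/" + parts[1] == HOME_ROOT and parts[2]:
        return parts[2]
    return None


def alerts(events, suppressed_users):
    """Events the home-directory rule matches and no suppression covers."""
    out = []
    for ev in events:
        owner = home_owner(ev.path)
        if owner is None:
            continue  # outside the monitored directories
        if ev.user == owner and ev.user in suppressed_users:
            continue  # suppressed: user working in their own home directory
        out.append(ev)
    return out


SAMPLE_EVENTS = [  # constructed sample data
    FileEvent("skyler", "vim", "/home/skyler/notes.txt"),
    FileEvent("skyler", "cat", "/home/alex/report.txt"),
    FileEvent("ftp", "vsftpd", "/home/alex/payroll.csv"),
    FileEvent("skyler", "cat", "/home/skyler/../alex/todo.txt"),
    FileEvent("alex", "ls", "/var/log/syslog"),
]


def demo():
    hits = alerts(SAMPLE_EVENTS, suppressed_users={"skyler", "alex"})
    return [(e.user, e.process, e.path) for e in hits]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because each suppression is tied to the owner of the directory, a service account such as the FTP daemon still alerts when it opens a file in any user's home directory.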