This page answers frequently asked questions that App Infrastructure Protection (AIP) has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).
You can track an FTP service exfiltrating data from your system using the AIP FIM monitoring service.
Create a FIM rule to monitor a sensitive file or directory. After you create the FIM rule, if an FTP service copies a file to a remote system, an event triggers in AIP and you receive an alert stating that the file was opened by the service.
To whitelist a particular user, you have to add a suppression to the rule they currently trigger.
AIP stores rules on the host, not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.
- On the Alerts page, click the Suppression button.
- In the Add New Host Rule Suppression dialog, specify the user to suppress.
- Click the Add New Suppression button.
You added a suppression to a ruleset. Going forward, Skyler will not trigger an alert related to this rule.
For more information on Suppressions, see How do I Suppress Alerts?.
To monitor other folders for invalid users:
- Create a rule to monitor changes in all home directories.
- Create suppressions for each user for their own home directory.
See How to Monitor other Folders for Invalid Users for full instructions.
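The logic of the two steps above, modelled in Python as an added example; it is not AIP rule or suppression syntax and not code from the AIP documentation. The `/home` layout, the event fields, and the users `alex` and `ftp` are constructed assumptions.

```python
import posixpath
from pathlib import PurePosixPath

HOME_ROOT = PurePosixPath("/home")  # assumption: home directories live under /home


def home_owner(path):
    """Return the user whose home directory contains `path`, or None."""
    # Normalise first so "/home/skyler/../alex/x" is attributed to alex.
    p = PurePosixPath(posixpath.normpath(path))
    try:
        rel = p.relative_to(HOME_ROOT)
    except ValueError:
        return None  # outside the monitored tree (e.g. /var or /homework)
    return rel.parts[0] if rel.parts else None


def build_suppressions(users):
    """One suppression per user, covering only that user's own home directory."""
    return {(user, user) for user in users}  # (acting user, home directory owner)


def alerts(events, suppressions):
    """Return events that match the home-directory rule and are not suppressed."""
    hits = []
    for ev in events:
        owner = home_owner(ev["path"])
        if owner is None:
            continue  # the rule does not cover this path
        if (ev["user"], owner) in suppressions:
            continue  # user touching their own home directory
        hits.append(ev)
    return hits


# Constructed sample events (hypothetical field names).
SAMPLE_EVENTS = [
    {"user": "skyler", "path": "/home/skyler/notes.txt", "event": "open"},
    {"user": "skyler", "path": "/home/alex/report.csv", "event": "open"},
    {"user": "ftp", "path": "/home/alex/report.csv", "event": "open"},
    {"user": "alex", "path": "/var/log/syslog", "event": "open"},
    {"user": "alex", "path": "/home/alex/report.csv", "event": "modify"},
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS, build_suppressions(["skyler", "alex"])):
        print(f'ALERT {ev["event"]} {ev["path"]} by {ev["user"]}')
```

Only the two accesses to `/home/alex` by `skyler` and `ftp` remain as alerts, because neither user has a suppression for that directory.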