This page includes frequently asked questions that F5 Distributed Cloud App Infrastructure Protection (AIP) has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).
You can use the Distributed Cloud AIP FIM monitoring service to track an FTP service that is exfiltrating data from your system.
Create a FIM rule to monitor a sensitive file or directory. After you create a FIM rule, if an FTP service copies a file to a remote system, an event triggers in Distributed Cloud AIP and you receive an alert stating that the file was opened by the service.
To whitelist a particular user, you have to add a suppression to the rule they currently trigger.
Distributed Cloud AIP stores rules on the host, not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.
- On the Alerts page, click the Suppress button.
- On the Add New Host Rule Suppression dialog, specify the user to suppress.
- Click the Add New Suppression button.
You added a suppression to a ruleset. Going forward, Skyler will not trigger an alert related to this rule.
For more information on Suppressions, see Suppress an Alert.
To monitor other folders for invalid users:
- Create a rule to monitor changes in all home directories.
- Create suppressions for each user for their own home directory.
For more information, see Create a File Integrity Monitoring Rule and Add a User-Specific Suppression.