FAQ about File Transfer Protocol & FIM


This page includes frequently asked questions Threat Stack has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).

How Do I Use FIM To Monitor a FTP?

You can track a FTP services exfiltrating data away from your system using the Threat Stack FIM monitoring service.

Create a FIM rule to monitor a sensitive file or directory.  After you create a FIM rule, if a FTP service copies a file to a remote system an event triggers in Threat Stack and you receive an alert stating the file was opened by the service.

How Do I Whitelist a Particular User in FTP?

To whitelist a particular user, you have to add a suppression to the rule they currently trigger.


Threat Stack stores rules on the host and not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.

  1. On the Alerts page, click the Suppression button.


  2. On the Add New Host Rule Suppression dialog, specify the user to suppress.


  3. Click the Add New Suppression button.


You added a suppression to a ruleset. Going forward, Skyler will not trigger an alert related to this rule.

For more information on Suppressions, see the How do I Suppress Alerts? article.

How Do I Monitor Other Folders For Invalid Users?

To monitor other folders for invalid users:

  1. Create a rule to monitor changes in all home directories.
  2. Create suppressions for each user for their own home directory.

See the How to Monitor other Folders for Invalid Users article for the full instruction set.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request