Create a File Integrity Monitoring Rule and Add a User-Specific Suppression

You can create a File Integrity Monitoring (FIM) rule with a specific user suppression to monitor changes in certain folders by unauthorized users. To do so, perform the following actions:

  • Create a rule to monitor changes in all home directories
  • Create suppressions for each user for their own home directory
Create a FIM Rule to Monitor a Folder

You can create a File Integrity Rule to monitor changes to a folder.

  1. Navigate to the Rules tab and select a ruleset from the list.
  2. Click the + New Rule button.


    1.png

    Note

    You can create a rule in any ruleset to suit your organization's needs. In this example, the new rule is added to the Base Rule Set.

  3. The Add Host Rule dialog displays.


    Add_host_rule_dialog.png

  4. Select File Integrity Rule from the list and click Next: Details to proceed.


    File_integrity_rule_selected.png

  5. The Add File Rule dialog displays. You will be able to specify the file rule details.
    1. Severity of alerts: There are three levels of behaviors to indicate the severity of an alert.
      • Severity 1 alerts are the highest elevation of behaviors.
      • Severity 2 alerts are the second highest elevation of behaviors.
      • Severity 3 alerts are the third highest elevation of behaviors.
    2. Rule Name (Required): Indicates the name of the ruleset.
    3. Alert Title (Required): Indicates the name and substitutions (dynamic content) which add context to the alert.
    4. Alert Description: Indicates a brief summary of the alert.
    5. Aggregate Fields: Helps define the uniqueness of an alert. See Rule Aggregation for additional information about aggregate options.
    6. Trigger an alert if an event matching this rule occurs at least: Indicates the frequency for generating an alert. You can specify how often to display an alert within a certain time frame. For additional information, see Life Cycle of an Alert.

    4.png

  6. Complete the fields for Rule Name, Alert Title and Alert Description. Click the Aggregate Fields to display the drop-down menu. Select User from the list.


    5.png

  7. After making your selection, click Next: File Paths.


    6.png

  8. The File Rule Paths pane displays. You can specify file paths to monitor.


    7.png

  9. Specify a File Integrity Path and select the checkbox for Recursive monitoring.


    8.png

    Note

    Enabling recursive monitoring for a specific file path allows F5 Distributed Cloud App Infrastructure Protection (AIP) to monitor changes in that directory and all of its subdirectories.

  10. Click the Events To Monitor field to display the drop-down menu. Select ALL from the list.


    9.png

    Tip

    If you have integrated your Amazon Web Services (AWS) account into Distributed Cloud AIP, the Deployment Options pane appears next. You can specify AWS EC2 tags for this rule and automatically assign the rule to all associated hosts. For additional information, see AWS EC2 Tags.

    However, if you do not see the Deployment interface, then your Distributed Cloud AIP AWS EC2 Agent correlation is not enabled. Follow the steps in Automatically Integrate with AWS using CloudFormation to enable this integration.

  11. After specifying a file path and FIM events to monitor, click Create Rule.


    10.png

  12. The rule creates and it displays on the Rules page.


    11.png

Add a User Specific Suppression to a FIM Rule

Follow these instructions to remove monitoring for users in their own home directory.

  1. Within the Rules tab, click the Suppressions link to display the Suppressions pane.


    12.png

  2. Click the + New Suppression button.


    NewSupBut.png

    The New Suppression section displays.


    NewSupField.png

  3. In the Filter field, specify your suppression filter options.


    AddNewSup.png

  4. Click the Add New Suppression button. The suppression saves to the rule.
Was this article helpful?
0 out of 0 found this helpful