FAQ: Why do I see blank fields in my FIM events?

If the following fields are blank in your FIM (file integrity monitoring) events, then you may not be able to receive all of the enriched metadata available for those events:

  • uid
  • auid
  • gid
  • session
  • arguments
  • command
  • pid
  • ppid
  • containerId
  • containerImage
  • containerLabels
  • pod_uid
  • pod_name

As a workaround, you can use a previous version of the enriched FIM metadata.

To switch to the previous version, do the following:

  1. Open the Command Line.
  2. Do one of the following, depending on how the Agent is deployed:
    • If you use a default distribution implementation, then run this command:
      sudo tsagent config --set enable_legacy_fim true
    • If you use Docker or Kubernetes, then, in the THREATSTACK_CONFIG_ARGS environment variable, add the following setting:
      enable_legacy_fim true
    • If you use a different orchestration tool, then set this variable to true:
      enable_legacy_fim true
  3. Restart the Threat Stack Agent.