SolarWinds LEM 6.3 User Guide > Using the LEM web console and desktop console

File Integrity Monitoring Connectors

Updated March 11th, 2016

 

File Integrity Monitoring (FIM) monitors files of all types for unauthorized changes that could lead to a data breach through a malicious attack. Using FIM, you can detect changes to critical files, both to verify that systems are free of compromise and to ensure that critical data is not altered by unauthorized modifications to systems, configurations, executables, log and audit files, content files, database files, and web files. If FIM detects a change in a monitored file, it logs the change. LEM then takes those logs and performs the configured action. Correlation rules can act as a second-level filter so that an alert is sent only for certain patterns of activity (not single instances), and when an alert is triggered, the data is in context with your network and other system log data. With a SIEM like LEM, you can also respond with administrative action.

Features of FIM

  • On Windows (XP, Vista, 7, 8, Server 2003, 2008, 2012), monitors for real-time access and changes to files and registry keys, and records who changed them
  • Allows you to configure the logic of which files/directories and registry keys/values to monitor for different types of access (create, write, delete, change permissions/metadata)
  • Provides the ability to standardize configurations across many systems
  • Provides monitoring templates that cover the basics, and also allows you to create and customize your own monitors
  • Provides templates for rules, filters, and reports to help you incorporate FIM events quickly

What can FIM detect?

  • Insider abuse, by auditing files directly through intelligent correlation rules. Active integration with Active Directory settings can disable accounts and change user groups and rights.
  • Changes to a critical registry key (where the registry is supported). For example, a new service is installed, software is installed, or a key is added to "hide" data in an unexpected area.
  • Installation of a new driver or similar device. This adds a layer of defense alongside antivirus software for detecting malware that masquerades as a "similarly" named file (like ntkernl.sys vs. ntkernI.sys).
  • Access to critical business files, and who is accessing them. Detects potential abuse, unexpected access, or changes to sensitive data.
  • Moved files, usually when users move directories into other directories.
  • Zero-day exploits, attacks that take advantage of a security vulnerability the same day the vulnerability becomes known. FIM can trigger an alert that a file was changed by potential malware or a Trojan, and can automatically stop the running malware process.
  • Advanced Persistent Threats, by inserting granular, file-based auditing into the existing event stream to pinpoint attacks and help block them in progress.

Adding a FIM connector

To add a FIM connector:

  1. Navigate to Manage > Nodes to see a listing of all the nodes being monitored by LEM.
  2. Select the desired node, then click the gear icon next to it and select Connectors.
  3. Enter FIM in the Refine Results pane. The search returns both FIM Registry and FIM File and Directory.
  4. Select either FIM File and Directory or FIM Registry.
  5. Click the gear icon next to the FIM Connector profile you want to work with, then select New to create a new connector. The Connector Configuration window displays.
  6. Select a Monitor from the Monitor Templates pane, and then click the gear icon and select Add to selected monitors. The Monitor Template then moves to the Selected Monitors pane.
  7. Click Save, or click Add Custom Monitor to modify the monitor to your requirements.

Monitors

Monitors allow you to configure rules for which files to watch and which actions to watch for on those files. Monitoring templates are provided for immediate use and as a starting point for creating custom templates or configurations.

Adding Custom Monitors

  1. Click Add Custom Monitor in the Connector Configuration window.
  2. Enter a Monitor Name.
  3. Enter a Description for the monitor.
  4. Click Add New. The Add Condition window displays. See Adding Conditions below for more information on how to add conditions to monitors.

Editing Monitors

  1. Select a Monitor from the Selected Monitors pane.
  2. Click the gear icon and select Edit monitor.

Promoting a Monitor to a Template

  1. Select the Monitor to be promoted.
  2. Click the gear  icon and select Promote monitor to template.
  3. Click Yes to promote this monitor to a template. The monitor is now available in the Monitor Templates pane.

Deleting a Monitor

  1. Select the monitor to be deleted.
  2. Click the gear  icon and select Delete.
  3. Click Remove. The monitor is then removed from the Selected Monitors pane.

Adding Conditions

  1. Click Add New in the Conditions window.
  2. Click Browse to select a File and Directory or a Registry key to watch.
  3. Click OK.
  4. Select whether the files are recursive or non-recursive. Refer to the table below for more information.

     Recursive: The selected folder and all of its sub-folders that match the given mask are monitored for the selected operations.

     Non-recursive: Only the files in the selected folder are monitored.
  5. Enter a Mask. For example, *exe or directory*.
  6. For a FIM File and Directory, select Create, Read, Write, and Delete for Directory, File, Permissions, and Other operations. For a FIM Registry, select Create, Read, Write, and Delete for Key and Value operations. For more information on Other, refer to the Microsoft MSDN information - 2.4 File Information Classes (© 2017 Microsoft, available at https://msdn.microsoft.com, obtained on February 8, 2017).
  7. Click Save.
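The recursive/non-recursive setting and the mask decide which files a condition covers, and the operation checkboxes decide which events it reports. The Python script below is an added example, not SolarWinds code: it models one such condition offline by building a SHA-256 baseline over a directory, applying the mask with fnmatch, and comparing a second pass to report Create, Write and Delete events. The `*.exe` mask, the folder layout and the file contents are all constructed for the demo. The LEM agent reports these events in real time; this polling comparison only illustrates what the condition fields select and how the recursive flag changes the result.

```python
"""Minimal file-integrity baseline/compare modelled on one FIM condition.

Added example, not SolarWinds code. A Condition holds the fields of the
Add Condition window (path, mask, recursive). baseline() hashes the files
the condition covers; compare() turns two baselines into Create / Write /
Delete events. Directory layout and contents are constructed for the demo.
"""
import fnmatch
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Condition:
    """One watched path: folder, filename mask, and recursive flag."""
    path: Path
    mask: str = "*"          # glob-style mask, e.g. "*.exe" (constructed)
    recursive: bool = True   # folder plus all sub-folders vs. folder only


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(cond: Condition) -> dict:
    """Map each file the condition covers (relative path) to its digest."""
    if cond.recursive:
        candidates = (p for p in cond.path.rglob("*") if p.is_file())
    else:
        candidates = (p for p in cond.path.iterdir() if p.is_file())
    return {
        str(p.relative_to(cond.path)): _sha256(p)
        for p in candidates
        if fnmatch.fnmatch(p.name, cond.mask)
    }


def compare(before: dict, after: dict) -> list:
    """Return sorted (operation, relative_path) tuples for the three events."""
    events = [("Create", rel) for rel in after.keys() - before.keys()]
    events += [("Delete", rel) for rel in before.keys() - after.keys()]
    events += [("Write", rel) for rel in before.keys() & after.keys()
               if before[rel] != after[rel]]
    return sorted(events)


def demo() -> dict:
    """Build a constructed tree, mutate it, and return what each condition sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "app.exe").write_bytes(b"MZ original")
        (root / "notes.txt").write_text("keep")
        (root / "sub" / "helper.exe").write_bytes(b"MZ helper")

        recursive_exe = Condition(root, mask="*.exe", recursive=True)
        flat_exe = Condition(root, mask="*.exe", recursive=False)
        base_rec = baseline(recursive_exe)
        base_flat = baseline(flat_exe)

        # Constructed changes: a write, a create in a sub-folder, a delete,
        # and a change to a file the mask excludes (must not be reported).
        (root / "app.exe").write_bytes(b"MZ tampered")
        (root / "sub" / "new.exe").write_bytes(b"MZ dropped")
        (root / "sub" / "helper.exe").unlink()
        (root / "notes.txt").write_text("changed but not masked")

        return {
            "recursive": compare(base_rec, baseline(recursive_exe)),
            "non_recursive": compare(base_flat, baseline(flat_exe)),
        }


if __name__ == "__main__":
    for name, events in demo().items():
        print(name)
        for op, rel in events:
            print(f"  {op:<6} {rel}")
```

Run the script directly: the recursive condition reports the create under `sub`, the delete under `sub`, and the write to `app.exe`, while the non-recursive condition reports only the write to `app.exe`; the change to `notes.txt` is never reported because the mask excludes it.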

Editing Conditions

  1. Select the condition to be edited in the Conditions window.
  2. Click Edit.
  3. Click Browse to select a File and Directory or a Registry key to watch.
  4. Click OK.
  5. Select whether the files are recursive or non-recursive. Refer to the table below for more information.

     Recursive: The selected folder and all of its sub-folders that match the given mask are monitored for the selected operations.

     Non-recursive: Only the files in the selected folder are monitored.
  6. Enter a Mask. For example, *exe or directory*.
  7. For a FIM File/Directory, select Create, Read, Write, and Delete for Directory, File, Permissions, and Other operations. For a FIM Registry, select Create, Read, Write, and Delete for Key and Value operations. For more information on Other, refer to the Microsoft MSDN information - 2.4 File Information Classes (© 2017 Microsoft, available at https://msdn.microsoft.com, obtained on February 8, 2017).
  8. Click Save.

Deleting Conditions

  1. Select the condition to be deleted in the Conditions window.
  2. Click Delete.
  3. Click Remove.

FIM Connector advanced settings

  1. Complete the Advanced Connector Settings form according to the device you're configuring. The following fields/descriptions are common for most connectors:
Log Directory

When you create a new alias for a connector, LEM automatically places a default log file path in the Log Directory field. This path tells the connector where the operating system stores the product’s event log file.

In most cases, you should be able to use the default log file path shown for the connector. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, change it manually as described below.

To manually change the log file location:

  1. Enter or paste the correct path in the Log Directory field.
  2. Stop the Agent.
  3. Manually update the Agent's spop.conf property:
    • com.solarwinds.lem.fim.minifilter.fsLogLocation for a file and directory connector. This appears as %SystemDrive%\\Mylocation\\FileSystem in the config file.
    • com.solarwinds.lem.fim.minifilter.registryLogLocation for a registry connector. This appears as C:\\My other log location\\Registry in the config file.
  4. Restart the Agent.
Log Data Type to Save

Select either nDepth, Alert, or Alert, nDepth. To store a copy of the original log data in addition to normalized data, change the Log Data Type to Save to Alert, nDepth. Storage for original log data must also be enabled on the appliance.

nDepth Host

If you are using a separate nDepth appliance (other than LEM), type the IP address or host name for the nDepth appliance. Generally, the default setting is correct. Only change it if you are advised to do so.

nDepth Port

If you are using a separate nDepth appliance (other than the SolarWinds LEM), type the port number to which the connector is to send nDepth data. Generally, the default setting is correct. Only change it if you are advised to do so.

Sleep Time

Type or select the time (in seconds) the connector sensor is to wait between event monitoring sessions. The default (and minimum) value for all connectors is one (1) second. If you experience adverse effects due to too many rapid readings of log entries, increase the Sleep Time for the appropriate connectors.

Windows NT-based connectors automatically notify Windows Event Log sensors of new events that enter the log file. Should automatic notification stop for any reason, the Sleep Time dictates the interval the sensor is to use for monitoring new events.

Wrapper Name

This is an identification key that the SolarWinds LEM uses to uniquely identify the properties that apply to this particular connector. This is read-only information for SolarWinds reference purposes.

Tool Version

This is the release version for this connector. This is read-only information for reference purposes.

Enable Connector Upon Save

When this option is selected, the connector starts when you click Save.

  2. After completing the form, click Save.
  3. If you did not select the Enable Connector Upon Save option, navigate to the Connectors list and click the gear icon next to the new connector (denoted by an icon in the Status column), and then select Start.
  4. After starting the connector, verify that it is working by checking for events on the Monitor tab.
Last modified
15:59, 8 Feb 2017
