Does Cloud Defender offer FIM (File Integrity Monitoring)?



1 comment

  • Official comment
    Lindsey Stirneman

    The best answer is “no,” there are dedicated FIM products available that can go above and beyond what we can achieve– (Tripwire, OSSEC, Samhain, etc).

    However, we do offer “FIM-esque functionality” via Log Manager. Make sure to note that this solution requires a considerable amount of work from the customer, uptick in log volume (possible pricing tier jump) and is for Windows only.

    When Windows is configured to monitor file/directory activity using the Object Access Auditing functionality it will generate messages for file system activities, like read and write operations. If the customer enables and sends Windows Object Auditing Logs they can create Correlation Policies and Alerts to notify them of file access, modification, deletion. This is done by defining a Correlation Policy that includes:

    • Message Types: Windows Successful Object Access
    • Properties and Fields: Object Name, Host Name, Object Access Mode, and Object Type
    • Correlate by Property or Field Value: Using RegEx to define Host Name, Object Access Mode, etc, is best because you can “cast a wider net” as opposed to defining each file, host, etc, individually.

Please sign in to leave a comment.