File Integrity Monitoring for Windows Overview

Overview

File Integrity Monitoring (FIM) provides visibility into new and changed files. FIM monitors a predefined set of files and directories at a periodic interval to identify new, changed, and malicious files.

You can configure the scan frequency. The default scan interval is once a day; this default was chosen to balance detection needs against the CPU, memory, and disk I/O cost of each scan.

By default, Lacework monitors a default set of paths and excludes another default set of paths from monitoring. You can override these defaults to scan or ignore specific file paths on your machine.

FIM does not examine file contents or send the file contents to the Lacework platform. It only sends the file metadata and file hash to the Lacework platform.

FIM creates an alert for malicious files by comparing the SHA256 file hash to a list of known, malicious file hashes. You can create custom FIM policies to receive alerts for the files that really matter to your organization. For example, you can clone the following default policies to create custom FIM policies.

Note: The Windows agent captures SHA256 file hash information to detect malicious files. However, the file hash information is not displayed for application alerts in the Lacework Console.

Policy ID | Alert Generated by Policy | Description
LW_FIM_33 | Files Changed | Generates alerts for files that are modified in the directories you specified in the policy.
LW_FIM_34 | Suspicious Files | Generates alerts if the file hash for a binary matches a SHA256 file hash you specified in the policy.
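To make the mechanism concrete, here is a small added illustration (not Lacework's agent code) of what the two policies above rely on: a scan records only metadata and a SHA256 digest per file, a later scan is compared to the baseline to find new and changed files, and each digest is checked against a list of known-bad hashes. The directory contents and the "known bad" list are constructed inside the example; the locked-file note below is mirrored by skipping files that cannot be read instead of aborting the scan.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks; only the digest is kept, never the contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, exclude: tuple[str, ...] = ()) -> dict[str, dict]:
    """Snapshot every regular file under root, keyed by path relative to root.
    Paths starting with an excluded prefix are skipped; files that cannot be
    opened (e.g. locked by another process) are skipped rather than fatal."""
    snapshot = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if not p.is_file() or rel.startswith(exclude):
            continue
        try:
            st = p.stat()
            snapshot[rel] = {"size": st.st_size, "mtime": st.st_mtime,
                             "sha256": sha256_of(p)}
        except OSError:
            continue  # open/locked file: cannot be scanned
    return snapshot


def diff(previous: dict, current: dict, bad_hashes: set[str]) -> dict[str, list[str]]:
    """Classify files as new, changed (digest differs) or malicious (digest on the list)."""
    new = [f for f in current if f not in previous]
    changed = [f for f in current if f in previous
               and current[f]["sha256"] != previous[f]["sha256"]]
    malicious = [f for f in current if current[f]["sha256"] in bad_hashes]
    return {"new": sorted(new), "changed": sorted(changed), "malicious": sorted(malicious)}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline scan, then one edit and one dropped file."""
    root = Path(tempfile.mkdtemp())
    (root / "app.cfg").write_bytes(b"setting=1\n")
    (root / "tool.exe").write_bytes(b"MZ-original")
    baseline = scan(root)
    (root / "app.cfg").write_bytes(b"setting=2\n")   # modified after baseline
    (root / "dropper.exe").write_bytes(b"MZ-evil")    # new file after baseline
    bad = {hashlib.sha256(b"MZ-evil").hexdigest()}    # constructed known-bad list
    return diff(baseline, scan(root), bad)
```

Running `demo()` reports `app.cfg` as changed and `dropper.exe` as both new and malicious, while the untouched `tool.exe` produces nothing.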

For more information about creating custom FIM policies, see the following:

Note: By default, Lacework monitors a default set of directories that you can override using the filepath property in the config.json agent configuration file. In a custom policy, ensure that you specify only directories that are being monitored. If you specify a directory that is not monitored, alerts will not be generated for files in that directory.

Note: Lacework cannot scan files that are open or that the administrator of the host machine has locked against sharing.

View FIM Scan Results

To view the results of the FIM scan, go to Workloads > Hosts > Files in the Lacework Console. For more information, see Files dashboard.

View FIM Scan Alerts

To view FIM alerts, do the following:

  1. Click Alerts in the Lacework Console.
  2. Click the Alert Subcategory drop-down list.
  3. Select File.
  4. Click Show Results.