Overview

File Integrity Monitoring (FIM) is a critical security capability that tracks changes to files and directories across your infrastructure. The module generates alerts related to file modifications, including changes to permissions, content, ownership, and attributes, helping you detect unauthorized access and maintain system integrity.

Key Features

Comprehensive File Change Detection

FIM monitors multiple aspects of file changes:
  • Content Modifications: Detect when file contents are modified
  • Permission Changes: Track changes to file permissions and access controls
  • Ownership Changes: Monitor modifications to file ownership
  • Attribute Changes: Detect changes to file attributes and metadata
  • File Creation/Deletion: Track when files are created or deleted
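A minimal illustration of the baseline-and-compare approach behind these checks, written for this page rather than taken from the Wazuh agent: it snapshots checksum, permissions, ownership and modification time for every file under a directory, then diffs two snapshots into creation, modification and deletion events. The temporary directory, file names and contents in demo() are constructed.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record checksum, permissions, ownership and mtime for every file under root."""
    state = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.lstat()
        state[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.filemode(st.st_mode),
            "owner": (st.st_uid, st.st_gid),
            "mtime": int(st.st_mtime),
        }
    return state


def compare(baseline, current):
    """Diff two snapshots into (event.type, path, changed attributes) tuples."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append(("deletion", path, []))
        elif path not in baseline:
            events.append(("creation", path, []))
        else:
            changed = [k for k, v in baseline[path].items() if current[path][k] != v]
            if changed:
                events.append(("modification", path, changed))
    return events


def demo():
    """Constructed scenario: content change, permission change, new file, deleted file."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "shadow").write_text("root:!:19000::::::\n")
        (etc / "shadow").chmod(0o600)
        (etc / "motd").write_text("welcome\n")
        baseline = snapshot(root)
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")  # content
        (etc / "shadow").chmod(0o644)              # permission change, content untouched
        (etc / "cron.allow").write_text("root\n")  # creation
        (etc / "motd").unlink()                    # deletion
        return compare(baseline, snapshot(root))
```

Note that the chmod on shadow is reported through the mode attribute alone: a checksum-only monitor would miss it, which is why permission and ownership are tracked alongside content.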

Real-time Monitoring

  • Immediate Alerts: Receive alerts as file changes occur
  • Who-Data: Capture information about who made the changes (user, process)
  • Change Correlation: Correlate file changes across your infrastructure

Interactive Dashboards

FIM provides dedicated dashboards for file integrity analysis:
  • Overview Dashboard: System-wide view of file changes (Dashboard ID: fim-overview-dashboard)
  • Agent Dashboard: File changes for specific agents (Dashboard ID: fim-pinned-agent-dashboard)
  • Visual Analytics: Charts and graphs showing file change trends

Event Data Structure

FIM events include the following key fields:
Field             Description
timestamp         When the file change occurred
wazuh.agent.id    ID of the agent that detected the change
wazuh.agent.name  Name of the monitoring agent
file.path         Full path to the modified file
event.type        Type of event (creation, modification, deletion)
event.action      Specific action performed
file.inode        File system inode number

Data Sources

FIM utilizes multiple index patterns for comprehensive file monitoring:

Events Data

  • Pattern: wazuh-events*
  • Type: Real-time file change events

States Data

  • Files Pattern: wazuh-states-fim-files*
  • Registry Keys Pattern: wazuh-states-fim-registry-keys* (Windows)
  • Registry Values Pattern: wazuh-states-fim-registry-values* (Windows)

Inventory View

The FIM inventory provides a comprehensive view of monitored files:

File Inventory

Access detailed information about all monitored files:
  • Current state of monitored files
  • File checksums (MD5, SHA1, SHA256)
  • Permission details
  • Ownership information
  • Last modification time
Component: InventoryFIMFiles
Location: /plugins/main/public/components/overview/fim/inventory/

Windows Registry Monitoring

For Windows systems, FIM also monitors registry changes:
  • Registry key creation/deletion
  • Registry value modifications
  • Permission changes on registry keys

Configuration

Monitored Directories

Configure which directories and files to monitor:
<syscheck>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/home</directories>
</syscheck>

Monitoring Options

Customize monitoring behavior:
  • Real-time Monitoring: Enable immediate detection of changes
  • Who-data: Capture process and user information
  • Recursion Limits: Control directory depth for monitoring
  • File Ignore Rules: Exclude specific files or patterns

Use Cases

Security Incident Detection

Detect unauthorized file modifications:
  1. Monitor critical system files and directories
  2. Set up alerts for changes to configuration files
  3. Investigate suspicious file modifications
  4. Correlate file changes with other security events

Compliance Requirements

Meet regulatory compliance standards:
  • PCI DSS 11.5: Monitor critical files for unauthorized changes
  • HIPAA: Track access to files containing sensitive health information
  • SOX: Monitor changes to financial system files
  • GDPR: Track access to files containing personal data

Change Management

Support IT change management processes:
  • Verify authorized changes were made correctly
  • Detect unauthorized or undocumented changes
  • Audit system configuration changes
  • Track application deployment changes

Malware Detection

Identify malware through file system changes:
  • Detect creation of malicious files
  • Monitor modifications to system binaries
  • Identify ransomware encryption activities
  • Track suspicious file permission changes
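As an added example (not code from the Wazuh dashboard plugin), the triage below works the event fields from the Event Data Structure table through steps 1, 2 and 4 of the incident-detection procedure and the ransomware heuristic listed under Malware Detection: it flags creations or modifications under the monitored system paths and correlates per-agent bursts of modifications. The flat dotted keys, the 60-second window, the threshold of 20 and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this example; tune to the environment.
CRITICAL_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/")
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20


def make_event(ts, agent_id, agent_name, path, etype, action, inode):
    """Build one event using the field names from the FIM event table."""
    return {"timestamp": ts, "wazuh.agent.id": agent_id, "wazuh.agent.name": agent_name,
            "file.path": path, "event.type": etype, "event.action": action, "file.inode": inode}


# Constructed sample: one edit to the SSH daemon config on web-01, and 25 document
# modifications within 25 seconds on fs-01, the pattern mass encryption leaves behind.
SAMPLE_EVENTS = [make_event("2024-05-01T10:00:00Z", "001", "web-01",
                            "/etc/ssh/sshd_config", "modification", "modified", 13107)]
SAMPLE_EVENTS += [make_event(f"2024-05-01T10:05:{i:02d}Z", "002", "fs-01",
                             f"/home/alice/docs/report{i}.docx", "modification", "modified", 20000 + i)
                  for i in range(25)]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def triage(events):
    """Flag creations/modifications under critical paths, then per-agent modification bursts."""
    findings = []
    per_agent = defaultdict(list)
    for ev in events:
        if ev["event.type"] in ("creation", "modification") and ev["file.path"].startswith(CRITICAL_PREFIXES):
            findings.append({"rule": "critical_path_change", "agent": ev["wazuh.agent.id"],
                             "path": ev["file.path"], "action": ev["event.action"]})
        if ev["event.type"] == "modification":
            per_agent[ev["wazuh.agent.id"]].append(parse_ts(ev["timestamp"]))
    for agent, times in per_agent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:   # slide the window forward
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:   # report once per agent
                findings.append({"rule": "modification_burst", "agent": agent,
                                 "count": end - start + 1, "window_s": int(BURST_WINDOW.total_seconds())})
                break
    return findings
```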

Integration with Other Modules

FIM integrates with several other security modules:
  • Threat Hunting: Correlate file changes with security alerts
  • Malware Detection: Identify malware-related file modifications
  • Configuration Assessment: Verify file configurations against baselines
  • System Auditing: Link file changes to user actions

Best Practices

  1. Monitor Critical Paths: Focus on system directories, configuration files, and application binaries
  2. Enable Who-data: Capture user and process information for better forensics
  3. Use Exclusions Wisely: Exclude high-churn directories to reduce noise
  4. Regular Baseline Updates: Update file baselines after authorized changes
  5. Set Appropriate Alert Thresholds: Balance between detection and alert fatigue
  6. Integrate with SIEM: Forward FIM events to your SIEM for correlation
  7. Test Monitoring: Regularly verify FIM is detecting changes as expected

Performance Considerations

  • Scan Scheduling: Configure periodic scans during off-peak hours
  • Real-time vs Scheduled: Balance between immediate detection and system impact
  • Database Optimization: Regularly maintain the FIM database
  • Filter Noise: Exclude temporary files and frequently changing logs

Component Architecture

The FIM module is built using the following components:
// Dashboard component
DashboardFIM
  DataSource: FIMDataSource
  Repository: EventsDataSourceRepository
  Dashboard ID: fim-overview-dashboard
  Agent Dashboard ID: fim-pinned-agent-dashboard

// Inventory component
InventoryFIMFiles
  DataSource: FIMFilesStatesDataSource
  Repository: FIMFilesStatesDataSourceRepository
  Inventory ID: fim-files-inventory
Location in codebase: /plugins/main/public/components/overview/fim/

Sample Data

The module supports sample data for testing and demonstration:
  • Category: File Integrity Monitoring
  • Sample Pattern: wazuh-states-fim*