File Integrity Monitoring for Windows Overview
File Integrity Monitoring (FIM) provides visibility into new and changed files. FIM monitors a predefined set of files/directories at a periodic interval to identify new, changed, and malicious files.
You can configure the scan frequency. The default scan interval is once a day. The interval was chosen to balance feature need versus CPU, memory, and disk IO bandwidth cost.
By default, Lacework monitors a default set of paths and excludes another default set of paths from monitoring. You can override these defaults to scan or ignore specific file paths on your machine.
FIM does not examine file contents or send the file contents to the Lacework platform. It only sends the file metadata and file hash to the Lacework platform.
FIM creates an alert for malicious files by comparing the SHA256 file hash to a list of known malicious file hashes. You can create custom FIM policies to receive alerts for the files that really matter to your organization. For example, you can clone the following default policies to create custom FIM policies.
Policy ID | Alert Generated by Policy | Description |
---|---|---|
LW_FIM_33 | Files Changed | Generates alerts for files that are modified in the directories you specified in the policy. |
LW_FIM_34 | Suspicious Files | Generates alerts if the file hash for a binary matches a SHA256 file hash you specified in the policy. |
For more information about creating custom FIM policies, see the following:
Note: By default, Lacework monitors a default set of directories that you can override using the filepath property in the config.json agent configuration file. In a custom policy, ensure that you specify only the directories that are being monitored. If you specify a directory that is not monitored, alerts will not be generated for files in that directory.
Note: Lacework cannot scan files that the administrator has opened or locked against sharing on the host machine.
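As an added illustration (not Lacework's agent code, and not the config.json format, which this page does not show), the following Python sketches the FIM cycle described above: hash files under included paths, prune excluded paths, skip files that cannot be opened instead of aborting the scan, and classify the result the way the two default policies do. The include/exclude lists, file names and the known-bad digest are all constructed for the demo.

```python
import hashlib, os, tempfile
from pathlib import Path

def sha256_file(path):
    """Hash contents in chunks; only digest and metadata leave the host, not contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(include, exclude):
    """Map files under `include` to (size, mtime_ns, sha256), pruning `exclude` subtrees."""
    files, skipped = {}, []
    ex = {os.path.abspath(e) for e in exclude}
    for root in include:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = [d for d in dirnames
                           if os.path.abspath(os.path.join(dirpath, d)) not in ex]
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.stat(p)
                    files[p] = (st.st_size, st.st_mtime_ns, sha256_file(p))
                except OSError:  # e.g. file opened/locked by another process: skip, don't abort
                    skipped.append(p)
    return files, skipped

def compare(baseline, current, known_bad):
    """New/changed files (cf. LW_FIM_33) and files whose hash is on a bad list (cf. LW_FIM_34)."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "changed": sorted(p for p in baseline if p in current and baseline[p][2] != current[p][2]),
        "suspicious": sorted(p for p, meta in current.items() if meta[2] in known_bad),
    }

def demo():
    """Constructed tree: take a baseline, tamper with it, rescan, and classify the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        mon = Path(tmp, "monitored")
        (mon / "bin").mkdir(parents=True); (mon / "logs").mkdir()
        (mon / "bin" / "svc.exe").write_bytes(b"original service binary")
        (mon / "logs" / "app.log").write_bytes(b"noisy log, excluded from scanning")
        include, exclude = [str(mon)], [str(mon / "logs")]
        baseline, _ = snapshot(include, exclude)
        (mon / "bin" / "svc.exe").write_bytes(b"tampered service binary")      # changed
        (mon / "bin" / "dropper.exe").write_bytes(b"constructed bad sample")   # new
        known_bad = {hashlib.sha256(b"constructed bad sample").hexdigest()}   # constructed list
        current, skipped = snapshot(include, exclude)
        return compare(baseline, current, known_bad), sorted(baseline), skipped
```

Running demo() reports svc.exe as changed, dropper.exe as both new and suspicious, and never sees app.log because its directory was pruned before scanning.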