Configure FIM Profile

FIM detects integrity violations across global IT systems in real-time. File, directory, and windows registry changes are monitored by creating rules as part of a FIM monitoring profile.

Before creating a profile, analyze your environment. Identify the areas of information that may be lucrative for an attacker, so that you know where you need to concentrate.

A well-thought out plan is vital to the success of your file monitoring practices. Key factors to consider while making such decisions should be:

  • Critical areas for the organization that must be put under continuous monitoring.
  • Type of actions or activities that should be monitored for specific file paths.
  • Highly probable attack surface areas in the environment.

How to Create a FIM Profile?

You can create FIM profile in the following three ways:

  • Import Profile from Library : FIM contains its own library of out-of-the-box monitoring profiles. You can import the required profile from the Library and use it as is or customize it as per your requirement.
  • Create a Profile: You can also create a customized profile from scratch and add the required rules, assets, and tags.
  • Clone a Profile: Using this option, you can copy an existing profile along with its rules. You can then customize it as per your requirement.

Best Practices

Following are the best practices while creating rules in a profile:

  • Avoid monitoring everything inside a folder or folders under it. Using Inclusion or Exclusion filters reduces the false positives to a good extent.
  • Avoid selecting All event actions to be monitored. Instead select only what’s required in order to curb noise issues.
  • Log files serve as digital footprints and are critical. But if such files are monitored for content changes, then it overwhelms the platform with events as log files are written on a continuous basis. Hence, log files should be monitored for Security modifications and deletions.
  • Keep the monitoring rule simple. Making the rule unnecessarily complex leads to ambiguity. For example, it’s better to exclude the whole directory instead of writing 50 file type exclusions.
  •  The depth of the folder to be monitored should be kept at a maximum of 3 unless otherwise required. This not only optimizes the scan time but also reduces the CPU load and agent processing.