FIM lets users see whether a file was published by a trusted source. The trust status is derived from the hash of the file's content.
The trust status of a file is shown on the Events Details page for events of type Create and Content. The source of this event enrichment (File Trust Status) is the centralized Qualys Threat DB.
Possible values of the trust status are Trusted and Unavailable:
- TRUSTED: Indicates the file is published by a trusted source, for example Microsoft or Oracle.
- UNAVAILABLE: No status for the file is available in the centralized Qualys Threat DB.
Events can be filtered using the search tokens.
On Windows, trust status is derived for PE files only; on Linux, it applies to all file types.
Go to the Events Details page to view events in detail.
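The following Python example is added here to illustrate how a hash-based trust status is derived and attached to Create and Content events, and how enriched events can then be filtered. It is not Qualys code and does not call the Qualys Threat DB: the set of trusted hashes, the event records, the field names and the file contents are all constructed for the example. The rules it applies are the ones stated above: only Create and Content events get a status, Windows events are evaluated for PE files only, Linux events for all file types, and a hash missing from the database yields UNAVAILABLE rather than a negative verdict.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the centralized trust database (assumption):
# a set of SHA-256 hashes of file content known to come from trusted publishers.
TRUSTED_HASHES = set()


def content_hash(data: bytes) -> str:
    """Trust status is keyed on the hash of the file content, not its name."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample file contents. "MZ" is the DOS/PE header magic, so the
# first two behave like PE files; the third is a plain shell script.
TRUSTED_PE = b"MZ" + b"\x90" * 62 + b"constructed trusted PE image"
UNKNOWN_PE = b"MZ" + b"\x90" * 62 + b"constructed unknown PE image"
LINUX_SCRIPT = b"#!/bin/sh\necho constructed\n"

TRUSTED_HASHES.update({content_hash(TRUSTED_PE), content_hash(LINUX_SCRIPT)})


@dataclass
class FimEvent:
    """Minimal constructed FIM event record (field names are assumptions)."""
    path: str
    action: str            # e.g. "Create", "Content", "Delete", "Attributes"
    os: str                # "windows" or "linux"
    content: bytes         # file content captured with the event
    trust_status: Optional[str] = None


def is_pe(data: bytes) -> bool:
    """PE images start with the 'MZ' DOS header signature."""
    return data[:2] == b"MZ"


def derive_trust(event: FimEvent) -> Optional[str]:
    """Return TRUSTED, UNAVAILABLE, or None when no status applies."""
    # Only Create and Content events carry a file trust status.
    if event.action not in ("Create", "Content"):
        return None
    # Windows: PE files only. Linux: every file type is evaluated.
    if event.os == "windows" and not is_pe(event.content):
        return None
    if content_hash(event.content) in TRUSTED_HASHES:
        return "TRUSTED"
    # Not in the database means "no status available", not "malicious".
    return "UNAVAILABLE"


def enrich(events: List[FimEvent]) -> List[FimEvent]:
    """Attach the derived trust status to each event in place."""
    for event in events:
        event.trust_status = derive_trust(event)
    return events


def filter_by_trust(events: List[FimEvent], status: str) -> List[FimEvent]:
    """Filter enriched events by trust status (stands in for a search token)."""
    return [e for e in events if e.trust_status == status]


def sample_events() -> List[FimEvent]:
    """Constructed events covering each rule above."""
    return [
        FimEvent(r"C:\Program Files\vendor\app.exe", "Create", "windows", TRUSTED_PE),
        FimEvent(r"C:\Users\Public\tool.exe", "Content", "windows", UNKNOWN_PE),
        FimEvent(r"C:\Windows\app.config", "Create", "windows", b"key=value\n"),
        FimEvent("/usr/local/bin/backup.sh", "Content", "linux", LINUX_SCRIPT),
        FimEvent("/usr/local/bin/backup.sh", "Delete", "linux", LINUX_SCRIPT),
        FimEvent("/etc/cron.d/job", "Create", "linux", b"* * * * * root /tmp/x\n"),
    ]


if __name__ == "__main__":
    for ev in enrich(sample_events()):
        print(f"{ev.os:7} {ev.action:8} {ev.path:40} {ev.trust_status}")
    print("unavailable:", [e.path for e in filter_by_trust(enrich(sample_events()), "UNAVAILABLE")])
```

Filtering on UNAVAILABLE is the useful triage view: it lists Create and Content events whose content hash the database cannot vouch for, which is where review effort belongs, while the Windows config file and the Linux Delete event correctly carry no status at all because the rules above do not evaluate them.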