With FIM, you receive real-time updates about anomalous activities that are detected. These updates (events) are sent with complete granular details such as who-what-when-where, about the changes occurring within the scope of your monitored area. Events can be expected and authorized or unexpected and malicious.
FIM provides one central location for viewing all of the events detected across all of your assets. The Events tab contains capabilities to search for events, group by options, and download the results.
Use tabs in the Events section to quickly identify:
(1) Event Insights: View the rules, profiles, processes, and users that have generated the highest number of events.
(2) All Events: View events detected across all of your assets are listed under this tab.
(3) Event Review: You can take actions such as ignore events or create incidents on the registered events from this tab. Only those events, which are not mapped to an incident are listed on the Event Review tab.
(4) Ignored: Events ignored from the Event Review tab are moved to this tab.
Note: All the date-related events on the cloud agent happen in the UTC zone with respect to the Asset time zone. The actual results in the UI show you the date as per your time zone. In addition, the Generated Report will have Date Time in UTC with respect to the Asset time zone.
Note: To add a folder path for file.fullPath and actor.imagePath QQL, user should avoid using “ \” at the end of the path as it results in invalid QQL while searching.
You can search events based on some criteria using the Qualys Query Language (QQL). For more information on QQL, see Search Tutorial and How to search. These searches can then be saved using the "Save this Search Query" option. For more information, refer to the Search Action topic.
Note: The file.hash QQL token is supported only for PE files on Windows. On Linux, all types of files are supported.
Note: The actor's column in the Events List is not available for the AIS operating system host's events. Instead, you can view 'not applicable' there.
Clicking Event Details in the Quick Actions for an event brings up the Event Details page. This page provides complete information about the FIM event.
Note: The QQLs actor.process, actor.UserID, actor.UserName, actor.imagePath are not supported for FIM assets on AIX, hence no data is fetched for AIX assets if you use these QQLs and the Actor column does not display any data.
Grouping Events by Assets in the All Events tab, brings up maximum of 1000 grouped assets.
You can view the event details with asset name and count of total events for the selected asset.
You can see the file size of the FIM event on the Event Details page.
Note: With Windows agent, you can see the File size of FIM events for Create, Content, and Attribute Action.
However, with Linux agents, you can see the File size of FIM events for Create, Content, and Security Action
On the Event Details page, you can view the success status of the event. The success status is shown as yes when the event is successfully executed and no when the event execution is unsuccessful.
You can group together false-positive events that are of similar nature and add them to the 'Ignored' list.
Go to Events > Event Review and select specific events and choose Ignore Events from the Actions menu. Optionally, choose Ignore All Matching Events to ignore all events that are currently matching your query for the time frame that you've selected. Ignored events are moved to the Ignored list. Note - You may get similar events in the future that will appear in your Events list and you'll want to ignore those too.
Alternatively, click an event to go to the Event Details page. Select Ignore option from the Actions menu.
You can easily restore any ignored event from the Ignored list.
Ignore an event and at the same time modify the monitoring profile rule or rules that triggered the event. Identify the event and then click the event to go to the Event details page. From the Actions menu, choose Ignore and Whitelist. This option is unavailable 1) for events for which incidents are created and 2) events that are created for the rules of the profile that are imported from the profile library and profile rules for which you have set Rule Type as File.
You'll see a list of profiles and rules associated with the event and a new exclude filter for the target directory or file. Feel free to make changes to the exclude filter before saving it. Once you hit Save, we'll add the exclude filter to the selected profile rules. The event will be moved to the Ignored list and new events will not be generated for the excluded directory/file.
Search for events that are generated by the same process, user, filename, path and rule. Drill-down an event and on the Event Details page, click the Actions menu on the top. Select Find similar events and then choose a filter to view events that matches the value of the filter for the selected event.
For example, choose the Process filter to view all the events that are generated by the same process as the current event.
Go to Events > Event Review to see the events that are waiting to be reviewed.
Enter your search query to find related changes that are part of the same incident, and click Create Incident. All events matching your query will be included in the incident. You'll have the opportunity to review the incident and decide if it's valid.
Note: File Integrity Monitoring supports the Cloud Integration Platform Service (CIPS). CIPS pushes data to various cloud interfaces and receives data from FIM.
FIM determines the data in Events that must be sent to CIPS and publishes it.