File Integrity Monitoring Release 4.7
June 11, 2025
Onboard to File Integrity Monitoring in a Few Steps
FIM now provides an end-to-end onboarding experience that helps new customers set up and start using File Integrity Monitoring quickly. The process guides you through each step, from choosing a framework to setting up notifications, so that new customers can configure File Integrity Monitoring with minimal assistance.
This enhanced onboarding experience is applicable to new customers only.
To begin the onboarding process, click Start Onboarding from the FIM home page and follow the subsequent steps.
For detailed information about the onboarding process, refer to Onboard to FIM in Few Steps in the FIM Online Help.
Once the onboarding is complete, you will start receiving real-time events and alerts.
Visibility into FIMC Failures for Linux Assets
When the Qualys agent returns a FIMC Stopped failure status to FIM, FIM performs prerequisite checks to identify the reason for the FIMC Stopped failure. If any prerequisite check fails, the agent cannot monitor files or generate events.
A new column Failure Reasons is added to display the FIMC Stopped failure reasons in the Real Time Assets tab.
You can click view details to view the complete list of Pass and Fail statuses of the prerequisite checks, along with recommended remediation action.
Save Search Query Enhancements
You can now save search queries with a customized name, save search queries as favorites, and share the saved queries with other users.
To access these enhancements, click > Save this Search Query.
In the Save Search Query window, you can:
- Enter a Name for the query.
- Select Mark As Favourite to mark the query as a favorite for quicker access.
- Select Share with users to make the query visible to all users.
For more information on search queries, refer to File Integrity Monitoring Online Help.
Qualys Data Retention Policy now Applicable to FIM Incidents
To comply with the Qualys data retention policy, the incidents created within the last 15 months from the current date are maintained in the system. If you attempt to search for incidents created more than 15 months ago, no incidents are displayed as they are purged from the records.
For example:
If today is May 29, 2025, you can view incidents created after February 29, 2024. Incidents created before February 29, 2024 are purged from the system.
API Support:
We have extended support of the Qualys data retention policy to FIM APIs. For more information, refer to the File Integrity Monitoring Release 4.7 API.
File Naming Convention for Events
We have updated the file naming convention for Scan Based events to identify baseline events received from assets. From now on, when a new baseline event is received, the file name of the event is appended with the word Baseline.
Enhancements in Inclusion and Exclusion Filters
We have improved the UI for inclusion and exclusion filters to display the logical operators (AND and OR). This helps you understand how the filters work together.
This enhancement applies in the following scenarios:
- Profile Exclusion Filters in FIM Profiles
When configuring profile exclusion filters within a File Integrity Monitoring profile, the logical operation between the User and Process filters is AND. This means that events are excluded only when the specified users run the specified processes. For example, if Windows\User A and Process B are added as exclusion filters, the event is suppressed only when User A runs Process B.
The following image shows how the AND operator is used to connect Users and Processes.
- Inclusion and Exclusion Filters in Rules
When configuring inclusion or exclusion filters in a rule, the logical operation between multiple filters is OR. This means that when multiple filters are provided, satisfying any one of them is enough for that filter to take effect. For example, Filter 1 is set to exclude events for Windows\User A when they are running Process B.exe, and Filter 2 is set to include events for Windows\User B when they are running Process C.exe. Since the OR operator is used, the system checks both filters. If either one of them is satisfied, the corresponding event is included or excluded from monitoring based on the filter.
The following image displays how the OR operator is used between filters.
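The two filter semantics described above, modeled as an added example (this is not Qualys code and does not use any FIM API). The class and function names are hypothetical, matching is assumed to be exact string comparison, and the sample users and processes are the ones from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    process: str


@dataclass(frozen=True)
class RuleFilter:
    action: str   # "include" or "exclude"
    user: str
    process: str

    def matches(self, event: Event) -> bool:
        # Inside a single filter, the user and the process must both match.
        return event.user == self.user and event.process == self.process


def profile_excludes(event: Event, users: set, processes: set) -> bool:
    """Profile exclusion: Users AND Processes. Both lists must match."""
    return event.user in users and event.process in processes


def rule_actions(event: Event, filters: list) -> list:
    """Rule filters are OR-ed: each satisfied filter contributes its action."""
    return [f.action for f in filters if f.matches(event)]


# Constructed sample configuration taken from the examples in the text.
PROFILE_USERS = {r"Windows\User A"}
PROFILE_PROCESSES = {"Process B"}
RULE_FILTERS = [
    RuleFilter("exclude", r"Windows\User A", "Process B.exe"),  # Filter 1
    RuleFilter("include", r"Windows\User B", "Process C.exe"),  # Filter 2
]

if __name__ == "__main__":
    for user, proc in [(r"Windows\User A", "Process B.exe"),
                       (r"Windows\User B", "Process C.exe"),
                       (r"Windows\User A", "Process C.exe")]:
        print(user, proc, "->", rule_actions(Event(user, proc), RULE_FILTERS))
```

The third sample event shows the case that is easy to misread: User A running Process C.exe satisfies neither filter, so no filter action applies to it.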
Support for Agentless FIM on Additional Network Devices
We have extended support for Agentless FIM on additional network devices. This update enables you to monitor changes on these newly-supported devices without the need to install an agent.
Refer to the following table for the newly-supported network devices, along with their corresponding QIDs:
Network Devices | Supported QIDs |
---|---|
F5 BIG-IP 11.x | 45664 |
F5 BIG-IP 12.x | 45664 |
F5 BIG-IP 13.x | 45664 |
F5 BIG-IP 14.x | 45664 |
F5 BIG-IP 15.x | 45664 |
F5 BIG-IP 16.x | 45664 |
F5 BIG-IP 17.x | 45664 |
ArubaOS 8 | 45665 |
ArubaOS 10 | 45665 |
Cisco ISE 3.x | 45662 |
For more information, refer to File Integrity Monitoring Online Help.
Updated Widget Names for Asset List Filter Cards
The widget names on the FIM dashboard for asset list filter cards are updated as follows:
Old Widget Name | Updated Widget Name |
---|---|
Non Compliant FIM Assets | Non compliant (Non communicating) Assets |
Non Communicating Assets | Non compliant (Bad Agent Health Status) Assets |
Issues Addressed
The following reported and notable issues are fixed in this release.
Category/Component | Description |
---|---|
FIM Incidents API | We fixed an issue where the Get Event Count for an Incident API did not return the expected response. |
FIM AIX Assets | We fixed an issue where AIX assets were incorrectly listed under Bad Agent Health Status on the Real Time Assets tab. |
FIM Alerting | We fixed an issue where the email alert displayed the incorrect/different reviewer's name even when a different user reviewed and closed the incident. |
FIM Real Time Assets | We fixed the issue where asset tags were not visible in the Tags column of the Real Time Assets tab. |
FIM Scan-based Events | We fixed the issue where scan-based events were incorrectly categorized under source type agent when searched using the eventSource token on the All Events and Event Review tabs. |
FIM Report Schedule | We fixed the issue where scheduled reports unexpectedly reset to Run Now. |
FIM Alerting | We fixed the issue that caused delays in receiving email notifications for alerts. |