File Integrity Monitoring Release 4.8

July 28, 2025

Database Monitoring with FIM

File Integrity Monitoring (FIM) can now monitor and detect changes to your databases. Any changes detected on your databases are logged as events and displayed under the Events > Scan Based tab. These events are displayed with the Host Type as Database.

With File Integrity Monitoring on databases, you can:

  • Monitor changes to your database, such as updates to structure, settings, or access.
  • Maintain compliance with standards like PCI DSS, HIPAA, and GDPR.
  • Detect and respond to unauthorized or suspicious changes to strengthen security.

This feature requires the Qualys Custom Assessment and Remediation (CAR) subscription with version 2.5.2.0 and higher.

This feature works in conjunction with the CAR module. You must create and configure a parameterized script to monitor your database for changes. When executed, the script securely accesses your database, detects any changes, and logs the results as events under FIM > Events > Scan Based.

For more information on database monitoring, refer to the File Integrity Monitoring Online Help.

Enhanced FIM Events Report with Incident Information

File Integrity Monitoring event reports now display incident details related to events. The events report generated through the report rule now includes two additional columns: Incident Name and Incident Status.

Refer to the image below, which shows the new columns displaying the details of the incident.

When setting up a report rule, you can enable this feature by selecting the new Include Incident Name and Incident Status in report checkbox.

  • This Include Incident Name and Incident Status in report checkbox is available only when creating a report rule for events.
  • If this checkbox is not selected, no incident data is captured, and the new Incident Name and Incident Status columns remain empty.

If the Incident Status still appears OPEN in the report after you have closed the incident, it may take some time for the update to reflect. Generate the report again after one hour to view the updated information. 

New QQL Tokens

The following table provides the new QQL tokens added in this release:

Token Tab Description
event.hostType: All Events > Scan Based Use this token to search events using the host type.

Token values are: network_device and database

script.name: All Events > Scan Based Use the script name to find database events.

Issue Addressed

The following reported and notable issue is fixed in this release:

Category/Component Description
File Integrity Monitoring Incidents We fixed an issue where the correlation rule failed to create incidents for some events due to system processing delays.