File Integrity Monitor (FIM)
FIM provides independent auditing of access to and modification of files and directories. It is intended for monitoring operating system files and other limited, critical files that, when changed, suggest systems have been compromised. The purpose of FIM is to monitor integrity (not activity) though mechanisms, such independent hash verification, that tend to be resource intensive, which is why FIM has limited use. For example, customers using Windows may want to monitor .exe and .dll files in C:\Windows\System32 and C:\Windows\SysWOW64. FIM is not suitable for use on large directories with thousands of files that are modified frequently. Enabling FIM on directories with tens of GB of data results in poor performance. Customers may want to filter for accounts such as localsystem, network service, and trustedinstaller to prevent FIM from logging normal system behavior and Windows Updates. However, FIM configuration should always be based on your organizational need and auditing requirements.
The recommended file limits for FIM usage are as follows:
- 10 files of 1 Gb each
- 1,000 files of 1Mb each
- 98,990 files of 1 Kb each
LogRhythm and FIM
When FIM detects a change, a System Monitor Agent generates a log and sends it to the Data Processor where you can manage it like any other log. Logs can be forwarded to LogMart and the Platform Manager, can generate alarms, and can be included in reports.
A LogRhythm File Integrity Monitor log message source type is automatically created for each agent on first connection to the Mediator. There are Generic System Log Sources for Windows and *NIX agents, and they are associated with the LogRhythm Default policy which contains all available MPE rules. For information on accessing and modifying the log source type, see Modify a Single Log Source.
A LogRhythm Default policy exists for File Integrity Monitor in the Knowledge Base file. To access the Log Processing Policy and its associated MPE Rules, see Modify Log Processing Policies.
MPE Rules exist for File Integrity Monitor in the MPE Rule Builder. Specific settings can be viewed and modified from within the File Integrity Monitor Log Processing Policy.
File Integrity Monitor logs can be queried using Investigator, monitored in Personal Dashboard and Tail, and restored using LogRhythm’s Archive Restoration tool SecondLook.
Types of File Integrity Monitoring
There are two types of File Integrity Monitoring: Standard (FIM) and Realtime (Realtime FIM). Standard and Realtime FIM are both included with the System Monitor Lite license for desktop operating systems only. Server operating systems require System Monitor Pro or Collector. For more information about specific operating system support, see the Realtime File Integrity Monitor (FIM) Support by Operating System topic in the LogRhythm Compatibility and System Monitor Functionality Guide.
| Standard FIM | Realtime FIM | |
|---|---|---|
| Monitors files and directories | X | X |
| Scans at configured intervals | X | |
| Monitors in realtime (event-driven) | X | |
| Identifies Process and User | X | |
| Identifies additional changes in permissions types | ||
| X | |
| X | |
Standard FIM
To use standard FIM, you need to:
- Install a System Monitor Lite Agent on a desktop operating system or a System Monitor Pro or Collector Agent on a server operating system
- Create the File Integrity Monitor Policy or Modify the File Integrity Monitor Policy
- Configure the System Monitor Agent Properties
Realtime FIM
Realtime File Integrity Monitoring (Realtime FIM) is an event-driven model that provides real-time accuracy and enables precise user identification. This feature provides exact identification of the process that performed the change, enabling precise identification of the user as well. Standard FIM scans the directories on an interval and then alarms when a change to a file's hash is detected. Depending on how many directories are being monitored, it may even take slightly longer than the configured interval for the Agent to hash all your files and alert you of a change.
To use Realtime FIM, you need to:
- Install a System Monitor Lite Agent on a desktop operating system or a System Monitor Pro or Collector Agent on a server operating system
- Create the File Integrity Monitor Policy or Modify the File Integrity Monitor Policy
- Configure the System Monitor Agent Properties
Realtime FIM cannot monitor files on a network drive using a UNC path.
On recent versions of Windows, the Last Access timestamp may be disabled by default, and it is required to ensure that read events trigger a Realtime FIM event. To check this setting, run fsutil behavior query disablelastaccess in an elevated command prompt. If DisableLastAccess is set to 1, you will need to enable it by running fsutil behavior set disablelastaccess 0 in the same elevated command prompt.
To ensure that Realtime FIM works as expected on Linux and AIX operating systems, please note the following prerequisites.
Linux Realtime FIM
The audit subsystem needs to be enabled for the LogRhythm System Monitor to correctly perform Realtime FIM on Linux. You can query the status of the subsystem by running the following command: auditctl –s
The "e" value indicates if audit is enabled. A value of 1 indicates that audit is enabled, and 0 is disabled.
If needed, you can enable audit by running the following command: auditctl –e 1
Ensure that the audit subsystem is enabled at startup on the system where the System Monitor is running.
RealTimeFIM feature on AgentU uses the system auditd service to collect logs for monitoring. Due to an architectural limitation on Linux, only one instance of auditd can be active. Therefore, if RealTimeFIM is enabled, /var/log/audit/audit.log won't be collected.
AIX Realtime FIM
To ensure proper operation of Realtime FIM on AIX, please note the following:
- libstdc++ 4.8.3 or newer must be installed for the System Monitor to start.
- If needed, modify /etc/security/audit/config to be sure that it contains the following:
- classes:
files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create users:
[for every user] = general,filesAfter modifying /etc/security/audit/config, restart the audit service and verify the audit object section has been updated permanently.
- classes:
There can be many entries under the users section, one for each user. If a user entry does not contain the files parameter, file activity by that user cannot be monitored.
FIM Triggers
The modifications that trigger FIM logs depend on the operating system where the host agent is installed. FIM is available on all operating systems supported by the LogRhythm *NIX and Windows System Monitor Agents. Realtime FIM is supported on desktop and server platforms with the appropriate license. The following table provides details.
| Type of Change | Standard FIM | Realtime FIM | ||
|---|---|---|---|---|
| Windows | *NIX | Windows | *NIX1 | |
| Files and Directories | ||||
| X | X | X | |
| X | X | X | X |
| X | X | ||
| X | X | X | X |
| X2 | X | X2 | X |
| Files | ||||
| X | X | X | X |
| X | X | X | X |
1For a full list of Realtime FIM support by Agent operating system, see Realtime File Integrity Monitor (FIM) Support by Operating System.
2On Windows systems, FIM categorizes files sent to the Recycle Bin (for example, by right-clicking the file and clicking Delete) as renamed instead of deleted. If you bypass the recycle bin when deleting a file (for example, press Shift + Delete), FIM logs the DELETE change.
FIM is centrally managed from the LogRhythm Console. The defined monitoring policy can be used by multiple agents; thus, filemon.cfg no longer needs to be edited for each agent host.
Due to limitations in the Windows Cache Manager, reads performed by applications that use Memory-mapped files are not always seen by file system filters such as the one used by Realtime FIM in the Windows System Monitor Agent. Notepad and WordPad are two such applications. Consequently, some reads by these applications, and other applications that use Memory-mapped files, are not reported.
In some cases, Linux realtime FIM reports a large number of events for a single operation. If there is an operation on a very large file, the Linux realtime FIM module may report each read and write as the file is being processed for an operation. The agent may seem to be reporting a large number of events, but the agent is reporting each and every file system access performed by the operation.
The MODIFY events that are reported by Linux realtime FIM indicate content changes to that file. A single application operation (wget, scp, etc) may generate multiple MODIFY events that indicate that Linux is updating the file multiple times.
FIM Event Descriptions
There are four categories of Agent Event(s): Discrete, Cumulative, Multiple Change, and Anomaly. Discrete Events have a one to one correspondence with the RealTime FIM Records which cause them to be generated. Cumulative Events are multiple RealTime FIM Records combined into a single Event. Multiple Change Events are multiple Agent Events generated by a single RealTime FIM Record. Anomaly Events can occur independently of RealTime FIM Records. Multiple Change and Anomaly Events are SubTyped Events.
Discrete Events
Discrete Events have a one to one correspondence with the RealTime FIM Records which cause them to be generated. All Event types that aren’t Cumulative, Multiple Change, or Anomaly Events are Discrete Events.
ADD
An evCreate record for a file that didn’t previously exist will generate a CreateOpEvent which has the Event ID “EVENT=ADD”.
REALTIME FILEMON EVENT=ADD OBJECT=F:\Users\john.doe\AppData\Local\Temp\Bar.tmp USER=DOMAIN\john.doe PROCESS=cmd SIZE=1184 DETAILS=lastaccess=5/20/2011 11:35:07 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/20/2011 11:35:07 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2692
RENAME
An evSetInformation record with the FileInfoClass value of evFileRenameInformation will generate a RenameEvent which has the Event ID “EVENT=RENAME”.
REALTIME FILEMON EVENT=RENAME OBJECT=F:\Users\john.doe\AppData\Local\Temp\Bar.tmp USER=DOMAIN\john.doe PROCESS=cmd SIZE=1184 DETAILS=lastaccess=5/20/2011 11:35:07 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/20/2011 11:35:07 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2692 newname=F:\Users\john.doe\AppData\Local\Temp\Bar.tmp
DELETE
An evClose on a file which has had the delete flag set will result in a test for the existence of the file. If the file no longer exists, a DeleteEvent is generated, which has the Event ID “EVENT=DELETE”.
REALTIME FILEMON EVENT=DELETE OBJECT=F:\Users\john.doe\AppData\Local\Temp\Bar.tmp USER=DOMAIN\john.doe PROCESS=cmd SIZE=1184 DETAILS=lastaccess=5/20/2011 11:35:07 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/20/2011 11:35:07 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2692
DELETE_FAILED
An evClose on a file which has had the delete flag set will result in a test for the existence of the file. If the file still exists, a DeleteFailedEvent is generated, which has the Event ID “EVENT=DELETE_FAILED”.
REALTIME FILEMON EVENT=DELETE_FAILED OBJECT=F:\Users\john.doe\AppData\Local\Temp\Bar.tmp USER=DOMAIN\john.doe PROCESS=cmd SIZE=1184 DETAILS=lastaccess=5/20/2011 11:51:32 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/20/2011 11:51:31 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2692
Cumulative Events
Cumulative Events are multiple RealTime FIM Records combined into a single Event. ReadWriteEvent and its derivatives are currently the only Cumulative Events.
READ
A ReadEvent, derived from ReadWriteEvent, has the Event ID “EVENT=READ”. The first evRead Record following a non-Read Record generates a ReadEvent, but the Event is not forwarded, in order to coalesce any subsequent adjacent evRead Records. Until there is a record that is not evRead, each subsequent record is checked for adjacency with the previous Read Record(s) and coalesced with the previous one(s) by adding the length from the current record to the cumulative length for the pending ReadEvent. A non-Read Record or a Read Record with a non-adjacent location will cause the ReadEvent to be forwarded to the Mediator and processing to resume on the next Record as the initial Record in a new Event.
REALTIME FILEMON EVENT=READ OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp USER=DOMAIN\john.doe PROCESS=System OFFSET=0 LENGTH=1184 SIZE=1184 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=4
MODIFY
A WriteEvent, derived from ReadWriteEvent, has the Event ID “EVENT=MODIFY”. The first evWrite Record following a non-Write Record generates a WriteEvent, but the Event is not forwarded, in order to coalesce any subsequent adjacent evWrite Records. Until there is a record that is not evWrite, each subsequent record is check for adjacency with the previous Write Record(s) and coalesced with the previous one(s) by adding the length from the current record to the cumulative length for the pending WriteEvent. A non-Write Record or a Write Record with a non-adjacent location will cause the WriteEvent to be forwarded to the Mediator and processing to resume on the next Record as the initial Record in a new Event.
REALTIME FILEMON EVENT=MODIFY OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp USER=DOMAIN\john.doe PROCESS=System OFFSET=0 LENGTH=1184 SIZE=1184 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=4 oldsize=1184 hash=(0xbdfa30ad4e5884aa1874c095fae3a28aa35f5156)->(0x8926907a474becf728a8fbdd2258cbb7bd652991)
SubTyped Events
SubTyped Events are multiple Event definitions with a single Event ID. They contain Type and Description fields that other Events do not have.
Multiple Change Events
Multiple Change Events are multiple Events generated by a single RealTime FIM Record. Multiple Change Events have a CHANGESET field that is unique to the RealTime FIM Record that generated them. PermissionsChangeEvent and AttributeChangeEvent and their derivatives are Multiple Change Events. Multiple Change Events are SubTyped Events, with Type and Description fields.
ATTRIB
The Attribute Change Event is a Multiple Change Event due to the fact that multiple Attributes can be changed with a single operation on the File System, which will show up as a single RealTime FIM Record, but it is desirable to have them appear as separate Event messages. An AttributeChangeEvent has the Event ID “EVENT=ATTRIB”. The AttributeChangeEvent is a SubTyped Event. The label for the Type field is “ATTRIB_TYPE”. The label for the Description field is “ATTRIB_DESC”. The supported Attributes are Read-only, Hidden, and System. There are separate events for Set and Clear of each Attribute.
Read-only Attribute Set
A ReadOnlyAttributeSetEvent has the Event ID “EVENT=ATTRIB”. The ATTRIB_TYPE field is 001, and the ATTRIB_DESC field is “Read-only Attribute Set”.
REALTIME FILEMON EVENT=ATTRIB OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ATTRIB_TYPE=001 ATTRIB_DESC=Read-only Attribute Set USER=DOMAIN\john.doe PROCESS= SIZE=51703603 CHANGESET=20110520170707-93019 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 10:34:07 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=1108
Read-only Attribute Clear
A ReadOnlyAttributeClearEvent has the Event ID “EVENT=ATTRIB”. The ATTRIB_TYPE field is 002, and the ATTRIB_DESC field is “Read-only Attribute Clear”.
REALTIME FILEMON EVENT=ATTRIB OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ATTRIB_TYPE=002 ATTRIB_DESC=Read-only Attribute Clear USER=DOMAIN\john.doe PROCESS= SIZE=51703603 CHANGESET=20110520170707-93259 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 10:34:07 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=796
Hidden Attribute Set
A HiddenAttributeSetEvent has the Event ID “EVENT=ATTRIB”. The ATTRIB_TYPE field is 003, and the ATTRIB_DESC field is “Hidden Attribute Set”.
REALTIME FILEMON EVENT=ATTRIB OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ATTRIB_TYPE=003 ATTRIB_DESC=Hidden Attribute Set USER=DOMAIN\john.doe PROCESS= SIZE=51703603 CHANGESET=20110520170707-93019 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 10:34:07 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=1108
Hidden Attribute Clear
A HiddenAttributeClearEvent has the Event ID “EVENT=ATTRIB”. The ATTRIB_TYPE field is 004, and the ATTRIB_DESC field is “Hidden Attribute Clear”.
REALTIME FILEMON EVENT=ATTRIB OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ATTRIB_TYPE=004 ATTRIB_DESC=Hidden Attribute Clear USER=DOMAIN\john.doe PROCESS= SIZE=51703603 CHANGESET=20110520170707-93259 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 10:34:07 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=796
System Attribute Set
A SystemAttributeSetEvent has the Event ID “EVENT=ATTRIB”. The ATTRIB_TYPE field is 005, and the ATTRIB_DESC field is “System Attribute Set”.
REALTIME FILEMON EVENT=ATTRIB OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ATTRIB_TYPE=005 ATTRIB_DESC=System Attribute Set USER=DOMAIN\john.doe PROCESS= SIZE=51703603 CHANGESET=20110520170707-93019 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 10:34:07 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=1108
System Attribute Clear
A SystemAttributeClearEvent has the Event ID “EVENT=ATTRIB”. The ATTRIB_TYPE field is 006, and the ATTRIB_DESC field is “System Attribute Clear”.
REALTIME FILEMON EVENT=ATTRIB OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ATTRIB_TYPE=006 ATTRIB_DESC=System Attribute Clear USER=DOMAIN\john.doe PROCESS= SIZE=51703603 CHANGESET=20110520170707-93259 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 10:34:07 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=796
PERMISSIONS
The Permission Change Event is a Multiple Change Event due to the fact that multiple Permissions can be changed with a single operation on the File System, which will show up as a single RealTime FIM Record, but it is desirable to have them appear as separate Event messages. A PermissionChangeEvent has the Event ID “EVENT=PERMS”. The PermissionChangeEvent is a SubTyped Event. The label for the Type field is “PERMS_TYPE”. The label for the Description field is “PERMS_DESC”. The supported Permissions are Owner, Group, Discretionary ACL, and System ACL. There is a single Event for each Permission type.
Owner changed
An OwnerChangeEvent has the Event ID “EVENT=PERMS”. The PERMS_TYPE field is 001, and the PERMS_DESC field is “Owner changed”.
REALTIME FILEMON EVENT=PERMS OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp PERMS_TYPE=001 PERMS_DESC=Owner changed USER=DOMAIN\john.doe PROCESS=explorer SIZE=1184 OWNER=()->(DOMAIN\john.doe) CHANGESET=20110520171237-167336 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2640
Group changed
A GroupChangeEvent has the Event ID “EVENT=PERMS”. The PERMS_TYPE field is 002, and the PERMS_DESC field is “Group changed”.
REALTIME FILEMON EVENT=PERMS OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp PERMS_TYPE=002 PERMS_DESC=Group changed USER=DOMAIN\john.doe PROCESS=explorer SIZE=1184 GROUP=()->(DOMAIN\Domain Users) CHANGESET=20110520171237-167336 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2640
Discretionary ACL changed
A GroupChangeEvent has the Event ID “EVENT=PERMS”. The PERMS_TYPE field is 002, and the PERMS_DESC field is “Group changed”.
REALTIME FILEMON EVENT=PERMS OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp PERMS_TYPE=002 PERMS_DESC=Group changed USER=DOMAIN\john.doe PROCESS=explorer SIZE=1184 GROUP=()->(DOMAIN\Domain Users) CHANGESET=20110520171237-167336 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2640
Discretionary ACL changed
A DaclChangeEvent has the Event ID “EVENT=PERMS”. The PERMS_TYPE field is 003, and the PERMS_DESC field is “Discretionary ACL changed”.
REALTIME FILEMON EVENT=PERMS OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp PERMS_TYPE=003 PERMS_DESC=Discretionary ACL changed USER=DOMAIN\john.doe PROCESS=explorer SIZE=1184 CHANGESET=20110520171237-167336 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2640
System ACL changed
A SaclChangeEvent has the Event ID “EVENT=PERMISSIONS”. The PERMS_TYPE field is 004, and the PERMS_DESC field is “System ACL changed”.
REALTIME FILEMON EVENT=PERMS OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp PERMS_TYPE=004 PERMS_DESC=System ACL changed USER=DOMAIN\john.doe PROCESS=explorer SIZE=1184 CHANGESET=20110520171237-167336 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=2640
Anomaly Events
Anomaly Events can be generated independently of any RealTime FIM Records, or in conjunction with one or more Records. The AnomalyEvent has the Event ID “EVENT=ANOMALY”. Anomaly Events are SubTyped Events. The label for the Type field is “ANOMALY_TYPE”. The label for the Description field is “ANOMALY_DESC”. The supported Anomaly types are Hash Equal and Missed Modify Anomalies.
Modification observed with unchanged hash file
A HashEqualAnomalyEvent has the Event ID “EVENT=ANOMALY”. The ANOMALY_TYPE is 001. The ANOMALY_DESC is “Modification observed with unchanged file hash”.
REALTIME FILEMON EVENT=ANOMALY OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ANOMALY_TYPE=001 ANOMALY_DESC=Modification observed with unchanged file hash USER=DOMAIN\john.doe PROCESS=System SIZE=1184 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 11:08:09 AM -0600 create=5/19/2011 11:51:27 AM -0600 usersid=S-1-5-21-1760952874-2610146993-1928205901-4870 pid=4 hash=0x8926907a474becf728a8fbdd2258cbb7bd652991
No MODIFY observed with changed file hash
A MissedModifyAnomalyEvent has the Event ID “EVENT=ANOMALY”. The ANOMALY_TYPE is 002. The ANOMALY_DESC is “No MODIFY observed with changed file hash”.
REALTIME FILEMON EVENT=ANOMALY OBJECT=F:\Users\john.doe\AppData\Local\Temp\Foo.tmp ANOMALY_TYPE=002 ANOMALY_DESC=No MODIFY observed with changed file hash SIZE=1025 DETAILS=lastaccess=5/19/2011 11:51:27 AM -0600 lastwrite=5/20/2011 12:56:54 PM -0600 create=5/19/2011 11:51:27 AM -0600 oldsize=1024 hash=(0xf462535686c7922fed4df8d5fbd7ea8e8b848b68)->(0xb53f12025175614596948646fa7782dcfbeb67f5)
Discretionary Access Control List (ACL) Changes
When file or folder permissions are added, modified, or deleted, Realtime FIM logs the following details:
- Origin Logon. The account ID of the user who made the change.
- Change Made. The type of access that was granted (for example, read, write, full, etc.).
- Affected File or Folder. The file or folder upon which permissions were changed (for example, C:\users\john.doe\file.tmp).
- User or Group Granted Access. The user ID or user group that was granted access.
Within the Realtime FIM logs, associated permissions are comma-delimited, a separate log is generated for each account impacted by the change, and each log contains a RESULT field that describes the file permissions resulting from the change. The following examples illustrate how Realtime FIM logs added, deleted, or changed permissions.
Add Permissions
REALTIME FILEMON EVENT=PERMS OBJECT=C:\windows\regedit.exe PERMS_TYPE=003 PERMS_DESC=Discretionary ACL changed USER=domain\user.one PROCESS=DllHost.exe SIZE=7 CHANGESET=20161130175122-3555943 DETAILS=lastaccess=11/30/2016 8:08:21 AM -0800 lastwrite=1/22/2016 2:25:47 PM -0800 create=11/30/2016 8:08:21 AM -0800 usersid=S-1-5-21-1760952874-2610146993-1928205901-12996 pid=2955764 Policy=User1 c:\windows COMMAND=ADD domain\user.two AccessAllowed Write, ReadAndExecute, Synchronize RESULT=BUILTIN\Users AccessAllowed Write, ReadAndExecute, Synchronize;domain\user.two AccessAllowed Write, ReadAndExecute, Synchronize;NT AUTHORITY\SYSTEM AccessAllowed FullControl;BUILTIN\Administrators AccessAllowed FullControl;BUILTIN\Users AccessAllowed ReadAndExecute, Synchronize;APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES AccessAllowed ReadAndExecute, Synchronize
Modify Permissions
REALTIME FILEMON EVENT=PERMS OBJECT=C:\windows\regedit.exe PERMS_TYPE=003 PERMS_DESC=Discretionary ACL changed USER=domain\user.one PROCESS=DllHost.exe SIZE=7 CHANGESET=20161130175145-3872518 DETAILS=lastaccess=11/30/2016 8:08:21 AM -0800 lastwrite=1/22/2016 2:25:47 PM -0800 create=11/30/2016 8:08:21 AM -0800 usersid=S-1-5-21-1760952874-2610146993-1928205901-12996 pid=2186084 Policy=User1 c:\windows COMMAND=MODIFY domain\user.two AccessAllowed Write, ReadAndExecute, Synchronize -> FullControl RESULT=BUILTIN\Users AccessAllowed Write, ReadAndExecute, Synchronize;domain\user.two AccessAllowed FullControl;NT AUTHORITY\SYSTEM AccessAllowed FullControl;BUILTIN\Administrators AccessAllowed FullControl;BUILTIN\Users AccessAllowed ReadAndExecute, Synchronize;APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES AccessAllowed ReadAndExecute, Synchronize
Delete Permissions
REALTIME FILEMON EVENT=PERMS OBJECT=C:\windows\regedit.exe PERMS_TYPE=003 PERMS_DESC=Discretionary ACL changed USER=domain\user.one PROCESS=DllHost.exe SIZE=7 CHANGESET=20161130175225-4491589 DETAILS=lastaccess=11/30/2016 8:08:21 AM -0800 lastwrite=1/22/2016 2:25:47 PM -0800 create=11/30/2016 8:08:21 AM -0800 usersid=S-1-5-21-1760952874-2610146993-1928205901-12996 pid=1762608 Policy=User1 c:\windows COMMAND=DELETE domain\user.two AccessAllowed RESULT=BUILTIN\Users AccessAllowed Write, ReadAndExecute, Synchronize;NT AUTHORITY\SYSTEM AccessAllowed FullControl;BUILTIN\Administrators AccessAllowed FullControl;BUILTIN\Users AccessAllowed ReadAndExecute, Synchronize;APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES AccessAllowed ReadAndExecute, Synchronize