AlienVault® USM Anywhere™

File Integrity Monitoring

File integrity monitoring (FIM) is a mechanism for validating the integrity of operating system and application software files by comparing the current state of each file against a known, good baseline. It is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.

AlienVault Agents

The AlienVault Agent is a lightweight endpoint agent based on osquery, the leading open-source operating system instrumentation framework for Windows and Linux. It enables endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.

This agent is simple and fast to install on Windows and Linux hosts and endpoints and has a small footprint. An installed Agent provides continuous endpoint security monitoring, allowing USM Anywhere to quickly detect threats on your essential assets without the time-consuming manual configuration and setup tasks required to implement and integrate a third-party tool.

When you install the AlienVault Agent on a host system that is associated with an asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers), the Asset Details page includes a File Integrity tab where you can view statistics for FIM events (any traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall) on the asset.

View FIM overview information for an asset with a deployed Agent

On the AlienVault Agents dashboard, you can also view FIM information collected from all deployed agents.

For more information about the AlienVault Agent and installing agents on your Linux and Windows assets, see The AlienVault Agent.

Manual FIM Configuration for Linux

For Linux systems that do not have the AlienVault Agent installed, you can enable FIM within USM Anywhere by configuring the osquery agent to monitor and track file changes on those systems. The osquery configuration file (typically named osquery.conf) contains the configuration options and queries that osquery uses when it runs. AlienVault provides a default configuration file that you can use to enable FIM for Linux systems in your USM Anywhere environment to identify system and software file changes and forward this information to the USM Anywhere Sensor.
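The following osquery.conf fragment is an added example of how FIM is expressed in osquery, not AlienVault's default configuration file: it turns on file event collection, declares which directory trees to watch (the `%%` suffix means recursive), excludes a noisy path, and schedules a query against the `file_events` table so that each create, modify, or delete is logged with the file's new hash. The paths and the 300-second interval are assumptions you should adapt to the host being monitored.

```json
{
  "options": {
    "enable_file_events": "true"
  },
  "file_paths": {
    "system_binaries": [
      "/usr/bin/%%",
      "/usr/sbin/%%",
      "/bin/%%",
      "/sbin/%%"
    ],
    "configuration": [
      "/etc/%%"
    ],
    "persistence": [
      "/etc/cron.d/%%",
      "/var/spool/cron/%%"
    ]
  },
  "exclude_paths": {
    "configuration": [
      "/etc/mtab"
    ]
  },
  "schedule": {
    "file_events": {
      "query": "SELECT target_path, category, action, uid, gid, mode, size, mtime, sha256, time FROM file_events;",
      "interval": 300,
      "removed": false
    }
  }
}
```

The `category` column in each result carries the key from `file_paths` (for example `persistence`), which is what lets a detection rule on the Sensor side weight a change under `/etc/cron.d` differently from one under `/usr/bin`; `"removed": false` prevents osquery from emitting a second, redundant "removed" record for every event once it ages out of the differential buffer.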

For more information about installing and configuring osquery on your Linux systems, see Collecting Logs from Linux Using osquery.

Manual FIM Configuration for Windows

For Windows systems that do not have the AlienVault Agent installed, you can use FIM to identify changes in system files, folders, and the Microsoft Windows registry. To use FIM, you configure Windows systems so that USM Anywhere can view Windows audit object access events. To do so, you need to enable file auditing and update security policy settings. After you apply policy changes so that audit object access events are written to the Windows security log, NXLog forwards those events to the USM Anywhere Sensor.

See Collecting Windows System Logs for detailed information about using NXLog to forward these events.