...
Note: the examples below show the events in Snare format. The first four fields (Hostname, EventType, SecurityLevel, EventTime) are the event header and may be formatted differently in other event formats (e.g. syslog).
...
```
root-virtual-machine FIMLog 1 2019-10-02 16:43:00 SHA-512 NEW FILE /home/test/Documents/test.txt 0 root 2019-10-02T07:12:53 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 33188 0 0 EventSourceId=Ab12
```
```
root-virtual-machine FIMLog 1 2019-10-02 16:45:00 SHA-512 DELETE FILE /home/test/Documents/test.txt 0 root 2019-10-02T07:12:53 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 33188 /home/test/Documents/test.txt 0 root 2019-10-02T07:12:53 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 33188 EventSourceId=Ab12
```

Two things to keep in mind when reading these examples against the field table below. First, the NEW event has no previous-scan object, so its empty PrevObjectName, PrevObjectOwner, PrevObjectMTime and PrevObjectDigest fields do not show up as visible gaps here; only the 0 values for PrevObjectSize and PrevObjectAttributes remain before EventSourceId. Second, the digest shown in both events is the SHA-512 of zero bytes, which is consistent with the ObjectSize of 0.
Below is a table describing the contents of a FIM Event generated by Snare Agent.
Field | Type | Description |
---|---|---|
Hostname | String | The host name of the originating computer. |
EventType | String | FIMLog - the type of event generated. |
SecurityLevel | Integer | The severity level (Criticality) of the generated event. |
EventTime | Datetime | The time at which the modification was detected. (YYYY-MM-DDThh:mm:ss; in the Snare-format examples above this header field is written as YYYY-MM-DD hh:mm:ss) |
DigestType | String | The hashing algorithm used to compute the digests (SHA-512 in the examples above). |
EventAction | String | One of CHANGE, DELETE, RENAME or NEW. |
ObjectType | String | FILE |
ObjectName | String | The full path name of the object that has been added, removed, changed or renamed. |
ObjectSize | Integer | The size of the object in bytes after the modification. |
ObjectOwner | String | The owner of the object that the change was detected on. |
ObjectMTime | Datetime | The modification time (mtime) of the object when the change is detected. (YYYY-MM-DDThh:mm:ss) |
ObjectDigest | String | The calculated digest (checksum) value. |
ObjectAttributes | Integer | The attributes of the object as a bit-wise integer value. In the examples above the value 33188 equals octal 0100644, which reads as a regular file with permission bits 0644 when interpreted as a Unix st_mode. |
PrevObjectName | String | The name of the object as recorded by the previous scan (for a RENAME, the name before the rename), or empty if no previous object exists. |
PrevObjectSize | Integer | The size of the object in bytes from the previous scan. 0 if no previous object exists. |
PrevObjectOwner | String | The owner of the object from the previous scan. Empty string if no previous object exists. |
PrevObjectMTime | Datetime | The modification time (mtime) of the object from the previous scan or empty if no previous object exists. (YYYY-MM-DDThh:mm:ss) |
PrevObjectDigest | String | The calculated digest (checksum) value from the previous scan. Empty string if no previous object exists. |
PrevObjectAttributes | Integer | The attributes of the object from the previous scan as bit-wise integer value. 0 if no previous object exists. |
EventSourceId | String | Additional data included in each event, as specified in the Event Options settings of the Agent (shown as EventSourceId=Ab12 in the examples above). |
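The following parser is an added example, not Snare Agent code, that turns a FIMLog event into the fields of the table above and derives the findings a reviewer would want from the current-versus-previous-scan pairs (content, mode and owner changes, rename origin, and a size/digest consistency check). It assumes, beyond what the page states, that each event is one line with tab-separated fields and that the last field carries the literal `EventSourceId=` prefix seen in the examples. The three sample events are constructed inline: the NEW and DELETE lines mirror the two examples on this page, and the CHANGE line is invented for illustration.

```python
"""Parse Snare Agent FIM (FIMLog) events and derive findings from the
current-vs-previous-scan fields.

Added example; not Snare code. Field order follows the table above.
Assumptions (not stated on the page): one event per line, fields separated
by tabs, and the last field carrying the literal "EventSourceId=" prefix
seen in the examples.
"""
import hashlib
import stat

FIELDS = [
    "Hostname", "EventType", "SecurityLevel", "EventTime", "DigestType",
    "EventAction", "ObjectType", "ObjectName", "ObjectSize", "ObjectOwner",
    "ObjectMTime", "ObjectDigest", "ObjectAttributes",
    "PrevObjectName", "PrevObjectSize", "PrevObjectOwner", "PrevObjectMTime",
    "PrevObjectDigest", "PrevObjectAttributes", "EventSourceId",
]
INT_FIELDS = {"SecurityLevel", "ObjectSize", "ObjectAttributes",
              "PrevObjectSize", "PrevObjectAttributes"}
EMPTY_SHA512 = hashlib.sha512(b"").hexdigest()  # digest of a zero-byte file


def parse_fim_event(line):
    """Split one tab-delimited FIMLog line into a dict keyed by the table's field names."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    ev = dict(zip(FIELDS, parts))
    if ev["EventType"] != "FIMLog":
        raise ValueError(f"not a FIMLog event: {ev['EventType']}")
    for name in INT_FIELDS:          # empty previous-scan fields count as 0
        ev[name] = int(ev[name]) if ev[name] else 0
    prefix = "EventSourceId="
    if ev["EventSourceId"].startswith(prefix):
        ev["EventSourceId"] = ev["EventSourceId"][len(prefix):]
    return ev


def mode_string(attrs):
    """Render ObjectAttributes as an ls-style mode string, treating it as a
    Unix st_mode: 33188 is octal 0100644 -> '-rw-r--r--'."""
    return stat.filemode(attrs)


def summarize(ev):
    """Return the findings a FIM reviewer would care about for one event."""
    findings = []
    action, obj = ev["EventAction"], ev["ObjectName"]
    if action == "NEW":
        findings.append(f"NEW {obj} size={ev['ObjectSize']} owner={ev['ObjectOwner']} "
                        f"mode={mode_string(ev['ObjectAttributes'])}")
    elif action == "DELETE":
        findings.append(f"DELETE {obj} last seen with digest {ev['PrevObjectDigest'][:16]}...")
    else:  # CHANGE or RENAME: diff current fields against the previous scan
        if action == "RENAME":
            findings.append(f"RENAME {ev['PrevObjectName']} -> {obj}")
        if ev["ObjectDigest"] != ev["PrevObjectDigest"]:
            findings.append(f"content changed on {obj}")
        if ev["ObjectAttributes"] != ev["PrevObjectAttributes"]:
            findings.append(f"mode changed on {obj}: "
                            f"{mode_string(ev['PrevObjectAttributes'])} -> "
                            f"{mode_string(ev['ObjectAttributes'])}")
        if ev["ObjectOwner"] != ev["PrevObjectOwner"]:
            findings.append(f"owner changed on {obj}: {ev['PrevObjectOwner']} -> {ev['ObjectOwner']}")
    # Consistency check: a zero-byte object must carry the SHA-512 of empty input.
    if action != "DELETE" and ev["ObjectSize"] == 0 and ev["ObjectDigest"].lower() != EMPTY_SHA512:
        findings.append(f"size/digest mismatch on {obj}: size 0 but digest is not SHA-512 of empty input")
    return findings


# Constructed sample events (tab-delimited). The first two mirror the NEW and
# DELETE examples on this page; the CHANGE event is invented for illustration.
NEW_EVENT = "\t".join([
    "root-virtual-machine", "FIMLog", "1", "2019-10-02 16:43:00", "SHA-512",
    "NEW", "FILE", "/home/test/Documents/test.txt", "0", "root",
    "2019-10-02T07:12:53", EMPTY_SHA512, "33188",
    "", "0", "", "", "", "0", "EventSourceId=Ab12",
])
DELETE_EVENT = "\t".join([
    "root-virtual-machine", "FIMLog", "1", "2019-10-02 16:45:00", "SHA-512",
    "DELETE", "FILE", "/home/test/Documents/test.txt", "0", "root",
    "2019-10-02T07:12:53", EMPTY_SHA512, "33188",
    "/home/test/Documents/test.txt", "0", "root", "2019-10-02T07:12:53",
    EMPTY_SHA512, "33188", "EventSourceId=Ab12",
])
CHANGE_EVENT = "\t".join([
    "root-virtual-machine", "FIMLog", "1", "2019-10-02 16:50:00", "SHA-512",
    "CHANGE", "FILE", "/home/test/Documents/test.txt", "6", "root",
    "2019-10-02T16:49:10", hashlib.sha512(b"hello\n").hexdigest(), "33261",  # 33261 = octal 0100755
    "/home/test/Documents/test.txt", "0", "root", "2019-10-02T07:12:53",
    EMPTY_SHA512, "33188", "EventSourceId=Ab12",
])


def run_samples():
    """Parse and summarize the three sample events; returns {EventAction: findings}."""
    out = {}
    for line in (NEW_EVENT, DELETE_EVENT, CHANGE_EVENT):
        ev = parse_fim_event(line)
        out[ev["EventAction"]] = summarize(ev)
    return out


if __name__ == "__main__":
    for action, findings in run_samples().items():
        print(action, findings)
```

Because the page's examples were extracted with whitespace collapsed, the empty previous-scan fields of the NEW event are not visible there; the constructed `NEW_EVENT` above spells them out as empty tab-separated fields so the parser sees all twenty columns. If the agent on your host delimits differently, change the `split("\t")` accordingly.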
Please refer to The Web User Interface (UI) → File Integrity Monitoring page in this User Guide for instructions on how to configure periodic FIM scans in the Snare Agent.
...