Example of the File Integrity Monitoring (FIM) events generated by a Snare Agent for macOS:
Note
This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats (i.e. SYSLOG)
Below is a table describing the contents of a FIM Event generated by Snare Agent.
| Field | Type | Description |
|---|---|---|
| Hostname | String | The host name of the originating computer. |
| EventType | String | FIMLog - the type of event generated. |
SecurityLevel | Integer | The severity level (Criticality) of the generated event. |
| EventTime | Datetime | The time at which the modification was detected. (YYYY-MM-DDThh:mm:ss) |
| DigestType | String | SHA512 - the hashing algorithm used. |
| EventAction | String | One of CHANGE, DELETE, RENAME or NEW. |
| ObjectType | String | One of DIRECTORY, FILE, REG_KEY or REG_VALUE. |
| ObjectName | String | The full path name of the object that has been added, removed, changed or renamed. |
| ObjectSize | Integer | The size of the object in bytes after the modification. For ObjectTypes DIRECTORY and REG_KEY, this value describes the number of children. |
| ObjectOwner | String | The owner of the object that the change was detected on. |
| ObjectMTime | Datetime | The modification time (mtime) of the object when the change is detected. (YYYY-MM-DDThh:mm:ss) |
| ObjectDigest | String | The calculated digest (checksum) value. |
| ObjectAttributes | Integer | The attributes of the object as a bit-wise integer value. |
| PrevObjectName | String | The name of the object that had been added, removed, changed or renamed from the previous scan or empty if no previous object exists. |
| PrevObjectSize | Integer | The size of the object in bytes from the previous scan. For ObjectTypes DIRECTORY and REG_KEY, this value describes the number of children. 0 if no previous object exists. |
| PrevObjectOwner | String | The owner of the object from the previous scan. Empty string if no previous object exists. |
| PrevObjectMTime | Datetime | The modification time (mtime) of the object from the previous scan or empty if no previous object exists. (YYYY-MM-DDThh:mm:ss) |
| PrevObjectDigest | String | The calculated digest (checksum) value from the previous scan. Empty string if no previous object exists. |
| PrevObjectAttributes | Integer | The attributes of the object from the previous scan as bit-wise integer value. 0 if no previous object exists. |
Please refer to The Web User Interface (UI) → File Integrity Monitoring page in this User Guide for instructions on how to configure periodic FIM scans in the Snare Agent.