/
Appendix D - FIM Event Format
Appendix D - FIM Event Format
- Andrew Madge
- Mortuza.Ali (Unlicensed)
Owned by Andrew Madge
Example of the File Integrity Monitoring (FIM) events generated by a Snare Agent for Linux:
Note
This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats (i.e. SYSLOG)
Below is a table describing the contents of a FIM Event generated by Snare Agent.
| Field | Type | Description |
|---|---|---|
| Hostname | String | The host name of the originating computer. |
| EventType | String | FIMLog - the type of event generated. |
SecurityLevel | Integer | The severity level (Criticality) of the generated event. |
| EventTime | Datetime | The time at which the modification was detected. (YYYY-MM-DDThh:mm:ss) |
| DigestType | String | SHA512 - the hashing algorithm used. |
| EventAction | String | One of CHANGE, DELETE, RENAME or NEW. |
| ObjectType | String | FILE |
| ObjectName | String | The full path name of the object that has been added, removed, changed or renamed. |
| ObjectSize | Integer | The size of the object in bytes after the modification. |
| ObjectOwner | String | The owner of the object that the change was detected on. |
| ObjectMTime | Datetime | The modification time (mtime) of the object when the change is detected. (YYYY-MM-DDThh:mm:ss) |
| ObjectDigest | String | The calculated digest (checksum) value. |
| ObjectAttributes | Integer | The attributes of the object as a bit-wise integer value. |
| PrevObjectName | String | The name of the object that had been added, removed, changed or renamed from the previous scan or empty if no previous object exists. |
| PrevObjectSize | Integer | The size of the object in bytes from the previous scan. 0 if no previous object exists. |
| PrevObjectOwner | String | The owner of the object from the previous scan. Empty string if no previous object exists. |
| PrevObjectMTime | Datetime | The modification time (mtime) of the object from the previous scan or empty if no previous object exists. (YYYY-MM-DDThh:mm:ss) |
| PrevObjectDigest | String | The calculated digest (checksum) value from the previous scan. Empty string if no previous object exists. |
| PrevObjectAttributes | Integer | The attributes of the object from the previous scan as bit-wise integer value. 0 if no previous object exists. |
| EventSourceId (optional) | String | Additional data to be included in each event as specified in Event Options settings of the Agent |
Please refer to The Web User Interface (UI) → File Integrity Monitoring page in this User Guide for instructions on how to configure periodic FIM scans in the Snare Agent.
, multiple selections available,
Related content
Appendix F - FIM Event Format
Appendix F - FIM Event Format
More like this
Appendix D - FIM Event Format
Appendix D - FIM Event Format
More like this
File Integrity Monitoring
File Integrity Monitoring
More like this
File Integrity Monitoring
File Integrity Monitoring
More like this
Release Notes for Snare Windows Agent v5.1.0
Release Notes for Snare Windows Agent v5.1.0
More like this
Release Notes for Snare Windows Agent with Event Collection v5.1.3
Release Notes for Snare Windows Agent with Event Collection v5.1.3
More like this