File Integrity Monitoring

File Integrity Monitoring (FIM) is a system or process that monitors directories and files for changes. Its primary purpose is to identify possibly undesirable changes so that system administrators can take an appropriate course of action. FIM can be configured to monitor multiple files and directories at the same time and to generate events if any files have been added, removed, renamed or modified. Changes to a file's attributes are also detected and reported. Once a FIM event has been sent for a detected change, a new baseline is set automatically so that the same change is not reported again; a later change to the same file generates a new event. Because the baseline moves with each reported change, the forwarded events are the record of what changed, so they should be sent to a destination that retains them.

FIM configurations can be created, viewed and modified from the File Integrity Monitoring section. From this page:

  • Select Add to create a new file integrity monitor
  • Select Modify to update an existing file integrity monitor
  • Select Delete to remove a configuration

Editing a File Integrity Monitor Configuration

The following parameters may be set for each monitor:


  • Schedule. Select the period at which the file integrity monitor starts scanning for changes: Midnight, Hourly or Custom. The Custom option takes a schedule in cron format, so knowledge of cron is required. Changes are detected when a scan runs, so the schedule bounds how quickly a change is reported. For example,
    15 10 * * * defines a schedule that runs at 10:15 am daily
    0 2 * * * defines a schedule that runs at 2 am daily
    * * * * * defines a schedule that runs every minute
    @daily defines a schedule that runs daily at midnight
    @hourly defines a schedule that runs every hour on the hour
  • Severity Level. A severity level may be assigned to FIM events so their importance can be identified quickly. A level is chosen separately for each destination format type, i.e. Snare, Syslog, CEF and LEEF, using the drop-down lists:
    • Snare - Critical, Priority, Warning, Information, Clear
    • Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
    • CEF - 0 to 10, where 0 is least severe and 10 is most severe
    • LEEF - 1 to 10, where 1 is least severe and 10 is most severe
  • File or Directory. The path must be the fully qualified path to the file to monitor, or the fully qualified path to the directory to monitor. To also monitor subdirectories (recursion), append the * wildcard to the directory path.
    For example, to monitor a particular log file:
       C:\mylogfiles\filetowatch.log
    For example, to monitor a directory and recurse into its subdirectories:
       C:\mylogfiles\*

    If there are many directories and files to recurse through, a scan may take some time to complete.
  • Inclusion Format. Specifies the file name or pattern to target within the path. The wildcards '*' and '?' are accepted, e.g. filetowatch*.log; to include all files use *.
  • Exclusion Format. Specifies the file name or pattern to exclude. The wildcards '*' and '?' are accepted, e.g. filetowatch*.log.
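To make the baseline-and-rebaseline behaviour, the recursion wildcard and the inclusion/exclusion patterns concrete, here is a small scanner written in Python for this page. It is an added example, not the Snare agent's own code. The trailing-* recursion convention and matching of the include/exclude patterns against the file name only follow the page's description; the rename heuristic (a removed path whose content hash reappears under a new path) and the choice of size, modification time and permission bits as the monitored "attributes" are assumptions made for the example. The sample directory tree in demo() is constructed inside a temporary directory.

```python
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Baseline record for one file: content hash plus the attributes we report on.
# (Attribute choice is an assumption for this example.)
Record = Tuple[str, int, int, int]  # (sha256, size, mtime_ns, permission bits)


def _record(path: str) -> Record:
    """Hash the file and capture the attributes whose change should be reported."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, st.st_mtime_ns, st.st_mode & 0o7777)


class FimMonitor:
    """Minimal scheduled-scan FIM (constructed example, not the agent's code).

    target : fully qualified file or directory path; a trailing '*' on a
             directory path (C:\\mylogfiles\\* or /var/log/*) enables recursion.
    include: '*'/'?' glob matched against the file name, e.g. 'filetowatch*.log'.
    exclude: '*'/'?' glob for names to skip; empty string excludes nothing.
    """

    def __init__(self, target: str, include: str = "*", exclude: str = "") -> None:
        self.recursive = target.endswith("*")
        self.root = target[:-1].rstrip("/\\") if self.recursive else target
        self.include, self.exclude = include, exclude
        self.baseline: Dict[str, Record] = {}
        self.primed = False  # the first scan only establishes the baseline

    def _wanted(self, name: str) -> bool:
        if not fnmatch.fnmatch(name, self.include):
            return False
        return not (self.exclude and fnmatch.fnmatch(name, self.exclude))

    def _snapshot(self) -> Dict[str, Record]:
        snap: Dict[str, Record] = {}
        if os.path.isfile(self.root):
            if self._wanted(os.path.basename(self.root)):
                snap[self.root] = _record(self.root)
            return snap
        for dirpath, dirnames, filenames in os.walk(self.root):
            if not self.recursive:
                dirnames[:] = []  # without the '*' wildcard, do not descend
            for name in filenames:
                if self._wanted(name):
                    full = os.path.join(dirpath, name)
                    snap[full] = _record(full)
        return snap

    def scan(self) -> List[Tuple[str, str]]:
        """Compare against the baseline, return (event, detail) pairs, re-baseline."""
        current = self._snapshot()
        events: List[Tuple[str, str]] = []
        if self.primed:
            removed = set(self.baseline) - set(current)
            added = set(current) - set(self.baseline)
            for old in sorted(removed):
                # Rename heuristic (assumption): same content hash under a new path.
                match = next((p for p in sorted(added)
                              if current[p][0] == self.baseline[old][0]), None)
                if match is not None:
                    events.append(("renamed", f"{old} -> {match}"))
                    added.discard(match)
                else:
                    events.append(("removed", old))
            for p in sorted(added):
                events.append(("added", p))
            for p in sorted(set(current) & set(self.baseline)):
                old_rec, new_rec = self.baseline[p], current[p]
                if old_rec[0] != new_rec[0]:
                    events.append(("modified", p))
                elif old_rec[1:] != new_rec[1:]:
                    events.append(("attributes_changed", p))
        # Re-baseline whether or not anything fired: a change is reported once.
        self.baseline, self.primed = current, True
        return events


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def demo() -> List[List[Tuple[str, str]]]:
    """Run scans over a constructed directory tree; return each scan's events."""
    with tempfile.TemporaryDirectory() as d:
        sub = os.path.join(d, "sub")
        os.mkdir(sub)
        watched = os.path.join(d, "filetowatch.log")
        nested = os.path.join(sub, "nested.log")
        _write(watched, "first line\n")
        _write(nested, "nested content\n")
        _write(os.path.join(d, "skipme.log"), "matches *.log but excluded\n")
        mon = FimMonitor(os.path.join(d, "*"), include="*.log", exclude="skip*")
        runs = [mon.scan()]                                   # baseline only
        _write(watched, "first line\nsecond line\n")
        runs.append(mon.scan())                               # modified
        runs.append(mon.scan())                               # re-baselined: nothing
        os.utime(watched, (0, 0))                             # mtime only
        runs.append(mon.scan())                               # attributes_changed
        os.rename(nested, os.path.join(sub, "renamed.log"))
        _write(os.path.join(d, "new.log"), "fresh\n")
        runs.append(mon.scan())                               # renamed, added
        os.remove(os.path.join(d, "new.log"))
        runs.append(mon.scan())                               # removed
        return runs


if __name__ == "__main__":
    for i, events in enumerate(demo(), 1):
        print(f"scan {i}: {events or 'no events'}")
```

The third scan returning nothing is the point to notice: the modification reported by the second scan has already become the new baseline, exactly as the page describes, so an event that is not forwarded and retained is gone.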


To save the above settings and ensure the registry has received the new configuration:
  1. Click Change Configuration to save the changes to the registry and return to the File Integrity Monitor Configuration main page, which summarises the files and directories to be monitored.
  2. Click the Apply Configuration & Restart Service menu item. The saved configuration is not active until the service has been restarted.

To review file integrity monitoring events, click the Latest Events menu item and select the File Integrity button, which restricts the display of latest events to FIM events only. Note that no events are generated unless a valid destination is configured to send them to.

Note

As of version 5.1, there is no Group Policy functionality for FIM, so FIM monitors must be configured on each agent individually.