Appendix F - FIM Event Format

Example of the File Integrity Monitoring (FIM) events generated by a Snare Enterprise Agent for Windows:

Note

This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats (i.e. SYSLOG)

Below is a table describing the contents of a FIM Event generated by Snare Agent. 

FieldTypeDescription
HostnameStringThe host name of the originating computer.
EventTypeStringFIMLog - the type of event generated.

SecurityLevel

IntegerThe severity level (Criticality) of the generated event.
EventTimeDatetimeThe time at which the modification was detected. (YYYY-MM-DDThh:mm:ss)
DigestTypeStringSHA512 - the hashing algorithm used.
EventActionStringOne of CHANGE, DELETE, RENAME or NEW.
ObjectTypeStringFILE
ObjectNameStringThe full path name of the object that has been added, removed, changed or renamed.
ObjectSizeIntegerThe size of the object in bytes after the modification. 
ObjectOwnerStringThe owner of the object that the change was detected on.
ObjectMTimeDatetimeThe modification time (mtime) of the object when the change is detected. (YYYY-MM-DDThh:mm:ss)
ObjectDigestStringThe calculated digest (checksum) value.
ObjectAttributesIntegerThe attributes of the object as a bit-wise integer value.
PrevObjectNameStringThe name of the object that had been added, removed, changed or renamed from the previous scan or empty if no previous object exists.
PrevObjectSizeIntegerThe size of the object in bytes from the previous scan.  0 if no previous object exists.
PrevObjectOwnerStringThe owner of the object from the previous scan. Empty string if no previous object exists.
PrevObjectMTimeDatetimeThe modification time (mtime) of the object from the previous scan or empty if no previous object exists. (YYYY-MM-DDThh:mm:ss)
PrevObjectDigestString

The calculated digest (checksum) value from the previous scan. Empty string if no previous object exists.

PrevObjectAttributesIntegerThe attributes of the object from the previous scan as bit-wise integer value. 0 if no previous object exists.

Please refer to The Web User Interface (UI) → File Integrity Monitoring page in this User Guide for instructions on how to configure periodic FIM scans in the Snare Agent.