FIM Log Analysis

The FIM Log Analysis page reports on the FIM logs that Snare agents create using the FIM modules from 5.1.0 and later; as of 5.2.0 it also covers registry key change activity. FIM logs can contain records of NEW, CHANGE, or DELETE activity for files or registry keys on a system. The dashboard shows the FIM log rates over time, a summary of the actions performed (NEW, CHANGE or DELETE), File Owner Information, the Systems the changes came from, and the actual objects being changed. Each dashboard element allows the security team to review what changes have occurred and then link these changes back to approved activity via their change control systems or processes.

If the page is being used for incident detection, the standard date and time filter at the top right of the page can be used to narrow the view to the date and time periods under investigation. As with other pages, the drill through is populated when a dashboard element is clicked, showing more of the raw data from the relevant system or the files that were changed.

v2 Dashboards
