Set Up File Integrity Monitoring
    • 20 Aug 2024

    Activity monitors provide a key advantage to security programs by identifying modifications to specific files or paths. These may be critical system files, paths containing valuable intellectual property, or files that must be tracked for regulatory or compliance purposes.

    You can use activity monitors to observe file modifications and leverage detection engines that can pull double duty by identifying file modifications of interest.

    This feature is not currently supported with Linux EDR.

    Create a file modification activity monitor

    You can create an activity monitor that identifies the creation, modification, or deletion of specific files on your endpoints. These monitors are dependent on the fidelity of file telemetry collected by your EDR/EPP sensor (not all sensors record file activity for all files).

    1. From the navigation menu, click the Analytics dropdown, and then click File Activity Monitors.

    2. Click New file activity monitor.

    3. Select which EDR service a file activity monitor can be used for.

      Note: Network file paths (for example, //192.168.0.1/home) are not supported with this feature.

    4. Configure your monitor by completing the form.

      Note: You can specify either whole directories or individual files for each activity monitor.

    5. Click Save.
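    As an added illustration of what such a monitor reports (example code written for this article, not Red Canary's own implementation): a snapshot-based file integrity check that baselines a directory, then classifies each path as created, modified, or deleted. The sample files, the temporary directory, and the rejection of network paths (mirroring the note above) are constructed for this example.

```python
"""Added example (not Red Canary's code): a minimal snapshot-based file
integrity check producing the create/modify/delete events that this page's
activity monitors surface. Sample paths and files are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def is_network_path(path: str) -> bool:
    """Network (UNC-style) paths such as //192.168.0.1/home are unsupported."""
    return path.startswith(("//", "\\\\"))


def snapshot(root: str) -> dict:
    """Map each regular file under root (or root itself, if a file) to its SHA-256."""
    if is_network_path(root):
        raise ValueError(f"network paths are not supported: {root}")
    p = Path(root)
    files = [p] if p.is_file() else [f for f in p.rglob("*") if f.is_file()]
    return {str(f): hashlib.sha256(f.read_bytes()).hexdigest() for f in files}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths into created / modified / deleted, like an activity monitor match."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario: baseline a directory, change it, report the matches."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "secret.key").write_text("original\n")
        baseline = snapshot(d)
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 intranet\n")  # modified
        (root / "secret.key").unlink()                                         # deleted
        (root / "new_tool.exe").write_bytes(b"MZ")                             # created
        events = diff_snapshots(baseline, snapshot(d))
    # Report basenames so the result does not depend on the temp directory path
    return {k: [os.path.basename(x) for x in v] for k, v in events.items()}


if __name__ == "__main__":
    print(demo())
```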

    View endpoint activity matches

    You can view endpoint activities that match your activity monitor. This includes information about the endpoint, user, and process associated with the activity.

    1. From your Red Canary dashboard, click the Analytics dropdown, and then click File Activity Monitors.

    2. Click matches found in the Results column.

    3. Review the list of matches.

    Delete an activity monitor

    You can delete activity monitors that are no longer valuable for your team.

    1. From your Red Canary dashboard, click the Analytics dropdown, and then click File Activity Monitors.

    2. Click the name of the monitor you would like to delete.

    3. Click Delete.

    Trigger automation playbooks by activity monitors

    You can trigger an automation playbook when an activity monitor matches endpoint activity. This enables both simple and complex automation using email, SMS, and any other supported automation actions.

    1. From your Red Canary dashboard, click Automation.

    2. Click the Configure new trigger dropdown, and then select When a File Integrity Match occurs.

    3. Customize the trigger and connect the associated playbooks as desired.
