
File Integrity Monitoring - So many events generated for a single file copy - How can I reduce?

I started using FIM today. I copied a single .exe file to C:\ on a system I monitor with FIM Connector. This generated 80 events with identical information. Is there a way to reduce the number of events generated by a single file copy, delete, etc.? I saw a post about using alerts and filtering that way. We only allow admins to log into the servers anyway, so filtering on non-admin logins would not work here.

Is there another way to reduce the potential email traffic that would be generated?

Thank You

Steve

  • I don't think there is a way to reduce the actual events that FIM is recording.  If you are sending an alert for each time you have a FIM event, you should be able to reduce the amount of emails sent by editing the rule that is sending those emails and modifying the 'correlation times' to however high still triggers an email, but also doesn't super-spam you.  You may need to experiment a bit and also look at the logs themselves to see what you're dealing with.

  • Thanks whpd!

    I will try this and let you know!

  • I have had the same issue with various clients.  It's different for every single client as they all have different audit policies.  Playing with the correlation time is the only way.

    This is something I used for a client in looking for a file open (ignore the last line with the HR Admin). Note the correlation time as 6 events within 2 seconds, which worked for one client. Another client required 4 events within 8 seconds.

    [attached image: 1.PNG]
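The "N events within T seconds" correlation the replies describe, as an added illustration that is not part of this thread or of the FIM product: a sliding-window correlator over constructed FIM events (sample data, not real logs) that raises one alert per burst and holds further alerts for that file until the window has passed. How the real alert rule applies its correlation time is assumed here, not taken from the product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_burst(start, n, host, action, path, spacing_ms=10):
    """Build n constructed FIM events for one file, spaced spacing_ms apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(milliseconds=i * spacing_ms)).isoformat()} {host} {action} {path}"
            for i in range(n)]

# Constructed sample: one file copy producing 80 identical events (as in the question),
# a single change to another file, and a second copy of the same file an hour later.
SAMPLE_EVENTS = (make_burst("2024-05-01T10:00:00", 80, "SRV01", "MODIFY", "C:\\tool.exe")
                 + make_burst("2024-05-01T10:05:00", 1, "SRV01", "MODIFY", "C:\\other.dll")
                 + make_burst("2024-05-01T11:00:00", 80, "SRV01", "MODIFY", "C:\\tool.exe"))

def parse_event(line):
    """Event format assumed for this example: '<iso timestamp> <host> <action> <path>'."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path

def correlate(lines, threshold=6, window_seconds=2):
    """Return one alert per burst of identical (host, action, path) events.

    An alert fires when `threshold` events for the same key fall inside a sliding
    window of `window_seconds`; afterwards that key is held for `window_seconds`
    so the rest of the burst does not produce further alerts."""
    recent = defaultdict(list)   # key -> timestamps still inside the window
    held_until = {}              # key -> time until which new alerts are suppressed
    alerts = []
    for ts, host, action, path in sorted(parse_event(l) for l in lines):
        key = (host, action, path)
        bucket = [t for t in recent[key] if (ts - t).total_seconds() <= window_seconds]
        bucket.append(ts)
        recent[key] = bucket
        if len(bucket) >= threshold and ts >= held_until.get(key, ts):
            alerts.append({"host": host, "action": action, "path": path,
                           "first_seen": bucket[0].isoformat(),
                           "count_in_window": len(bucket)})
            held_until[key] = ts + timedelta(seconds=window_seconds)
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the defaults, the 160 burst events collapse to two alerts, but the lone change to the second file never alerts at all; if a single modification matters to you, the hold-down alone already collapses a burst, so a threshold of 1 keeps single changes visible (three alerts on the sample) while still avoiding the 80-email flood.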