
Create a Profile

You can create a profile based on your organization's requirements. This page explains the best practices, do's and don'ts to follow while creating a profile.

Best practices for creating rules in a profile:

- Avoid monitoring everything inside a folder and all the folders under it. Using Inclusion or Exclusion filters reduces false positives to a good extent.

- Avoid selecting all event actions to be monitored. Instead, select only what is required in order to curb noise.

- Log files serve as digital footprints and are critical. However, if such files are monitored for content changes, the platform will be overwhelmed with events because log files are written on a continuous basis. Hence, log files should be monitored for Security modifications and deletions only.

- Keep the monitoring rule simple. Making the rule unnecessarily complex leads to ambiguity. For example, it is better to exclude the whole directory than to write 50 file type exclusions.

- The depth of the folder to be monitored should be kept to a maximum of 3 unless otherwise required. This not only optimizes the scan time but also reduces CPU load and agent processing.

To Create a Monitoring Profile

Go to Configuration > Profiles and click Create New Profile.

Create New Profile.

Step 1: Profile Details

On the Profile Details page, add the following information and click Next.

- Profile Name: The name of the profile.

- Operating System: Select the required operating system from the drop-down list. You'll need to create separate profiles for Windows and Linux.

- Category: Select the required compliance category from the drop-down list. Click Manage to add a new Category, if required.

- Description: The description about the profile.

Create a Profile

Step 2: Rules

On the Rules page, you can create sections and rules.

Sections:

Sections are created to group rules in distinct categories.

To create a section, click New Section and provide the following details:

- Section name: Name of the section. Example: Configuration Files, Authentication Files, Critical Binaries and Executable, Log Files etc.

- Description: A brief description about the section.

- Category: Select the required compliance category from the drop-down list. Click Manage to add a new Category, if required.

- References: Map the section to the relevant compliance standards it adheres to. Click +Add another Reference to add multiple reference standards.

   Example: Information System Monitoring (Link: https://nvd.nist.gov/800-53/Rev4/control/SI-4).

After you add all the above details, click Save to create the section. In the same way, you can create all the sections required for the profile at once.

Note: If you delete a section, all the rules under the section are also deleted.

Section created

Rules:

Rules list the absolute paths for files and directories that you want FIM to monitor for any changes.

To create a rule, click New Rule and provide the following details:

- Rule Name: Name of the rule.

- Description: Purpose of the rule.

- Section: Select the required section from the drop-down list. You can also click Create Section option to create a new section.

- Rule Type: Currently, Qualys FIM supports two types of rules:

---- Directory Type - Select this rule type and provide the directory name (absolute path) on which real-time monitoring needs to be enabled.

---- File Type - Select this rule type when you want to monitor a specific file for any kind of activity on it.

- Severity: Use this parameter to define the criticality of the file path being monitored. The severity levels range from 1 to 5, where 5 is the highest.

- File Path: The file path to be monitored. Ensure that the file path has no spaces at the beginning or end. The File Path option is displayed only if you select the Rule Type as File.

- Monitor the Files for: Select the action(s) that should trigger events for the selected file path. This option is displayed if you select the Rule Type as File.

- Monitor the Directory structure for: Select the action(s) that should trigger events for the selected Directory. This option is displayed if you select the Rule Type as Directory.

- Monitor the files within the directory structure for: Select the action(s) that should trigger events for the files within the selected Directory. This option is displayed if you select the Rule Type as Directory.

- Directory Path: The directory base path to be monitored. This option is displayed only if you select the Rule Type as Directory.

Note that if the Directory Path specifies only a Windows root directory without any subdirectory (that is, only a drive name, with or without a slash: C:, D:, C:\, D:\), then at least one Inclusion or Exclusion filter is required. Similarly, if you specify only a Linux root directory without any subdirectory (e.g. /, /root, /var, /opt, /usr), then at least one Inclusion or Exclusion filter is required.

- Depth: The depth of directory traversal. The depth you choose indicates the level in the hierarchical directory structure down to which monitoring is enabled. This feature reduces load on the agent by monitoring paths only down to the required level instead of monitoring everything and returning false positives.

If the scope of monitoring inside a directory is unknown, the best practice is to set a depth of 3. This ensures that the scan does not descend into further subdirectory levels, which not only optimizes the scan time but also reduces CPU load and agent processing.

New Rule

- Advanced Option: If you choose Directory as the Rule Type, you can click Advanced Options to include or exclude specific patterns of files or directories within that directory. Using the Include and Exclude filters, you can further fine-tune the monitoring rules to reduce the number of false positives.

---- Targeting: Currently, Inclusion and Exclusion filters can be applied on Directories (to include/exclude the folders) or Files (to include/exclude the files).

Advanced option

Inclusion and Exclusion filters

The Include filter monitors only what is specified to be included and excludes everything else outside of the specification. This property makes the filter effective for noise cancellation. For example, suppose you want to monitor any modification made to log files. Here, the Inclusion filter will be [*.log], which means that if modifications are made to any files other than [*.log], events are not generated.

Include Filter

The Exclude filter works exactly opposite to the Inclusion filter. Here, specify the type of files or directories you do not want an event for. Certain file modification activities are harmless, and you may not want an event to be generated for them; such files are listed in the Exclusion filters. Events are not generated when an activity on the asset matches the Exclusion filters. This also reduces noise to a good extent.

Guidelines are available for specifying patterns to exclude or include Windows and Linux files or directories. See Guidelines for Creating Patterns in Inclusion/Exclusion Filters.

Exclude Filter
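The combined effect of the Depth setting, the selected actions and the Inclusion/Exclusion filters described above can be modelled on a handful of file-change events. The following is an added illustrative Python example, not Qualys FIM code: it assumes that depth counts directory levels below the base path, that filter patterns are shell-style globs applied to the file name, and it uses constructed action names (Content, Security, Delete).

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import PurePosixPath

def is_root_level(base_path: str) -> bool:
    # A bare root such as /, /var or /opt: the page requires a filter for these.
    return len(PurePosixPath(base_path).parts) <= 2

@dataclass
class DirectoryRule:
    base_path: str
    actions: set                 # file actions that raise events (names are assumed)
    depth: int = 3               # levels below base_path; the page's best-practice default
    include: list = field(default_factory=list)   # glob patterns such as "*.log"
    exclude: list = field(default_factory=list)   # glob patterns such as "*.tmp"

    def reports(self, path: str, action: str) -> bool:
        # True when an event for `action` on `path` would be generated by this rule.
        try:
            rel = PurePosixPath(path).relative_to(self.base_path)
        except ValueError:
            return False                       # outside the monitored tree
        if len(rel.parts) > self.depth:        # file lies deeper than the configured depth
            return False
        if action not in self.actions:         # action not selected for this rule
            return False
        if self.include and not any(fnmatch(rel.name, p) for p in self.include):
            return False                       # include filter drops everything else
        if any(fnmatch(rel.name, p) for p in self.exclude):
            return False                       # exclude filter drops listed patterns
        return True

def filter_events(rule: DirectoryRule, events: list) -> list:
    # Return the (path, action) events the rule would report.
    if is_root_level(rule.base_path) and not (rule.include or rule.exclude):
        raise ValueError(f"{rule.base_path}: root-level rule needs an include or exclude filter")
    return [e for e in events if rule.reports(*e)]

# Constructed sample events (path, action); not real agent output.
SAMPLE_EVENTS = [
    ("/var/log/auth.log", "Content"),                # continuous writes: noise
    ("/var/log/auth.log", "Security"),               # permission change: wanted
    ("/var/log/app/today.log", "Delete"),            # depth 2: wanted
    ("/var/log/app/cache/a/old.log", "Delete"),      # depth 4: beyond the limit
    ("/var/log/app/debug.tmp", "Delete"),            # not *.log: dropped by include
    ("/etc/passwd", "Delete"),                       # outside /var/log
]
```

Running `filter_events(DirectoryRule("/var/log", {"Security", "Delete"}, include=["*.log"]), SAMPLE_EVENTS)` keeps only the Security change and the Delete on today.log, matching the log-file best practice at the top of the page.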

Step 3: Assign Assets

You can select individual assets in your account or assign asset tags in order to monitor all matching assets automatically.

We recommend that you create asset tags and assign them to profiles if the number of assets to be monitored in the profile exceeds 50.

Once you add the assets and tags, click Save. The profile is created and displayed under the Profiles tab. By default, the profile is in an inactive state; you must activate the profile to associate it with the assets.

Assign Assets

Reference Topics

Import a Profile from Qualys Library

Clone a Profile

Activate and Deactivate a Profile

Delete a Profile

Guidelines for Creating Patterns in Inclusion/Exclusion Filters