FIM lets users see the reputation status of files. The reputation status is derived from the hash of the file content.
The reputation status of a file is shown on the Events Details page for events of type Create and Content. The source of event enrichment for file reputation status is the Centralized Qualys Threat DB.
The reputation status is one of: MALICIOUS, SUSPICIOUS, KNOWN, UNKNOWN, UNAVAILABLE.
- MALICIOUS : Indicates the file is a confirmed threat, malware, or part of malware.
- SUSPICIOUS : Indicates the file could be a possible or potential threat, but this is not confirmed.
- KNOWN : Indicates the file is non-malicious (benign).
- UNKNOWN : Indicates the file status is yet to be identified.
- UNAVAILABLE : The status is not available in the Centralized Qualys Threat DB.
Events can be filtered by reputation status using the search tokens.
On Windows, file reputation applies to PE files only; on Linux, it applies to all file types.
Go to the Events Details page to view the events in detail.
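The enrichment rules described above, as an added example that is not part of the FIM product or its documentation: it applies the event-type, platform and hash-lookup rules to constructed sample events, and filters out the MALICIOUS ones that automatic incident creation would act on. It assumes SHA-256 as the content hash, treats a file as PE when it starts with the DOS `MZ` magic, and uses an in-memory dictionary as a stand-in for the Centralized Qualys Threat DB; none of these are stated by the page.

```python
import hashlib
from typing import Optional

# Constructed sample file contents (not real malware; the Windows sample only
# carries the 'MZ' DOS header so the example treats it as a PE file).
WIN_PE = b"MZ\x90\x00constructed-pe-sample"
WIN_TXT = b"just a text file on windows"
LNX_SH = b"#!/bin/sh\necho constructed\n"
LNX_BIN = b"\x7fELFconstructed-elf-sample"

def file_hash(content: bytes) -> str:
    """Assumption: the content hash is SHA-256 (the page does not name the algorithm)."""
    return hashlib.sha256(content).hexdigest()

# Constructed stand-in for the Centralized Qualys Threat DB: content hash -> status.
THREAT_DB = {
    file_hash(WIN_PE): "MALICIOUS",
    file_hash(LNX_SH): "KNOWN",
}

def is_pe(content: bytes) -> bool:
    """Assumption: a file is treated as PE when it starts with the DOS 'MZ' magic."""
    return content[:2] == b"MZ"

def enrich(event: dict, threat_db: dict) -> Optional[str]:
    """Return the reputation status for one FIM event, or None when enrichment
    does not apply: only Create and Content events are enriched, and on Windows
    only PE files are. A hash that is not in the DB yields UNAVAILABLE."""
    if event["type"] not in ("Create", "Content"):
        return None
    if event["platform"] == "Windows" and not is_pe(event["content"]):
        return None
    return threat_db.get(file_hash(event["content"]), "UNAVAILABLE")

def malicious_events(events: list, threat_db: dict) -> list:
    """Events enriched as MALICIOUS, i.e. those automatic incident creation acts on."""
    return [e for e in events if enrich(e, threat_db) == "MALICIOUS"]

# Constructed FIM events: platform, event type, path and file content.
EVENTS = [
    {"id": 1, "platform": "Windows", "type": "Create",  "path": r"C:\tmp\a.exe", "content": WIN_PE},
    {"id": 2, "platform": "Windows", "type": "Content", "path": r"C:\tmp\b.txt", "content": WIN_TXT},
    {"id": 3, "platform": "Linux",   "type": "Content", "path": "/tmp/c.sh",    "content": LNX_SH},
    {"id": 4, "platform": "Linux",   "type": "Create",  "path": "/tmp/d",       "content": LNX_BIN},
    {"id": 5, "platform": "Linux",   "type": "Delete",  "path": "/tmp/c.sh",    "content": LNX_SH},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], e["platform"], e["type"], e["path"], enrich(e, THREAT_DB))
```

Event 2 returns None because a non-PE file on Windows is not enriched, while event 4 returns UNAVAILABLE because its hash is absent from the stand-in DB.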
Automatic Incident Creation for Malicious Events