With FIM, you receive real-time updates about the anomalous activities it detects. These updates (events) carry complete, granular who-what-when-where details about the changes occurring within the scope of your monitored area. Events can be expected and authorized, or unexpected and malicious.
FIM provides one central location for viewing all of the events detected across all of your assets. The Events tab lets you search for events, group them using the group-by options, and download the results.
Use tabs in the Events section to quickly identify:
(1) All Events: Events detected across all of your assets are listed under this tab.
(2) Event Review: You can take actions such as ignoring events or creating incidents on the registered events from this tab.
(3) Ignored: Events ignored from the Event Review tab are moved to this tab.
Note: When adding a folder path to a file.fullPath or actor.imagePath QQL query, do not end the path with a trailing backslash (“\”); it results in an invalid QQL query when searching.
You can search for events by criteria using the Qualys Query Language (QQL). For more information on QQL, see Search Tutorial and How to search. These searches can then be saved using the "Save this Search Query" option. For more information, refer to the Search Action topic.
Clicking Event Details in the Quick Actions for an event brings up the Event Details page. This page provides complete information about the FIM event.
Have an event you don't need to track? Ignore it to move it out of your list.
Go to Events > Event Review, select the specific events, and choose Ignore Events from the Actions menu. Optionally, choose Ignore All Matching Events to ignore all events that currently match your query for the timeframe you've selected. Ignored events are moved to the Ignored list. Note - You may get similar events in the future that will appear in your Events list, and you'll want to ignore those too.
Alternately, click an event to go to the Event Details page and select the Ignore option from the Actions menu.
Did you ignore an event by mistake? No worries. Easily restore any ignored event from the Ignored list.
Ignore an event and at the same time modify the monitoring profile rule or rules that triggered the event. Identify the event and then click it to go to the Event Details page. From the Actions menu, choose Ignore and Whitelist. This option is unavailable 1) for events for which incidents have been created, and 2) for events generated by profile rules that were imported from the profile library or by profile rules for which you have set Rule Type to File.
You'll see a list of profiles and rules associated with the event and a new exclude filter for the target directory or file. Feel free to make changes to the exclude filter before saving it. Once you hit Save, we'll add the exclude filter to the selected profile rules. The event will be moved to the Ignored list and new events will not be generated for the excluded directory/file.
Search for events that are generated by the same process or user, or for the same filename, file path or rule. Drill down into an event and, on the Event Details page, click the Actions menu at the top. Select Find similar events and then choose a filter to view the events that match the value of that filter for the selected event.
For example, choose the Process filter to view all the events that are generated by the same process as the current event.
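As an added example (not Qualys's own code), the following Python builds the QQL filters that a "Find similar events" lookup or a path search would submit, stripping the trailing backslash that the note above says produces an invalid QQL query. Only file.fullPath and actor.imagePath appear in this documentation; the other field names, the field:"value" clause form and the "and" join are assumptions.

```python
# Added example: build Qualys FIM QQL filters from an event record.
# Only file.fullPath and actor.imagePath appear in the FIM docs; the other
# field names and the field:"value" / "and" grammar are assumptions.
from typing import Dict

# Constructed sample event record (not real FIM output).
SAMPLE_EVENT: Dict[str, str] = {
    "file.fullPath": r"C:\Windows\System32\drivers\etc\hosts",
    "actor.imagePath": r"C:\Windows\System32\notepad.exe",
    "actor.userName": r"CORP\svc_backup",        # placeholder field name
    "profile.ruleName": "Hosts file integrity",  # placeholder field name
}

# Presets mirroring the "Find similar events" filters described on the page.
SIMILAR_EVENT_FILTERS = {
    "process": ("actor.imagePath",),
    "user": ("actor.userName",),
    "path": ("file.fullPath",),
    "rule": ("profile.ruleName",),
}

# Fields that hold filesystem paths and need trailing-backslash handling.
PATH_FIELDS = {"file.fullPath", "actor.imagePath"}


def normalize_path(path: str) -> str:
    """Strip trailing whitespace and backslashes: a trailing backslash escapes
    the closing quote, which the FIM note says makes the QQL invalid."""
    cleaned = path.strip()
    while cleaned.endswith("\\"):
        cleaned = cleaned[:-1].rstrip()
    if not cleaned:
        raise ValueError("path is empty after normalization")
    return cleaned


def qql_filter(field: str, value: str) -> str:
    """Return one field:"value" clause, normalizing path-valued fields."""
    if '"' in value:  # quote escaping is not documented on the page
        raise ValueError(f"unsupported double quote in value for {field}")
    if field in PATH_FIELDS:
        value = normalize_path(value)
    return f'{field}:"{value}"'


def similar_events_query(event: Dict[str, str], preset: str) -> str:
    """Build the query 'Find similar events' would run for one preset."""
    fields = SIMILAR_EVENT_FILTERS[preset]
    return " and ".join(qql_filter(f, event[f]) for f in fields)
```

Calling similar_events_query(SAMPLE_EVENT, "process") yields the single actor.imagePath clause, which is the same filter the Process option applies to the current event.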
Go to Events > Event Review to see the events that are waiting to be reviewed.
Enter your search query to find related changes that are part of the same incident, and click Create Incident. All events matching your query will be included in the incident. You'll have the opportunity to review the incident and decide if it's valid.