With File Integrity Monitoring you can detect unauthorized changes to critical files by monitoring those files for changes over time.
Configure File Integrity Check Controls
You'll need a File Integrity Check control for each file. This control tells us the file you want to monitor and the hash type to be used for computing the file hash.
Add Controls to Your Policy
Create or edit a compliance policy and add your File Integrity controls to the policy. Be sure to also add the assets the controls apply to.
Edit the Compliance Profile
There are a few scan settings you'll want to enable in your compliance profile:
- Choose "File Integrity Monitoring controls enabled" under Control Types. This ensures that your File Integrity controls are included in the scan. Optionally, use Scan by Policy and we'll include all controls in your selected policy, including any File Integrity controls.
- If you selected "Use scan data as expected value" in your control, then you'll also want to choose "Auto Update expected value" in the profile.
Run Compliance Scans and Reports
If your File Integrity controls have "Use scan data as expected value" enabled, then we'll get the actual value from the initial scan and update the control in your policy for you. Learn how it works
If your File Integrity controls have .* (period asterisk) as the default expected value, then you'll need to copy the actual value from the report and add it to the control yourself. See the steps
Follow these steps to update the control value manually:
1) Run a compliance report to show the actual value for the file.
2) Edit the control - Copy the actual value from the compliance report and paste it into the Default Value field of the control.
3) Run another compliance scan. Your second scan (and any subsequent scans) will check the file against the default value.
4) Run another compliance report. Your second report (and any subsequent reports) will indicate any changes to the file.