Armor Knowledge Base
Space shortcuts
Page tree

Versions Compared

Old Version 52

changes.mady.by.user Scott Beetley

Saved on

compared with

New Version Current

changes.mady.by.user Scott Beetley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Content Layer
id443964836
Content Column
id443964847
Content Block
background-color$lightGrayColor
id443964835

Topics Discussed

Table of Contents
maxLevel4
minLevel3

Content Block
id443964837
Note

To fully use this screen, you must add the following permission to your account:

  • Read FIM

Anchor
Enable Trend Sub-Agent
Enable Trend Sub-Agent
Enable Trend Sub-Agent

As a prerequisite to installing File Integrity Monitoring, you must install the Trend sub-agent. Use the following commands to manage the Trend sub-agent.

Recommendation Scans

One of the features available in Agent 3.0 is Recommendation scans. Recommendation scans provide a good starting point for establishing a list of rules that you should implement. During a recommendation scan, the Armor Agent scans the operating system for installed applications, the Windows registry, open ports, and more. To take advantage of Recommendation scans, turn on Ongoing Recommendation scans in the Toolbox. 

Info

Recommendation Scans work in tandem with the Auto-Apply configuration for FIM. The results of the Recommendation Scan can only be applied when Auto-Apply for the FIM service is turned on. 


Install Trend Sub-Agent:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend install
Linux: /opt/armor/armor trend install


Uninstall Trend Sub-Agent:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend uninstall
Linux: /opt/armor/armor trend uninstall


Trend Sub-Agent Status:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend status
Linux: /opt/armor/armor trend status


Turn On Recommended Scans:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan on
Linux: /opt/armor/armor trend ongoing-recommendation-scan on


Turn Off Recommended Scans:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend ongoing-recommendation-scan off
Linux: /opt/armor/armor trend ongoing-recommendation-scan off


Schedule a Recommended Scan (Runs on Next Trend Sub-Agent Heartbeat):

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend recommendation-scan
Linux: /opt/armor/armor trend recommendation-scan


Set Recommendation Scan Interval:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend set-recommendation-scan-interval <interval>
Linux: /opt/armor/armor set-recommendation-scan-interval <interval>
Info
 Options are  "24 Hours" "2 Days" "3 Days" "7 Days" "2 Weeks" "3 Weeks" "4 Weeks"


Get Recommendation Scan Interval:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend get-recommendation-scan-interval
Linux: /opt/armor/armor trend get-recommendation-scan-interval


Trend Sub-Agent Help

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend help
Linux: /opt/armor/armor trend help


Restart Trend:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe trend service-restart
Linux: /opt/armor/armor trend service-restart


Anchor
Enable File Integrity Monitoring Service
Enable File Integrity Monitoring Service
Enable File Integrity Monitoring Service

Use the following commands to manage the File Integrity Monitoring service.


Turn On File Integrity Monitoring:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim on
Linux: /opt/armor/armor fim on

Optional Parameters
Windows: C:\.armor\opt\armor.exe fim on auto-apply-recommendations=on
Linux: /opt/armor/armor fim on auto-apply-recommendations=on

Windows: C:\.armor\opt\armor.exe fim on auto-apply-recommendations=off
Linux: /opt/armor/armor fim on auto-apply-recommendations=off
Info

The Auto-Apply configuration for FIM works in tandem with Recommendation Scans. Only after a Recommendation Scan is run will there be policies to Auto-Apply. 


Turn Off File Integrity Monitoring:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim off
Linux: /opt/armor/armor fim off


List of Assigned FIM Rules on Policy:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim list-assigned-rules
Linux: /opt/armor/armor fim list-assigned-rules


Assign FIM Rules:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim assign-rules ID
Linux: /opt/armor/armor fim assign-rules ID


Un-Assign FIM Rule:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim unassign-rule ID
Linux: /opt/armor/armor fim unassign-rule ID


File Integrity Monitoring Help

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim help
Linux: /opt/armor/armor fim help


Add Custom Filepath Rule

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim add-custom-filepath-rule "<name>,<filepath>,<description>"
Linux: /opt/armor/armor fim add-custom-filepath-rule "<name>,<filepath>,<description>"


Update Custom Filepath Rule

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim update-custom-filepath-rule "<id>,<name>,<filepath>,<description>"
Linux: /opt/armor/armor fim update-custom-filepath-rule "<id>,<name>,<filepath>,<description>"


Delete Custom Filepath Rule

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim delete-custom-filepath-rule "<id>"
Linux: /opt/armor/armor fim delete-custom-filepath-rule "<id>"


Get Custom Filepath Rule

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe fim get-custom-filepath-rule "<id>"
Linux: /opt/armor/armor fim get-custom-filepath-rule "<id>"


Anchor
View FIM data
View FIM data
View FIM Data

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click File Integrity Monitoring.

Column

Description

Name

For Armor Complete, the name of the virtual machine you created in AMP.

For Armor Anywhere, the name of the instance that contains the installed Anywhere agent, which includes the FIM sub-agent.

Provider

For Armor Complete, the entry will display Armor.

For Armor Anywhere, the name of the public cloud provider for the instance.

Status

The health status of the sub-agent, which is based on how long the FIM sub-agent has been offline.

There are three status types:

  • Secured (in green)
  • Warning (in yellow)
  • Critical (in red)
Connectivity

The connection status of the sub-agent.

There are three connection types:

  • Online indicates that the sub-agent is online.
  • Offline indicates that the sub-agent is currently offline.
  • Needs Attention indicates that the sub-agent has not communicated with Armor.
Timestamp

The date and time that the FIM sub-agent last communicated with Armor.

To learn how the overall FIM status is determined, see Understand FIM data.


Anchor
Understand FIM data
Understand FIM data
Understand FIM Data

Excerpt Include
ESLP:Understand FIM status (snippet)
ESLP:Understand FIM status (snippet)
nopaneltrue


Anchor
View FIM detail
View FIM detail
View Detailed FIM Data

The File Integrity Monitoring details screen displays the changes that has been detected in certain files in your virtual machine. This screen only shows data for the last 90 days. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security

  2. Click File Integrity Monitoring.

  3. Locate and select the desired virtual machine. 

Column

Description

Filename

The name of the file where a change was detected.

Description

A short summary of the change that took place.

Change Type

The type of change that took place in the file.

Scan DateThe date when the change was detected.


Anchor
Export File Integrity Monitoring (FIM) data
Export File Integrity Monitoring (FIM) data
Export FIM Data

To export the data: 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click File Integrity Monitoring.
  3. (Optional) Use the filter function to customize the data displayed. 

  4. Below the table, click CSV. You have the option to export all the data (All) or only the data that appears on the current screen (Current Set). 

    Function

    Data Displayed

    Notes

    CSVVM Name, VM Provider, IP Address, OS, FIM Agent Status Fixed, FIM Agent Version, FIM Last Communication DateA blank entry indicates that the action has never taken place.
Info

Anchor
Troubleshoot FIM
Troubleshoot FIM
Troubleshooting

Armor troubleshoots servers that contain File Integrity Monitoring sub-components in a Warning or Critical status. To troubleshoot with Armor, you must submit a support ticket.

  1. In the Armor Management Portal (AMP), click Support, and then click Tickets
  2. Click Create a Ticket.
  3. Select or search for the desired category for your ticket request type.
  4. Complete the missing fields.
    1. In Description, enter useful details that can help Armor quickly troubleshoot the problem.
  5. Click Create
  6. To view the status of your ticket, in the left-side navigation, click Support, and then click Tickets


Anchor
Log Search for File Integrity Monitoring
Log Search for File Integrity Monitoring
Log Search for File Integrity Monitoring

Users can search for FIM events in Log Search. For instructions on how to access and use Log Search, please see our documentation here

An example of FIM logs can be seen below: 

For a full list of Log Search fields and descriptions, please visit our glossary here

Was this helpful?

Rate Macro

Scrolltotop



Armor Defense Inc. Copyright © 2020. All rights reserved.