Interpreting the FIM module analysis

FIM analysis results appear on the ThreatLockDown dashboard whenever there’s an addition, modification, or deletion of monitored files. You can view the FIM results in three different sections of the dashboard. To view results from the FIM module, navigate to File Integrity Monitoring on the ThreatLockDown dashboard. The results are in the following sections:

Inventory

This section displays an inventory of all files that the FIM module has indexed. The FIM database contains the inventory information including the filename, last modification date, user, user id, group, and file size. The image below shows the file inventory of an Ubuntu 20.04 endpoint.

Inventory

You can click a file entry to view the entry details such as the last time the FIM module analyzed the file and the file attributes. You can also view FIM alerts related to the file. The image below shows this information for the /etc/ld.so.preload file.

Entry details

Dashboard

The dashboard section shows an overview of the analysis results of the ThreatLockDown FIM module for:

  • All agents within an infrastructure.

  • A selected agent within an infrastructure.

You can view an example of the overview of FIM scan results for all monitored endpoints in the image below.

Dashboard

You can view an example of the overview of FIM scan results for an Ubuntu endpoint in the image below.

Overview of FIM scan results

Events

This section shows the alerts the ThreatLockDown FIM module triggered. Here you can see details such as the agent name, the file path of the monitored file, the type of FIM event, a description of the alert, and the rule level of the alert.

Events

In addition, you can expand each alert entry to display additional information about the event that triggered the alert.

Expanded alert entry