Monitoring changes to critical files and directories is an important part of any security program. Using Red Canary’s Activity Monitors, you can create monitors to notify you when files or directories of interest are created, modified, or deleted. 

Creating a New File Integrity Monitor

Activity Monitors can be accessed via the Hunting menu. Create a new monitor by selecting New File Modification Activity Monitor and specify the following:

  • Name - The name of your Activity Monitor
  • Monitor modifications to these file paths - A newline-separated list of case-insensitive paths for the Monitor to match on. The following wildcards are permitted:

    *   - Matches part of any file or directory name
    **  - Matches zero or more directories
    ?   - Matches a single character
  • File operation types to monitor - The types of file modification activity to match: creation, modification, or deletion
  • When modifications ARE by these usernames - A newline-separated list of case-insensitive usernames for the Monitor to match on. This is set to * by default, matching all users performing the specified file modification.
  • When modifications ARE NOT by these usernames - A newline-separated list of case-insensitive usernames to exclude from the Monitor. Users in this list will not trigger this Activity Monitor.

Once created, the Activity Monitor will record the specified file modification activity from that point forward. Matches are stored for 60 days before being purged.

Receiving Activity Monitor Notifications

By default, your Activity Monitor matches will populate the File Integrity Monitoring Matches Insight, located under the Hunting menu in your Portal. You can also see matches for a specific Monitor on the Activity Monitors page.

You can also configure Integrations for each Activity Monitor you create. Instructions for configuring these integrations can be found here.

Suggested Activity Monitors

Not sure where to start? Try several of these monitors suggested by our CIRT team and customers:

Password documents

Monitor modifications to these file paths:

**\passw*.txt
**\passw*.doc?
**\passw*.xls?
**\passw*.csv
**\pwd.txt
**\pwd.doc?
**\pwd.xls?
**\pwd.csv

SSH modifications

Monitor modifications to these file paths:

**/.ssh/*

Host file modifications

Monitor modifications to these file paths:

/etc/hosts
**\etc\hosts
/private/etc/hosts
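To check which of the suggested path lists above would fire on a given path before deploying a monitor, here is an added example that applies the three wildcard rules from the earlier section (`*`, `**`, `?`, case-insensitive). It is not Red Canary's own matcher; it assumes that `\` and `/` are interchangeable separators and that a pattern must match the whole path.

```python
import re

# Added example of the wildcard rules described above; not Red Canary's own matcher.
# Assumptions: '\' and '/' are interchangeable separators and a pattern must match
# the whole path. Matching is case-insensitive, as the page states.
SEP, NOT_SEP = r"[\\/]", r"[^\\/]"

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one monitor path pattern into an anchored, case-insensitive regex."""
    out, i = [], 0
    while i < len(pattern):
        c, step = pattern[i], 1
        if pattern.startswith("**", i):
            # Zero or more directory components, each with its trailing separator.
            # A separator right after '**' is absorbed, so '**\x' also matches bare 'x'.
            out.append(rf"(?:{NOT_SEP}*{SEP})*")
            step = 3 if pattern[i + 2:i + 3] in ("\\", "/") else 2
        elif c == "*":
            out.append(rf"{NOT_SEP}*")   # part of a single file or directory name
        elif c == "?":
            out.append(NOT_SEP)          # exactly one character, never a separator
        elif c in "\\/":
            out.append(SEP)
        else:
            out.append(re.escape(c))
        i += step
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matching_patterns(path: str, patterns: list) -> list:
    """Return the entries of a monitor's path list that would match `path`."""
    return [p for p in patterns if pattern_to_regex(p).match(path)]

# Constructed sample: the suggested monitors from this page, keyed by name.
MONITORS = {
    "Password documents": ["**\\passw*.txt", "**\\passw*.doc?", "**\\pwd.csv"],
    "SSH modifications": ["**/.ssh/*"],
    "Host file modifications": ["/etc/hosts", "**\\etc\\hosts", "/private/etc/hosts"],
}

def triggered_monitors(path: str) -> list:
    """Names of the monitors whose path lists match the given path."""
    return [name for name, pats in MONITORS.items() if matching_patterns(path, pats)]

if __name__ == "__main__":
    for p in [r"C:\Users\alice\Documents\Passwords.txt",
              r"C:\Users\alice\passwords.doc",      # '?' needs one more character
              "/home/alice/.ssh/authorized_keys",
              "/home/alice/.ssh/keys/id_ed25519",   # '*' does not cross directories
              r"C:\Windows\System32\drivers\etc\hosts"]:
        print(f"{p:45} -> {triggered_monitors(p)}")
```

Because `?` must match exactly one character, `**\passw*.doc?` matches `passwords.docx` but not `passwords.doc`, so add a plain `**\passw*.doc` line if legacy formats matter. Likewise `*` never crosses a separator, so `**/.ssh/*` covers files directly in `.ssh` but not in its subdirectories.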