Activity monitors provide a key advantage to security programs by identifying modifications to specific files or paths. These may be critical system files, paths containing valuable intellectual property, or files that must be tracked for regulatory or compliance purposes.
You can use activity monitors to observe file modifications, letting the same detection engine that looks for threats pull double duty by also flagging changes to files of interest.
Creating a file modification activity monitor
You can create an activity monitor that identifies the creation, modification, or deletion of specific files on your endpoints. These monitors are dependent on the fidelity of file telemetry collected by your EDR/EPP sensor (not all sensors record file activity for all files).
To create a file modification activity monitor:
- Click More > File activity monitors.
- Click New file activity monitor.
- Configure your monitor by completing the form.
- Click Save.
Viewing matches
You can view endpoint activities that match your activity monitor. This includes information about the endpoint, user, and process associated with the activity.
To view activity monitor matches:
- Click More > File activity monitors.
- Click matches found in the Results column.
- Review the list of matches.
Deleting a monitor
You can delete activity monitors that are no longer valuable for your team.
To delete an activity monitor:
- Click More > File activity monitors.
- Click the name of the monitor you would like to delete.
- Click Delete at the bottom of the form.
Triggering automation playbooks from activity monitors
You can trigger an automation playbook when an activity monitor matches endpoint activity. This enables both simple and complex automation using email, SMS, and any other supported automation actions.
To trigger an automation playbook when an activity monitor matches endpoint activity:
- Click Automations.
- Click New Trigger and select When a File Integrity Match occurs.
- Customize the trigger and associated playbooks as desired.
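To make concrete what a file activity monitor evaluates (creation, modification or deletion of specific paths, matched against file telemetry that carries endpoint, user and process) and how a match can drive an automation action, the following is an added illustrative model. It is not the product's code; the event fields, paths, monitor rules and the callback are constructed assumptions.

```python
"""Illustrative model of a file activity monitor run over EDR file telemetry.
Added example, not vendor code. Event fields, paths and rules are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

TRACKED_ACTIONS = {"create", "modify", "delete"}  # what a monitor can flag

@dataclass
class FileEvent:
    """One file telemetry record as an EDR/EPP sensor might report it."""
    endpoint: str
    user: str
    process: str
    path: str
    action: str

@dataclass
class FileActivityMonitor:
    name: str
    path_patterns: list           # glob patterns, POSIX separators, case-insensitive
    actions: set = field(default_factory=lambda: set(TRACKED_ACTIONS))

    def matches(self, ev: FileEvent) -> bool:
        if ev.action not in self.actions:      # e.g. plain reads are never a match
            return False
        norm = ev.path.replace("\\", "/").lower()  # one pattern covers Windows and POSIX paths
        return any(fnmatch(norm, p.lower()) for p in self.path_patterns)

def evaluate(monitor, events, on_match=None):
    """Return matching events; optionally fire an automation callback per match."""
    hits = [e for e in events if monitor.matches(e)]
    for e in hits if on_match else []:
        on_match(monitor, e)
    return hits

# Constructed sample telemetry (no sensor involved)
SAMPLE_EVENTS = [
    FileEvent("ws-01", "CORP\\alice", "winword.exe", r"C:\Users\alice\Documents\q3.docx", "modify"),
    FileEvent("ws-01", "NT AUTHORITY\\SYSTEM", "svchost.exe", r"C:\Windows\System32\drivers\etc\hosts", "modify"),
    FileEvent("srv-02", "root", "vim", "/etc/ssh/sshd_config", "modify"),
    FileEvent("srv-02", "deploy", "rm", "/srv/ip/design-v2.pdf", "delete"),
    FileEvent("srv-02", "deploy", "cat", "/srv/ip/design-v2.pdf", "read"),
]

HOSTS_MONITOR = FileActivityMonitor("hosts-file", ["c:/windows/system32/drivers/etc/hosts"], {"modify", "delete"})
IP_MONITOR = FileActivityMonitor("ip-share", ["/srv/ip/*"])  # any tracked action under the IP share

def run_example():
    alerts = []  # stands in for an automation playbook (email, SMS, ...)
    evaluate(HOSTS_MONITOR, SAMPLE_EVENTS, lambda m, e: alerts.append(f"{m.name}:{e.endpoint}:{e.process}"))
    return alerts, evaluate(IP_MONITOR, SAMPLE_EVENTS)
```

A monitor can only match events the sensor actually records, so an action or path absent from the telemetry (like the read above, or a file the sensor does not cover) never produces a match.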