FIM fields rule mapping
This guide aims to help you understand how FIM fields can be mapped into rules.
FIM - Alerts: fields correspondence
The following table maps each decoded FIM field, as it is named in the field option of a rule, to its counterpart in the generated alert.
| FIM field | Alert field | Field description |
|---|---|---|
| file | path | File path in the current event |
| size | size_after | File size in the current event |
| hard_links | hard_links | List of hard links of the file |
| mode | mode | FIM event mode |
| perm | perm_after, win_perm_after | File permissions |
| uid | uid_after | User ID of the owner of the file |
| gid | gid_after | Group ID of the group that shares ownership of the file |
| uname | uname_after | User name of the owner of the file |
| gname | gname_after | Group name of the group that shares ownership of the file |
| md5 | md5_after | MD5 hash of the file in the current event (after changes) |
| sha1 | sha1_after | SHA1 hash of the file in the current event (after changes) |
| sha256 | sha256_after | SHA256 hash of the file in the current event (after changes) |
| mtime | mtime_after | Timestamp of the file changes |
| inode | inode_after | Inode of the file in the current event |
| changed_content | diff | Reported changes on the file of the current event |
| changed_fields | changed_attributes | Changed fields in the file (permissions, content, etc.) |
| win_attributes | attrs_after | File attributes (hidden, read-only, etc.) |
| tag | tag | Custom tags to be added to one specific event |
| user_id | audit.user.id | The actual ID of the user that triggered the event |
| user_name | audit.user.name | The actual name of the user that triggered the event |
| group_id | audit.group.id | The actual group ID of the user that triggered the event |
| group_name | audit.group.name | The actual group name of the user that triggered the event |
| process_name | audit.process.name | The name of the process run by a user that triggered the event |
| process_id | audit.process.id | The ID of the process run by a user that triggered the event |
| ppid | audit.process.ppid | The parent process ID of the process that triggered the event |
| effective_uid | audit.effective.user_id | Effective user ID used by the process triggering the event |
| effective_name | audit.effective_user.name | Effective user name used by the process triggering the event |
| parent_name | audit.process.parent_name | The process name of the parent of the process triggering the event |
| cwd | audit.process.cwd | Current working directory of the process triggering the event |
| parent_cwd | audit.process.parent_cwd | Current working directory of the parent process |
| audit_uid | audit.login_user.id | The ID of the user logged in to the system that triggered the event |
| audit_name | audit.login_user.name | The name of the user logged in to the system that triggered the event |
| arch | arch | Registry architecture (32 or 64 bits) |
| value_name | value_name | Registry value name |
| value_type | value_type | Registry value type |
| entry_type | entry_type | Registry entry type |
Rule mapping examples
The following example rules show how FIM fields are used in rules to extract information from FIM events. Every rule is shown alongside the FIM event that fires it and, if the rule does not silence it, the resulting alert.
The first rule silences alerts raised by a change of file permissions from mask 600 to mask 640.
```xml
<rule id="100002" level="0">
  <if_sid>550</if_sid>
  <field name="file">.log$</field>
  <field name="changed_fields">^permission$</field>
  <field name="perm">rw-r--r--</field>
  <match>rw-------</match>
  <description>Silence perm changes</description>
</rule>
```
```json
{
  "type": "event",
  "data": {
    "path": "/specialdir/file.log",
    "mode": "whodata",
    "type": "modified",
    "timestamp": 1623745234,
    "attributes": {
      "type": "file",
      "size": 0,
      "perm": "rw-------",
      "uid": "0",
      "gid": "0",
      "user_name": "root",
      "group_name": "root",
      "inode": 4352002,
      "mtime": 1623665041,
      "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
      "hash_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "hash_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "checksum": "25e338d1eca897691bacd33246c38650bdcd5630"
    },
    "changed_attributes": [
      "permission"
    ],
    "old_attributes": {
      "type": "file",
      "size": 0,
      "perm": "rw-r--r--",
      "uid": "0",
      "gid": "0",
      "user_name": "root",
      "group_name": "root",
      "inode": 4352002,
      "mtime": 1623665041,
      "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
      "hash_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "hash_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "checksum": "a1e1975f6f2799cb9f7e25af0b8f0bd1c4e183e4"
    },
    "audit": {
      "user_id": "0",
      "user_name": "root",
      "process_name": "/usr/bin/chmod",
      "process_id": 8866,
      "cwd": "/specialdir",
      "group_id": "0",
      "group_name": "root",
      "audit_uid": "1000",
      "audit_name": "vagrant",
      "effective_uid": "0",
      "effective_name": "root",
      "parent_name": "/usr/bin/bash",
      "parent_cwd": "/specialdir",
      "ppid": 3275
    }
  }
}
```
This second rule fires when a .txt file under a monitored directory is modified and the reported content changes contain the word "keyword".
```xml
<rule id="100010" level="12">
  <if_sid>550</if_sid>
  <field name="file">.txt$</field>
  <field name="changed_content">keyword</field>
  <match>modified</match>
  <description>Fire alert when .txt file is modified and contains word "keyword"</description>
</rule>
```
```json
{
  "type": "event",
  "data": {
    "path": "/test/file.txt",
    "mode": "realtime",
    "type": "modified",
    "timestamp": 1623660202,
    "attributes": {
      "type": "file",
      "size": 26,
      "perm": "rw-r--r--",
      "uid": "0",
      "gid": "0",
      "user_name": "root",
      "group_name": "root",
      "inode": 4096002,
      "mtime": 1623660202,
      "hash_md5": "126b42ce036035a50516f067aae33418",
      "hash_sha1": "5b0c286906ea60075d47b22ceab830681e906365",
      "hash_sha256": "d3c558c76a0c62e0917516a3aaf02d0512beb4ef6c1af19ca3c79e913cefcdfe",
      "checksum": "6c895291c3c9c20acee3f822c429a0901a77f7b4"
    },
    "changed_attributes": [
      "size",
      "mtime",
      "md5",
      "sha1",
      "sha256"
    ],
    "old_attributes": {
      "type": "file",
      "size": 0,
      "perm": "rw-r--r--",
      "uid": "0",
      "gid": "0",
      "user_name": "root",
      "group_name": "root",
      "inode": 4096002,
      "mtime": 1623660184,
      "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
      "hash_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "hash_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "checksum": "eed9691633569779f515786b6eccbdbfd3dc1e1a"
    },
    "content_changes": "0a1\n> 12313213215681568 keyword\n"
  }
}
```
```json
{
  "timestamp": "2021-06-14T08:43:22.999+0000",
  "rule": {
    "level": 12,
    "description": "Fire alert when .txt file is modified and contains word \"keyword\"",
    "id": "100010",
    "firedtimes": 1,
    "mail": true,
    "groups": [
      "local",
      "syslog",
      "sshd"
    ]
  },
  "agent": {
    "id": "004",
    "name": "ubuntu201",
    "ip": "10.0.2.15"
  },
  "manager": {
    "name": "ubuntu20"
  },
  "id": "1623660202.17987",
  "full_log": "File '/test/file.txt' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '26'\nOld modification time was: '1623660184', now it is '1623660202'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '126b42ce036035a50516f067aae33418'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : '5b0c286906ea60075d47b22ceab830681e906365'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : 'd3c558c76a0c62e0917516a3aaf02d0512beb4ef6c1af19ca3c79e913cefcdfe'\n",
  "syscheck": {
    "path": "/test/file.txt",
    "mode": "realtime",
    "size_before": "0",
    "size_after": "26",
    "perm_after": "rw-r--r--",
    "uid_after": "0",
    "gid_after": "0",
    "md5_before": "d41d8cd98f00b204e9800998ecf8427e",
    "md5_after": "126b42ce036035a50516f067aae33418",
    "sha1_before": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha1_after": "5b0c286906ea60075d47b22ceab830681e906365",
    "sha256_before": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha256_after": "d3c558c76a0c62e0917516a3aaf02d0512beb4ef6c1af19ca3c79e913cefcdfe",
    "uname_after": "root",
    "gname_after": "root",
    "mtime_before": "2021-06-14T08:43:04",
    "mtime_after": "2021-06-14T08:43:22",
    "inode_after": 4096002,
    "diff": "0a1\n> 12313213215681568 keyword\n",
    "changed_attributes": [
      "size",
      "mtime",
      "md5",
      "sha1",
      "sha256"
    ],
    "event": "modified"
  },
  "decoder": {
    "name": "syscheck_integrity_changed"
  },
  "location": "syscheck"
}
```
In the next example, the rule silences the deletion of files by the Windows explorer.exe process with admin privileges. Note that uname is compared with the owner of the deleted file (user_name inside attributes), while the user who ran explorer.exe is reported as user_name inside the audit block.
```xml
<rule id="100011" level="0">
  <if_sid>553</if_sid>
  <field name="process_name">explorer.exe$</field>
  <field name="uname">Administradores$</field>
  <match>deleted</match>
  <description>Silence delete events triggered by windows explorer with admin privileges</description>
</rule>
```
```json
{
  "type": "event",
  "data": {
    "path": "c:\\test\\adasdasd.txt",
    "version": 2,
    "mode": "whodata",
    "type": "deleted",
    "timestamp": 1623666683,
    "attributes": {
      "type": "file",
      "size": 40,
      "perm": "Administradores (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes, SYSTEM (allowed): delete|read_control|write_dac|write_owner|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes, Usuarios (allowed): read_control|synchronize|read_data|read_ea|execute|read_attributes, Usuarios autentificados (allowed): delete|read_control|synchronize|read_data|write_data|append_data|read_ea|write_ea|execute|read_attributes|write_attributes",
      "uid": "S-1-5-32-544",
      "user_name": "Administradores",
      "inode": 0,
      "mtime": 1623408349,
      "hash_md5": "786e0bf0ffc3c466b19d4e68d7c6f155",
      "hash_sha1": "99028323b4d6b4b2db9c7fc73d3887163598865c",
      "hash_sha256": "c0fc9e1e16ea610b3627af0b91eb623ac74dfde6943e40361de9a3447fed81b4",
      "attributes": "ARCHIVE",
      "checksum": "9384acf30012c15bd72f5ca435b4b0d41ec55ae2"
    },
    "audit": {
      "user_id": "S-1-5-21-3527455827-79240758-596275861-1001",
      "user_name": "jmv74211",
      "process_name": "C:\\Windows\\explorer.exe",
      "process_id": 2484
    }
  }
}
```
The last rule silences any alert coming from a file created with the touch command, subject to the following restrictions: the parent directory of the file is /specialdir, the group ID and the effective UID of the user adding the file are both 0, the audit_uid of that user is 1000 and the audit name is vagrant.
```xml
<rule id="100012" level="0">
  <if_sid>554</if_sid>
  <field name="parent_cwd">/specialdir</field>
  <field name="process_name">/usr/bin/touch</field>
  <field name="group_id">0</field>
  <field name="effective_uid">0</field>
  <field name="audit_name">vagrant</field>
  <field name="audit_uid">1000</field>
  <match>added</match>
  <description>Silence added event created with touch command in parent's current directory /specialdir with group ID 0,
  effective user ID 0, audit ID 1000 and audit user name vagrant</description>
</rule>
```
```json
{
  "type": "event",
  "data": {
    "path": "/specialdir/file.txt",
    "mode": "whodata",
    "type": "added",
    "timestamp": 1623665041,
    "attributes": {
      "type": "file",
      "size": 0,
      "perm": "rw-r--r--",
      "uid": "0",
      "gid": "0",
      "user_name": "root",
      "group_name": "root",
      "inode": 4352002,
      "mtime": 1623665041,
      "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
      "hash_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "hash_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "checksum": "a1e1975f6f2799cb9f7e25af0b8f0bd1c4e183e4"
    },
    "audit": {
      "user_id": "0",
      "user_name": "root",
      "process_name": "/usr/bin/touch",
      "process_id": 53794,
      "cwd": "/specialdir",
      "group_id": "0",
      "group_name": "root",
      "audit_uid": "1000",
      "audit_name": "vagrant",
      "effective_uid": "0",
      "effective_name": "root",
      "parent_name": "/usr/bin/bash",
      "parent_cwd": "/specialdir",
      "ppid": 44025
    }
  }
}
```
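As an added illustration of the field correspondence and of the rule examples above (it is not part of this page nor Wazuh's own code), the following Python sketch reads each rule-level FIM field from its location inside the decoded event JSON and evaluates the field and match conditions of the second rule against trimmed copies of the second and first example events. Python's re module stands in for Wazuh's OS_Regex and match is simplified to a check on the event type; both are assumptions of this example.

```python
import re

# Added example, not Wazuh code: where each rule-level FIM field named on this page
# is read from inside the decoded FIM event. Tuples are key paths into event["data"].
RULE_FIELD_SOURCE = {
    "file": ("path",), "mode": ("mode",),
    "size": ("attributes", "size"), "perm": ("attributes", "perm"),
    "uid": ("attributes", "uid"), "gid": ("attributes", "gid"),
    "uname": ("attributes", "user_name"), "gname": ("attributes", "group_name"),
    "md5": ("attributes", "hash_md5"), "sha1": ("attributes", "hash_sha1"),
    "sha256": ("attributes", "hash_sha256"), "inode": ("attributes", "inode"),
    "changed_content": ("content_changes",), "changed_fields": ("changed_attributes",),
    "user_id": ("audit", "user_id"), "user_name": ("audit", "user_name"),
    "group_id": ("audit", "group_id"), "process_name": ("audit", "process_name"),
    "effective_uid": ("audit", "effective_uid"), "parent_cwd": ("audit", "parent_cwd"),
    "audit_uid": ("audit", "audit_uid"), "audit_name": ("audit", "audit_name"),
}

def fim_field(event, name):
    """Return the string value of rule field `name`, or None if the event lacks it."""
    value = event["data"]
    for key in RULE_FIELD_SOURCE[name]:
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    if isinstance(value, list):  # changed_attributes -> "size,mtime,md5,..."
        value = ",".join(value)
    return str(value)

def rule_matches(rule, event):
    """Simplified evaluation: every <field> regex must hit its FIM field and <match>
    must hit the event type. Python's re stands in for Wazuh's OS_Regex (assumption)."""
    for name, pattern in rule["fields"].items():
        value = fim_field(event, name)
        if value is None or not re.search(pattern, value):
            return False
    return re.search(rule["match"], event["data"]["type"]) is not None

# Constructed samples: the second rule of this page and trimmed copies of the
# events shown for the second and first examples.
RULE_100010 = {"fields": {"file": ".txt$", "changed_content": "keyword"}, "match": "modified"}
EVENT_TXT = {"data": {"path": "/test/file.txt", "mode": "realtime", "type": "modified",
             "attributes": {"size": 26, "perm": "rw-r--r--", "user_name": "root"},
             "changed_attributes": ["size", "mtime", "md5", "sha1", "sha256"],
             "content_changes": "0a1\n> 12313213215681568 keyword\n"}}
EVENT_LOG = {"data": {"path": "/specialdir/file.log", "mode": "whodata", "type": "modified",
             "attributes": {"perm": "rw-------"}, "changed_attributes": ["permission"]}}

if __name__ == "__main__":
    print("rule 100010 on file.txt:", rule_matches(RULE_100010, EVENT_TXT))  # True
    print("rule 100010 on file.log:", rule_matches(RULE_100010, EVENT_LOG))  # False
```

The same evaluator applied to the third rule shows why uname (file owner) and user_name (acting user) must not be confused: the Windows event carries Administradores in the former and jmv74211 in the latter.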