LimaCharlie's File & Registry Integrity Monitoring capability allows you to monitor specific directories or registry paths for changes. To monitor directory or registry path changes, you need to create an Integrity Rule. To do this, navigate to the File & Registry Integrity Monitoring section and click New Rule.
Next, enter the name of your rule, select at least one platform and provide patterns to be monitored. Optionally, enter a tag if you would like to monitor boxes marked with a specific tag.
When a change is detected, File & Registry Integrity Monitoring won't automatically generate an alert. Instead, it creates a FIM_HIT event, which lets you choose how you want to respond: you can create a D&R rule to send an alert, build an automation, etc.
An example of a detection and response rule would be as follows.
DETECTION:
    event: FIM_HIT
    op: exists
    path: /
RESPONSE:
    - action: report
      name: FIM Hit
Visit LimaCharlie technical documentation to learn more about File & Registry Integrity Monitoring.