Orca File Integrity Monitoring (FIM) creates a baseline (a snapshot) of critical Windows and Linux system files in your cloud accounts by calculating a hash value for each file, and reports any deviations from that baseline between scans.
Orca FIM is disabled by default. You can enable it for your entire organization (all connected cloud accounts) or for one or more individual cloud accounts of your choice.
- Enable FIM for your entire organization (all connected cloud accounts)
- Enable FIM for a specific cloud account
- Example FIM alerts
- Notes on FIM functionality
Enable FIM for your entire organization (all connected cloud accounts)
1. Navigate to Settings from the main menu on the left.
2. Select Accounts from the Settings submenu.
3. From the upper-right section of the page, click the Advanced Settings icon.
4. Toggle the Enable FIM switch under “File Integrity Monitoring”.
Enable FIM for a specific cloud account
1. From the Accounts page (steps 1 and 2 above), click the vertical ellipsis at the end of the cloud account row for which you wish to enable FIM, and choose Advanced Settings.
2. From the cloud account Advanced Settings dialog window, toggle the Enable FIM switch under “File Integrity Monitoring”.
Example FIM alerts
This is an example of what FIM alerts look like. Here you see two FIM alerts with clear data that shows the changed files. The alerts tell you exactly which files or folders (from the monitored resources list) changed and exactly where those files are located. The first example shows a file that was changed in a VM, and the second shows three files that were changed in a container.
This is an example of what a FIM alert looks like from an asset view. By looking at the asset page, you can see the related FIM alerts in the File integrity tab.
Notes on FIM functionality
- The initial baseline is created the next time Orca scans your cloud environment after you enable FIM. Learn more about how often Orca scans and how to manually initiate a scan.
- While FIM is enabled, the baseline is recreated every 30 days.
- You can investigate FIM alerts just like any other security alerts.
- There is no option at this time to customize the monitored resources list.
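The baseline-and-compare model described at the top of this page, together with the 30-day baseline refresh noted above, can be sketched as follows. This is an added illustration, not Orca's implementation: the `scan` function, the state layout, the choice of SHA-256, and the decision to report against the old baseline before rotating it are all assumptions.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

BASELINE_MAX_AGE = timedelta(days=30)  # the page: baseline is recreated every 30 days


def sha256_file(path):
    """Hash file contents in chunks; a missing file is recorded as None."""
    try:
        digest = hashlib.sha256()  # assumption: the page does not name the hash
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        return digest.hexdigest()
    except FileNotFoundError:
        return None


def scan(state, paths, now):
    """One scan over the monitored paths.
    state is None or {"created": datetime, "hashes": {path: hex or None}}.
    Returns (new_state, deviations) with deviations as {path: kind}."""
    current = {p: sha256_file(p) for p in paths}
    if state is None:  # first scan after enabling: record baseline, report nothing
        return {"created": now, "hashes": current}, {}
    deviations = {}
    for path, old in state["hashes"].items():
        new = current.get(path)
        if new != old:
            deviations[path] = ("removed" if new is None
                                else "added" if old is None else "modified")
    if now - state["created"] >= BASELINE_MAX_AGE:
        # Assumption: report against the old baseline first, then rotate it,
        # so a change made just before rotation is not silently absorbed.
        state = {"created": now, "hashes": current}
    return state, deviations


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample file
        target = str(Path(d) / "sshd_config")
        Path(target).write_text("PermitRootLogin no\n")
        t0 = datetime(2024, 1, 1)
        state, _ = scan(None, [target], t0)
        Path(target).write_text("PermitRootLogin yes\n")
        state, found = scan(state, [target], t0 + timedelta(days=1))
        print(found)
```

Once the baseline is rotated, a file that was modified before the rotation becomes the new reference, so alerts raised against the previous baseline need to be investigated before they age out.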