Orca provides a File Integrity Monitoring (FIM) solution for cloud accounts connected to your Orca account. It monitors changes in a set of critical files (from a baseline), classifies the type of change, and provides the user with information to take necessary actions. Orca FIM is primarily designed to meet regulatory compliance requirements. Learn how to enable FIM in your Orca account.
- Suggested use cases for FIM
- Orca's FIM architecture
- Critical files and folders
- Monitored changes and alerting
Suggested use cases for FIM
There are several use cases for FIM, including:
- Threat detection
- Configuration management
- Remediation capabilities
Orca's FIM solution addresses the compliance and reporting use cases: Orca monitors the integrity of critical system files and reports on them in a manner designed to meet compliance audit requirements.
Orca's FIM architecture
The method used by Orca to monitor file integrity compares the current scan to an established baseline.
The following is the current list of files that Orca considers key and monitors by default.
Critical files and folders
The files listed below are compared with the established baseline each time Orca scans your cloud environment.
Monitored changes and alerting
Orca's FIM examines the monitored files for the following changes:
- Name change
- Content change (for files only)
- Changes in attributes
A couple of points about how Orca FIM alerts work:
- Orca will issue an alert if one or more changes to monitored files are detected; the files' creation and modification timestamps remain intact.
- Orca uses well-known hash sets for certain files and alerts you when the file hash changes from "well-known" to "unknown". This approach typically results in real, actionable alerts, and reduces the number of false positives.
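The baseline comparison and "well-known" hash suppression described above, as an added illustration in Python (example code, not Orca's own implementation; the Record schema, sample paths, file contents and hash set are all constructed for this example):

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    """Baseline entry for one monitored path (hypothetical schema for this example)."""
    sha256: str
    mode: int
    owner: str

def snapshot(files):
    """Build a snapshot from constructed in-memory files: {path: (content, mode, owner)}."""
    return {p: Record(hashlib.sha256(c).hexdigest(), m, o) for p, (c, m, o) in files.items()}

def compare(baseline, current, known_hashes):
    """Classify differences between a baseline and the current snapshot as
    (change_type, path, detail) tuples: name change, content change, attribute change."""
    findings, removed, added = [], set(baseline) - set(current), set(current) - set(baseline)
    # Name change: a path vanished and an identical record reappeared under a new path
    for old in sorted(removed):
        match = next((p for p in sorted(added) if current[p] == baseline[old]), None)
        if match:
            findings.append(("name", old, match))
            added.discard(match)
        else:
            findings.append(("deleted", old, ""))
    findings.extend(("created", new, "") for new in sorted(added))
    for path in sorted(set(baseline) & set(current)):
        b, c = baseline[path], current[path]
        if b.sha256 != c.sha256:  # content change: tag whether the new hash is well-known
            findings.append(("content", path, "known" if c.sha256 in known_hashes else "unknown"))
        attrs = [a for a in ("mode", "owner") if getattr(b, a) != getattr(c, a)]
        if attrs:
            findings.append(("attributes", path, ",".join(attrs)))
    return findings

def alerts(findings):
    """Alert on everything except content changes that land on a well-known hash."""
    return [f for f in findings if not (f[0] == "content" and f[2] == "known")]

# Constructed sample data: baseline scan, a later scan, and a tiny well-known hash set
BASELINE_FILES = {
    "/etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n", 0o644, "root"),
    "/etc/ssh/sshd_config": (b"PermitRootLogin no\n", 0o600, "root"),
    "/usr/bin/sudo": (b"SUDO-V1", 0o4755, "root"),
}
CURRENT_FILES = {
    "/etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n", 0o644, "root"),
    "/etc/ssh/sshd_config.bak": (b"PermitRootLogin no\n", 0o600, "root"),  # renamed, content intact
    "/usr/bin/sudo": (b"SUDO-V2", 0o755, "root"),  # vendor update, but setuid bit dropped
}
KNOWN_HASHES = {hashlib.sha256(b"SUDO-V2").hexdigest()}  # constructed "well-known" set

def run():
    return alerts(compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES), KNOWN_HASHES))
```

The sudo content change is suppressed because its new hash is well-known, while the renamed sshd_config, the edited passwd and the lost setuid bit on sudo still alert.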