Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 7 subscribers
  • Views 3521 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to understand the File Integrity Monitoring Log file ?

Kandarp Desai1

Hi,

 

I enabled File integrity monitoring in one of My Servers now there are some log files in the \Export folder but I dont understand what it contains. I am attaching one .xml file if someone

can please help me out how to understand this log.

Fullscreen 3000.2019-01-24_13-12_2_8_22_databatch.xml Download 
<?xml version="1.0"?>
<databatch type="sophos.fim.databatch" timestamp="2019-01-24T13:12:48Z" schemaVersion="1.0" xmlns="http://www.sophos.com/xml/msys/SophosFim.xsd">
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:56:52Z" isAlert="0" isCustom="0" eventCount="1" targetName="ServiceDllUnloadOnStop" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:56:53Z" isAlert="0" isCustom="0" eventCount="1" targetName="Guid" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="20" eventTypeName="DeleteRegistryValue" eventTime="2019-01-24T12:56:53Z" isAlert="0" isCustom="0" eventCount="1" targetName="Guid" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="14" eventTypeName="CreateRegistryKey" eventTime="2019-01-24T12:56:57Z" isAlert="0" isCustom="0" eventCount="1" targetName="AutoLogonChecked" targetParent="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" targetId="" processId="704" processCreateTime="2019-01-24T12:56:03Z" processImageFile="LogonUI.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:57:02Z" isAlert="0" isCustom="0" eventCount="1" targetName="NetworkPerformsHijacking" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\Probe\{6483c9e9-5e49-4bc0-96e0-4c19e66f97c3}\" targetId="" processId="1212" processCreateTime="2019-01-24T12:56:30Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-20" accountDomain="NT AUTHORITY" accountName="NETWORK SERVICE" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:57:02Z" isAlert="0" isCustom="0" eventCount="1" targetName="LastProbeTime" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\Probe\{6483c9e9-5e49-4bc0-96e0-4c19e66f97c3}\" targetId="" processId="1212" processCreateTime="2019-01-24T12:56:30Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-20" accountDomain="NT AUTHORITY" accountName="NETWORK SERVICE" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:57:02Z" isAlert="0" isCustom="0" eventCount="1" targetName="Epoch" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\" targetId="" processId="1364" processCreateTime="2019-01-24T12:56:31Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-19" accountDomain="NT AUTHORITY" accountName="LOCAL SERVICE" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T13:05:44Z" isAlert="0" isCustom="0" eventCount="15" targetName="Collection" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\Teredo\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
</databatch>

 



This thread was automatically locked due to age.
Unfiltered HTML