How to understand the File Integrity Monitoring Log file ?

Hi,

I enabled File Integrity Monitoring on one of my servers. Now there are some log files in the \Export folder, but I don't understand what they contain. I am attaching one .xml file; if someone can please help me understand this log.

<?xml version="1.0"?>
<databatch type="sophos.fim.databatch" timestamp="2019-01-24T13:12:48Z" schemaVersion="1.0" xmlns="http://www.sophos.com/xml/msys/SophosFim.xsd">
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:56:52Z" isAlert="0" isCustom="0" eventCount="1" targetName="ServiceDllUnloadOnStop" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:56:53Z" isAlert="0" isCustom="0" eventCount="1" targetName="Guid" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="20" eventTypeName="DeleteRegistryValue" eventTime="2019-01-24T12:56:53Z" isAlert="0" isCustom="0" eventCount="1" targetName="Guid" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="14" eventTypeName="CreateRegistryKey" eventTime="2019-01-24T12:56:57Z" isAlert="0" isCustom="0" eventCount="1" targetName="AutoLogonChecked" targetParent="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" targetId="" processId="704" processCreateTime="2019-01-24T12:56:03Z" processImageFile="LogonUI.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:57:02Z" isAlert="0" isCustom="0" eventCount="1" targetName="NetworkPerformsHijacking" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\Probe\{6483c9e9-5e49-4bc0-96e0-4c19e66f97c3}\" targetId="" processId="1212" processCreateTime="2019-01-24T12:56:30Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-20" accountDomain="NT AUTHORITY" accountName="NETWORK SERVICE" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:57:02Z" isAlert="0" isCustom="0" eventCount="1" targetName="LastProbeTime" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\Probe\{6483c9e9-5e49-4bc0-96e0-4c19e66f97c3}\" targetId="" processId="1212" processCreateTime="2019-01-24T12:56:30Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-20" accountDomain="NT AUTHORITY" accountName="NETWORK SERVICE" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:57:02Z" isAlert="0" isCustom="0" eventCount="1" targetName="Epoch" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\" targetId="" processId="1364" processCreateTime="2019-01-24T12:56:31Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-19" accountDomain="NT AUTHORITY" accountName="LOCAL SERVICE" specificData="" />
	<item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T13:05:44Z" isAlert="0" isCustom="0" eventCount="15" targetName="Collection" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\Teredo\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
</databatch>

Hi,

Thank you for your kind response. This log is only to monitor FIM's activities and, as observed in your specific instance, it displays what process from which location makes what changes (corresponding to the respective event ID) to which location and what value is being changed, under what user/service account name, domain, and SID. Is there anything specific you are looking for?
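The reply above describes each `<item>` as "which process, from which location, made which change to which target, under which account". As an added example (not Sophos code, and not part of the original thread), the script below parses a `sophos.fim.databatch` export using only the attribute names visible in the posted file, turns each item into that one-line description, totals changes by event type, process and account (honouring `eventCount`, which collapses repeated identical changes), and picks out the items a reviewer should look at first: anything the product marked `isAlert="1"`, plus changes under a watched registry key made by a process outside a trusted folder. The sample batch, the watched key list and the trusted-folder list are constructed for the demo.

```python
"""Triage helper for a Sophos FIM XML export (sophos.fim.databatch).

Added example, not Sophos code. It relies only on the <item> attributes seen in
the export posted in the thread; SAMPLE_BATCH below is a constructed batch in
the same shape, including one made-up alert row.
"""
import xml.etree.ElementTree as ET
from collections import Counter

FIM_NS = "http://www.sophos.com/xml/msys/SophosFim.xsd"

# Constructed sample: three rows shaped like the posted export plus one
# constructed alert (isAlert="1") from a process outside System32.
SAMPLE_BATCH = r"""<?xml version="1.0"?>
<databatch type="sophos.fim.databatch" timestamp="2019-01-24T13:12:48Z" schemaVersion="1.0" xmlns="http://www.sophos.com/xml/msys/SophosFim.xsd">
  <item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T12:56:52Z" isAlert="0" isCustom="0" eventCount="1" targetName="ServiceDllUnloadOnStop" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
  <item eventType="14" eventTypeName="CreateRegistryKey" eventTime="2019-01-24T12:56:57Z" isAlert="0" isCustom="0" eventCount="1" targetName="AutoLogonChecked" targetParent="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" targetId="" processId="704" processCreateTime="2019-01-24T12:56:03Z" processImageFile="LogonUI.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
  <item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T13:05:44Z" isAlert="0" isCustom="0" eventCount="15" targetName="Collection" targetParent="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\Teredo\" targetId="" processId="964" processCreateTime="2019-01-24T12:56:08Z" processImageFile="svchost.exe" processImageFolder="C:\Windows\System32" accountSid="S-1-5-18" accountDomain="NT AUTHORITY" accountName="SYSTEM" specificData="" />
  <item eventType="21" eventTypeName="SetRegistryValue" eventTime="2019-01-24T13:07:10Z" isAlert="1" isCustom="1" eventCount="1" targetName="AutoLogonChecked" targetParent="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" targetId="" processId="4321" processCreateTime="2019-01-24T13:07:01Z" processImageFile="unknown_tool.exe" processImageFolder="C:\Users\Public" accountSid="S-1-5-21-1111-2222-3333-1001" accountDomain="CORP" accountName="svc_backup" specificData="" />
</databatch>"""

INT_FIELDS = ("eventType", "eventCount", "processId")
FLAG_FIELDS = ("isAlert", "isCustom")

# Assumed watch list / trust list for the demo; tune to your own baseline.
WATCHED_KEYS = [
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",
]
TRUSTED_FOLDERS = ("C:\\Windows\\System32",)


def parse_batch(xml_text):
    """Return (batch_timestamp, items); each item is the <item> attributes as a
    dict with numbers and flags converted, plus derived target/process/account."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{FIM_NS}}}databatch":
        raise ValueError(f"not a Sophos FIM databatch: {root.tag}")
    items = []
    for el in root.iter(f"{{{FIM_NS}}}item"):
        item = dict(el.attrib)
        for f in INT_FIELDS:
            item[f] = int(item.get(f) or 0)
        for f in FLAG_FIELDS:
            item[f] = item.get(f) == "1"
        # Full registry path of the changed value/key.
        item["target"] = item["targetParent"] + item["targetName"]
        # Full image path of the process that made the change.
        item["process"] = item["processImageFolder"].rstrip("\\") + "\\" + item["processImageFile"]
        item["account"] = f'{item["accountDomain"]}\\{item["accountName"]}'
        items.append(item)
    return root.attrib.get("timestamp", ""), items


def describe(item):
    """One line in the 'who did what to which target via which process' form."""
    return (f'{item["eventTime"]} {item["eventTypeName"]} x{item["eventCount"]} '
            f'{item["target"]} by {item["account"]} ({item["accountSid"]}) '
            f'via {item["process"]} pid {item["processId"]}')


def summarize(items):
    """Totals by event type, process image and account, weighted by eventCount."""
    by_type, by_process, by_account = Counter(), Counter(), Counter()
    for it in items:
        n = it["eventCount"]
        by_type[it["eventTypeName"]] += n
        by_process[it["process"]] += n
        by_account[it["account"]] += n
    return {"by_type": by_type, "by_process": by_process, "by_account": by_account}


def needs_review(items, watched_prefixes=WATCHED_KEYS, trusted_folders=TRUSTED_FOLDERS):
    """Items to look at first: product alerts, and changes under a watched key
    made by a process whose folder is not in the trusted list."""
    flagged = []
    for it in items:
        watched = any(it["target"].upper().startswith(p.upper()) for p in watched_prefixes)
        trusted = any(it["processImageFolder"].upper() == t.upper() for t in trusted_folders)
        if it["isAlert"] or (watched and not trusted):
            flagged.append(it)
    return flagged


if __name__ == "__main__":
    ts, rows = parse_batch(SAMPLE_BATCH)
    print(f"batch {ts}: {len(rows)} items")
    for key, counts in summarize(rows).items():
        print(key, dict(counts))
    for row in needs_review(rows):
        print("REVIEW:", describe(row))
```

To run it against a real export, replace `SAMPLE_BATCH` with the file contents (`parse_batch(open(path, encoding="utf-8").read())`) and put the keys and folders that matter in your environment into `WATCHED_KEYS` and `TRUSTED_FOLDERS`; the three posted rows from `svchost.exe` and `LogonUI.exe` under `C:\Windows\System32` are ordinary service start-up noise and are not flagged.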