Wazuh File Integrity Monitoring (FIM) is a critical security control layer. Its scope ranges from ransomware detection to insider threat analysis. Wazuh's FIM module reports every change made to monitored files and, when whodata is enabled, also records who made the change and which process triggered it.
🔍 Why FIM Matters
- Ransomware: Mass file encryption is detected early via FIM alerts
- Web shells: Malicious PHP/ASP files uploaded to servers trigger instant alerts
- Insider threats: Privileged users leave a traceable audit trail on critical files
- Compliance: PCI DSS and GDPR both require file change tracking
⚙️ Basic Configuration
<syscheck>
  <!-- full scheduled scan every 43200 seconds (12 hours) -->
  <frequency>43200</frequency>

  <!-- system directories: real-time change detection, diff of content changes, all checksum/attribute checks -->
  <directories realtime="yes" report_changes="yes" check_all="yes">
    /etc,/usr/bin,/usr/sbin
  </directories>

  <!-- web root: whodata additionally records the user and process behind each change -->
  <directories realtime="yes" report_changes="yes" whodata="yes">
    /var/www/html
  </directories>

  <!-- files that change constantly and would only generate noise -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
</syscheck>
👤 Whodata: Who Made the Change?
With whodata="yes", Wazuh records the user and process that modified the file alongside the change itself. On Linux this works through the Linux Audit subsystem; on Windows it is read from the Event Log.
🚨 Ransomware Detection
A high volume of file changes in a short time is a ransomware indicator. Wazuh's default rules report this as a level 12 alert. You can lower the threshold further with a custom rule; see our Custom Rule Writing Guide for details.
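The two ideas above, reading the whodata fields out of an FIM alert and counting change events per host inside a sliding time window, can be checked outside Wazuh's rule engine as well, for example when triaging an exported alerts.json. The script below is an added example written for this post, not Wazuh code: the alert lines are constructed here (host names, paths, users, processes and timestamps are invented), the field names follow the shape of Wazuh's syscheck alerts, and the threshold of 10 changes per 60 seconds is an assumed value you would tune to your environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _alert(ts, agent, path, event, user, proc, rule_id="550", level=7):
    """Build one constructed alerts.json line in the shape of a Wazuh FIM alert."""
    return json.dumps({
        "timestamp": ts,
        "rule": {"id": rule_id, "level": level, "groups": ["ossec", "syscheck"]},
        "agent": {"id": "001" if agent == "web01" else "002", "name": agent},
        "syscheck": {
            "path": path,
            "event": event,
            # "audit" is only present for directories monitored with whodata="yes"
            "audit": {"user": {"name": user}, "process": {"name": proc}},
        },
    })


# Constructed sample: three routine admin edits on db01 minutes apart, then twelve
# web-root files rewritten on web01 within 22 seconds by a single process.
SAMPLE_ALERTS = [
    _alert("2024-03-01T09:00:00.000+0000", "db01", "/etc/ssh/sshd_config", "modified", "root", "/usr/bin/vim"),
    _alert("2024-03-01T09:05:00.000+0000", "db01", "/etc/hosts", "modified", "root", "/usr/bin/vim"),
    _alert("2024-03-01T09:12:00.000+0000", "db01", "/etc/passwd", "modified", "root", "/usr/sbin/useradd"),
] + [
    _alert(f"2024-03-01T10:00:{2 * i:02d}.000+0000", "web01", f"/var/www/html/page{i}.php",
           "modified", "www-data", "/tmp/enc")
    for i in range(12)
]


def parse_alert(line):
    """Extract the FIM-relevant fields (including whodata attribution) from one alert line.

    Returns None for alerts that are not syscheck alerts. When whodata was not enabled
    for the directory, user and process are reported as '<no whodata>'.
    """
    alert = json.loads(line)
    if "syscheck" not in alert:
        return None
    sc = alert["syscheck"]
    audit = sc.get("audit", {})
    return {
        "ts": datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "agent": alert["agent"]["name"],
        "path": sc["path"],
        "event": sc.get("event", "unknown"),
        "user": audit.get("user", {}).get("name", "<no whodata>"),
        "process": audit.get("process", {}).get("name", "<no whodata>"),
    }


def detect_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag any agent that logs `threshold` or more FIM changes within `window`.

    Events are sorted by timestamp first, so the input need not be ordered. Each
    finding carries the users, processes and paths seen in the burst so an analyst
    can tell a deployment script from an unknown encryptor at a glance.
    """
    events = [e for e in (parse_alert(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-agent sliding window of recent events
    findings = []
    for ev in events:
        q = recent[ev["agent"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            findings.append({
                "agent": ev["agent"],
                "count": len(q),
                "first": q[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
                "users": sorted({e["user"] for e in q}),
                "processes": sorted({e["process"] for e in q}),
                "paths": [e["path"] for e in q],
            })
            q.clear()   # start a fresh window so one burst yields one finding
    return findings


if __name__ == "__main__":
    for f in detect_bursts(SAMPLE_ALERTS):
        print(f"[BURST] {f['agent']}: {f['count']} changes between {f['first']} and {f['last']} "
              f"by {f['users']} via {f['processes']}")
```

Run against a real export with `detect_bursts(open("alerts.json"))`; the routine edits on db01 never reach the threshold, while the web01 burst is reported once, with the single user and process responsible, which is exactly the context whodata adds to the alert.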