File Integrity Monitoring (FIM) - Learn about File Integrity Monitoring (FIM) capabilities in Cortex XDR. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product
Cortex XDR
License
XDR + Cloud
Creation date
2025-07-13
Last date published
2026-06-11
Category
Administrator Guide
Abstract

Learn about File Integrity Monitoring (FIM) capabilities in Cortex XDR.

File Integrity Monitoring (FIM) is a security control designed to detect unauthorized or anomalous modifications to files and folders in the file system. Any change, such as a new file being created or an existing file being modified, triggers an event that is sent to the Cortex Platform.

The Cortex XDR agent integrates FIM capabilities directly into its endpoint detection and response engine, which raises the fidelity of file events and makes them easier to act on. It also allows seamless deployment of FIM over any workstation or server that already has the XDR agent installed.

Notice

File Integrity Monitoring usage requires a dedicated FIM add-on or the Cloud Runtime Security add-on, with XDR Pro capabilities enabled.

File Integrity Monitoring requires a Cortex XDR agent with version 8.9.0 and above. FIM capabilities can be enabled on the following platforms and environments. See Where can I install Cortex XDR agent for full platform options.

Platform: Available Implementation

  • Windows: Servers and workstations

  • Linux: User mode and Kernel mode

  • Kubernetes: Containerized environments

Configuration and implementation

FIM rules are used to define which files and folders should be monitored, and FIM rule groups are used to consolidate multiple FIM rules into a single entity.

Creating, modifying and viewing FIM rule groups and rules is done in the Rule Groups page, located in the Inventory > Endpoints > File Integrity Monitoring menu.

First, choose + New Group to add a new FIM rule group.

After defining the general settings of the group, set up FIM rules in the Rules section by selecting + Add rule with the following properties:

  • Description: a brief description of the rule and its purpose

  • Path: the path of the file or folder to be monitored. See the File and Folder path configuration section for more information.

  • Events To Monitor: the type of events that should be monitored. Any captures all events on the defined file path; Specific events lets you select the event types Delete, Create and Modify. When you choose Any, new event types that may be added in the future are also monitored.

Once created, a FIM rule group must be assigned to a File Integrity Monitoring extension profile. See Apply File Integrity Monitoring profiles to your endpoint policies.

Note

It is recommended to create a policy that targets only the necessary files and folders.

Create a new FIM rule group, then set up FIM rules in the Rules section by selecting + Add rule.

  1. In Endpoints > File Integrity Monitoring > Rule groups, select + New Group.

  2. Fill in the General Settings.

    • Assign a Name.

    • Add a brief Description to describe the rule group and its purpose.

  3. Select the Platform.

    • For Linux, define the monitoring mode: Host or Containers.

    Note

    Platform cannot be changed once a rule group has been created.

  4. For each rule, add an optional description and the required path. Pay attention to the path restrictions and wildcard use described below in File and Folder path configuration.

  5. Specify the events to monitor.

    • Any will capture all events on the defined file path. New types of events that may be added in the future will also be monitored.

    • Specific events lets you select the event types Delete, Create and Modify.

Note

A rule group can contain up to 100 rules.
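The rule model described above and in the rule group procedure (a path plus Any or Specific events), as an added Python example that is not Cortex XDR code: it models how a rule group turns file changes into FIM events, shows why Any also covers event types added later, and shows what the per-host daily ingestion cap means for over-broad rules. The folder-prefix path convention, the snapshot format and the sample paths are assumptions; the product's own path and wildcard rules are not on this page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

MAX_EVENTS_PER_HOST_PER_DAY = 15_000  # ingestion cap stated on the page (per host/container, per 24 hours)
ANY: FrozenSet[str] = frozenset()     # empty set models "Any": every event type, including ones added later

@dataclass(frozen=True)
class FimRule:
    path: str                      # a file, or a folder prefix ending in "/" (assumed convention, not the product's)
    events: FrozenSet[str] = ANY   # or a Specific set drawn from {"Create", "Modify", "Delete"}
    description: str = ""

    def matches(self, file_path: str, event: str) -> bool:
        in_scope = file_path == self.path or (
            self.path.endswith("/") and file_path.startswith(self.path))
        return in_scope and (not self.events or event in self.events)

def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str]]:
    """Turn two path->content-hash snapshots into (event, path) pairs, in path order."""
    events = []
    for p in sorted(set(before) | set(after)):
        if p not in before:
            events.append(("Create", p))
        elif p not in after:
            events.append(("Delete", p))
        elif before[p] != after[p]:
            events.append(("Modify", p))
    return events

def evaluate(rule_group: List[FimRule], before: Dict[str, str], after: Dict[str, str],
             host: str, budget: Dict[str, int]) -> Tuple[List[Tuple[str, str]], int]:
    """Return the events the rule group forwards for `host` and how many the daily cap dropped; `budget` is updated in place."""
    emitted, dropped = [], 0
    for event, p in diff_snapshots(before, after):
        if not any(rule.matches(p, event) for rule in rule_group):
            continue                      # change is outside every rule's scope: no event
        if budget.get(host, 0) >= MAX_EVENTS_PER_HOST_PER_DAY:
            dropped += 1                  # over the daily cap: the event is lost, so keep rules targeted
            continue
        budget[host] = budget.get(host, 0) + 1
        emitted.append((event, p))
    return emitted, dropped

# Constructed sample data: one rule group and two snapshots of a single Linux host.
RULES = [
    FimRule("/etc/passwd", frozenset({"Modify", "Delete"}), "account database"),
    FimRule("/etc/cron.d/", ANY, "scheduled jobs"),
]
BEFORE = {"/etc/passwd": "sha256:aaa", "/etc/ssh/sshd_config": "sha256:bbb", "/tmp/scratch": "sha256:ccc"}
AFTER = {"/etc/passwd": "sha256:ddd", "/etc/ssh/sshd_config": "sha256:bbb", "/etc/cron.d/backup": "sha256:eee"}
```

Calling `evaluate(RULES, BEFORE, AFTER, "web-01", {})` forwards the cron.d creation and the passwd modification but not the unmonitored /tmp deletion; starting the host one event below the cap shows the second event being dropped.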

Create a File Integrity Monitoring profile and assign FIM rule groups to it.

  1. In Inventory > Endpoints > Policy management > Extensions > Profiles, select + Add Profile and then select either Create New or Import from File.

  2. Select a Platform, select File Integrity Monitoring, and click Next.

  3. Fill in the General Information.

    Assign the profile Name and add an optional Description.

  4. Select the Platform. For Linux, define the monitoring mode: Host or Containers.

  5. In FIM Rule Group, select + Manage Group.

    Select the required FIM Rule Groups.

  6. To save the FIM rule group definitions, click Create.

  7. You can add up to ten rule groups to a profile.

After you define the required File Integrity Monitoring profiles, configure policies with File Integrity Monitoring and enforce them on your endpoints. Cortex XDR applies File Integrity Monitoring policies on endpoints from beginning to end, as you’ve ordered them on the page. The first policy that matches the endpoint is applied. If no policies match, the default policy that enables all devices is applied.

  1. In Inventory > Endpoints > Policy management > Extensions > Policy Rules, select + New Policy or Import from File.

    Note

    When importing a policy, select whether to enable the associated policy targets. Rules within the imported policy are managed as follows:

    • New rules are added to the top of the list.

    • Default rules override the default rule in the target tenant.

    • Rules without a defined target are disabled until the target is specified.

  2. Configure settings for the File Integrity Monitoring policy.

    1. Assign a policy name and select the platform. You can add a description.

    2. Assign the File Integrity Monitoring profile you want to use in this rule.

    3. Click Next.

    4. Select the target endpoints on which to enforce the policy.

      Use filters or manual endpoint selection to define the exact target endpoints of the policy rules. If one exists, the Group Name is filtered according to the groups within your defined user scope.

    5. Click Done.

  3. Configure policy hierarchy.

    Drag the policies in the desired order of execution. The default policy that enables all devices on all endpoints is always the last one on the page and is applied to endpoints that don’t match the criteria in the other policies.

  4. Save the policy hierarchy.

    After the policy is saved and applied to the agents, Cortex XDR enforces the File Integrity Monitoring policies on your environment.

  5. (Optional) Manage your policy rules.

    In the Prevention Policy Rules table, you can view and edit the policy you created and the policy hierarchy.

    1. View your policy hierarchy.

    2. Right-click to View Policy Details, Edit, Save as New, Disable, and Delete.

    3. Select one or more policies, right-click and select Export Policies. You can choose to include the associated Policy Targets, Global Exceptions, and endpoint groups.

File and Folder path configuration

After you apply File Integrity Monitoring rules in your environment, use the Inventory > Endpoints > File Integrity Monitoring page to monitor events. The most recent events are displayed on the page. You can sort the results and use the filters menu to narrow them down.

Use XQL to view all FIM events by querying the xdr_dataset dataset with the filter fim_event = TRUE.

Note

It is possible to ingest up to 15,000 events per day (24 hours) for each host/container.