Updated on 2025-08-26 GMT+08:00

Viewing File Change Records

File integrity monitoring provides change statistics, change types, and file change records, helping you learn about file changes in real time and detect malicious changes in a timely manner.

Viewing File Change Overview

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. In the navigation pane, choose Server Protection > File Integrity Monitoring. Check the file change overview.

    You can select an enterprise project for filtering.

    Figure 1 File integrity monitoring page
    Table 1 File change overview parameters

    Parameter

    Description

    Overview

    Number of servers where files are changed.

    Changes

    • Total Changes: total number of file changes.
    • File Changes: total number of file changes.

    Action

    • Modify: total number of file changes.
    • Create: total number of file creations.
    • Delete: total number of file deletions.

Viewing the File Change Records of a Single Server

  1. In the server list, you can view the number of files and registry changes on a servers and the time when they were last changed.

    Figure 2 Server list

  2. Click a server name to go to the server change details page. You can view the file change details of the server.

    Figure 3 Viewing file change records on a server
    Table 2 Server file change parameters

    Parameter

    Description

    Example Value

    File Name

    Name of a modified file.

    du

    Path

    Path of a modified file.

    -

    Change Description

    Description of the change.

    To view the change details, hover the cursor over the change content.

    -

    Type

    File

    File

    Action

    How a file was modified.

    • Create
    • Modify
    • Delete

    Modify

    Last Modified

    The last time when a file was modified.

    -

Viewing the File Change Records of All Servers

In the modified file list, you can view all file change records. For details, see Table 2.
Figure 4 Checking modified files

Suggestions for Handling File Changes

The file changes of servers protected by HSS will be recorded and displayed on the File Integrity Monitoring page, helping you trace the behavior of attackers. If a file change is displayed on the File Integrity Monitoring page, check whether it is a normal event in a timely manner.

  • If the file change is an abnormal event, manually block the related process and isolate the file – on condition that these operations do not affect services.
  • If the file change is a normal event, ignore it or modify the file integrity monitoring scope. For details, see File Integrity in the File Protection policy in Configuring Policies.

A file change will also trigger a File/Directory changes alarm. You are advised to handle it too. The procedure is as follows:

  1. On the File Integrity Monitoring page, copy the name of the server where the file change was made.
  2. In the navigation pane, choose Detection & Response > Alarms.
  3. On the Server Alarms tab page, select the alarm whose Alarm Type is Abnormal System Behavior > File/Directory changes.
  4. In the search box on the right, paste and search for the server name to find its File/Directory changes alarm.
  5. Click the alarm name to view details. Check whether the file change is abnormal based on these details and the file change information on the File Integrity Monitoring page.
  6. Select a handling method at the bottom of the alarm details page.
    The change records on the File Integrity Monitoring page will be retained, no matter how you handle the alarm.
    1. Mark as handled: You have manually blocked related processes and isolated the modified files. The risk has been eliminated.
    2. Ignore: The file change has no impact and the alarm can be ignored.
    3. Add to whitelist: The file change is made by normal service operations. It needs to be whitelisted so that it will not trigger alarms.