Viewing File Change Records

File integrity monitoring provides change statistics, change types, and file change records, helping you learn about file changes in real time and detect malicious changes in a timely manner.

Viewing File Change Overview

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.

In the navigation pane, choose Server Protection > File Integrity Monitoring. Check the file change overview.

You can select an enterprise project for filtering.

Figure 1 File integrity monitoring page
Click to enlarge

**Table 1** File change overview parameters
Parameter	Description
Overview	Number of servers where files are changed.
Changes	Total Changes: total number of file changes. File Changes: total number of file changes.
Action	Modify: total number of file changes. Create: total number of file creations. Delete: total number of file deletions.

Viewing the File Change Records of a Single Server

In the server list, you can view the number of files and registry changes on a servers and the time when they were last changed.

Figure 2 Server list

Click a server name to go to the server change details page. You can view the file change details of the server.

Figure 3 Viewing file change records on a server
Click to enlarge

**Table 2** Server file change parameters
Parameter	Description	Example Value
File Name	Name of a modified file.	du
Path	Path of a modified file.	-
Change Description	Description of the change. To view the change details, hover the cursor over the change content.	-
Type	File	File
Action	How a file was modified. Create Modify Delete	Modify
Last Modified	The last time when a file was modified.	-

Viewing the File Change Records of All Servers

In the modified file list, you can view all file change records. For details, see Table 2.

Figure 4 Checking modified files
Click to enlarge

Suggestions for Handling File Changes

The file changes of servers protected by HSS will be recorded and displayed on the File Integrity Monitoring page, helping you trace the behavior of attackers. If a file change is displayed on the File Integrity Monitoring page, check whether it is a normal event in a timely manner.

If the file change is an abnormal event, manually block the related process and isolate the file – on condition that these operations do not affect services.
If the file change is a normal event, ignore it or modify the file integrity monitoring scope. For details, see File Integrity in the File Protection policy in Configuring Policies.

A file change will also trigger a File/Directory changes alarm. You are advised to handle it too. The procedure is as follows:

On the File Integrity Monitoring page, copy the name of the server where the file change was made.
In the navigation pane, choose Detection & Response > Alarms.
On the Server Alarms tab page, select the alarm whose Alarm Type is Abnormal System Behavior > File/Directory changes.
In the search box on the right, paste and search for the server name to find its File/Directory changes alarm.
Click the alarm name to view details. Check whether the file change is abnormal based on these details and the file change information on the File Integrity Monitoring page.
Select a handling method at the bottom of the alarm details page.
The change records on the File Integrity Monitoring page will be retained, no matter how you handle the alarm.
1. Mark as handled: You have manually blocked related processes and isolated the modified files. The risk has been eliminated.
2. Ignore: The file change has no impact and the alarm can be ignored.
3. Add to whitelist: The file change is made by normal service operations. It needs to be whitelisted so that it will not trigger alarms.