
Monitoring File Changes with Falcon FileVantage

December 22, 2021

CrowdStrike Tech Center

Introduction

Due to compliance regulations, many organizations need to monitor key assets for changes made to certain files, folders or registry settings. File Integrity Monitoring (FIM) can be a daunting deployment that requires yet another solution in the security stack. As a cloud-delivered platform, CrowdStrike leverages a single lightweight agent to address a number of security challenges, including FIM.


Falcon FileVantage

CrowdStrike’s FileVantage module helps organizations meet compliance requirements by comprehensively monitoring file, folder, and registry modifications while also simplifying the security stack. Through the easy-to-use Falcon interface, FileVantage provides visibility into changes on critical assets, prioritized according to the configured severity level. Intuitive dashboards like the one below help organizations quickly identify and address issues based on severity, category and change type.

filevantage dashboard

Custom Policies and Assignment

The dashboard is populated based on flexible policies and rules. The rule groups themselves are defined in two categories with one focused on files and directories, while the other looks at registry changes.

filevantage rule groups

Within a given rule group, rules can be added, edited, sorted and deleted.

filevantage rule groups

Rules can be created to monitor specific changes, with customization options to prioritize events and reduce alert fatigue. As an example, this rule monitors for any type of change to the Demo directory and identifies those changes as low severity; however, it excludes any changes to log files. The checkbox options can be used to tune the rule to specific directory and file actions.

filevantage rule options

Once the rule groups are set up, they can be added to a policy. Those policies are then assigned to designated host groups. With granular, group-based assignment, organizations can ensure that the correct file integrity policies are in place for different servers and workloads based on their criticality and function.

filevantage policy setup

Managing Changes

Once the policies are defined and applied to host groups, any associated changes are reported in the same consolidated Falcon UI. Drilling down on the dashboard provides the supporting details, which are also available from the menu under “Changes”. This list of file changes can be filtered using the options at the top.

filevantage changes

By changing the filters to focus on changes to a specific host and user, the list reveals events related to the custom rule shown above for the demo directory. For each change, there are details including hostname, object and path. 

filevantage changes
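To make the rule semantics from the Demo-directory example and the host/user filtering of the Changes view concrete, here is an added illustrative model. It is not CrowdStrike code and does not reproduce the FileVantage engine's real matching logic; the rule fields, directory path, hostnames, users and change events are all constructed for the example.

```python
import fnmatch
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Hypothetical model of a FIM rule: watch one directory for a set of actions,
# skip file names matching exclusion globs, and tag matches with a severity.
@dataclass
class Rule:
    watched_dir: str
    severity: str
    actions: set = field(default_factory=lambda: {"create", "write", "delete", "rename"})
    exclude_globs: tuple = ()

@dataclass
class ChangeEvent:
    hostname: str
    user: str
    path: str
    action: str

def match_rule(rule: Rule, event: ChangeEvent):
    """Return the rule's severity if the event falls under the rule, else None."""
    path = PurePosixPath(event.path)
    try:
        path.relative_to(rule.watched_dir)  # must sit inside the watched directory
    except ValueError:
        return None
    if event.action not in rule.actions:  # action not ticked in the rule
        return None
    if any(fnmatch.fnmatch(path.name, g) for g in rule.exclude_globs):
        return None  # e.g. log files excluded to reduce alert fatigue
    return rule.severity

# The Demo-directory rule described above: any change, low severity, log files excluded.
DEMO_RULE = Rule(watched_dir="/srv/demo", severity="low", exclude_globs=("*.log",))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ChangeEvent("web01", "alice", "/srv/demo/config.yaml", "write"),
    ChangeEvent("web01", "alice", "/srv/demo/app.log", "write"),       # excluded by *.log
    ChangeEvent("web01", "bob", "/srv/other/config.yaml", "write"),    # outside watched dir
    ChangeEvent("web02", "bob", "/srv/demo/sub/keys.pem", "delete"),   # subdirectory still matches
]

def classify(events, rules=(DEMO_RULE,), host=None, user=None):
    """Apply rules to events, narrowing to one host and/or user like the Changes view filter."""
    results = []
    for ev in events:
        if (host and ev.hostname != host) or (user and ev.user != user):
            continue
        for rule in rules:
            sev = match_rule(rule, ev)
            if sev:
                results.append((ev.hostname, ev.path, ev.action, sev))
    return results
```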

Organizations can also leverage Falcon Fusion workflows to set up automated responses to these events. Those responses can include containment, enrichment, and Real Time Response actions, as well as notifications such as webhooks, ServiceNow incidents and messages via email, Teams or Slack. Workflows can be configured as automatic or manual, as shown below.

filevantage workflows

Conclusion

Falcon FileVantage is a robust file integrity monitoring solution that offers the streamlined, central visibility that organizations need to satisfy compliance requirements. Security Operations teams can not only identify and prioritize any changes to critical files, folders and registry keys, but can also leverage automated responses and notifications based on the nature of those changes.
