Recently I was trying to track changes in FIM with the anomaly detection module in Wazuh.
First I made custom rules that specifically trigger for the directory paths I want to monitor, to focus on them. Then I added these rule IDs as data filters in the detection module. My main idea is to learn the pattern in which these FIM changes are occurring so that in case of malware activity or an app release I am able to detect it with Wazuh.
In the features tab I added rule id with count() value to track changes based on count and used
agent.name in categorical fields. My first question is: even though it's able to detect at which time an anomaly occurred, or the count, how can I check the details like which path caused these changes or how much deviation caused the trigger?
Even though I can do it by manual triage, is there any way to automate it? I tried a script and all, but it doesn't seem to work. If there's any way to apply this case scenario, kindly guide me.
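One way to automate the triage step the post asks about, as an added example that is not part of the original post and not Wazuh's own tooling: take the syscheck alerts for the filtered rule IDs and agent, bucket them the same way the anomaly job does, and for the bucket the job flagged report how far its count sits from the other buckets and which `syscheck.path` values and event types make up the spike. The alert shape (`timestamp`, `rule.id`, `agent.name`, `syscheck.path`, `syscheck.event`) follows Wazuh's alerts.json records; the rule ID `100010`, agent name `web01`, paths and timestamps below are constructed sample data, and `explain_anomaly` is a hypothetical helper name.

```python
"""Triage helper for a Wazuh FIM (syscheck) anomaly window.

Added example, not part of the original post or of Wazuh. Assumes alerts in the
shape of Wazuh alerts.json records and the start time of the bucket that the
anomaly detection job flagged. Returns the per-path and per-event breakdown of
that bucket plus its deviation from the baseline formed by the other buckets.
"""
from collections import Counter
from datetime import datetime, timezone
import json
import statistics


def parse_ts(ts):
    # Wazuh alert timestamps look like 2024-05-01T10:00:00.123+0000
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def bucket_start(dt, bucket_seconds):
    # Align to fixed-width buckets on the epoch, as a count()-per-interval job does.
    epoch = int(dt.timestamp())
    return epoch - (epoch % bucket_seconds)


def load_alerts_json(path):
    # alerts.json is newline-delimited JSON, one alert per line.
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def filter_alerts(alerts, rule_ids, agent):
    # Mirror the data filters of the anomaly job: rule IDs, one agent, FIM alerts only.
    wanted = {str(r) for r in rule_ids}
    return [a for a in alerts
            if str(a["rule"]["id"]) in wanted
            and a["agent"]["name"] == agent
            and "syscheck" in a]


def explain_anomaly(alerts, rule_ids, agent, flagged_time, bucket_seconds=3600, top_n=5):
    """Describe what is inside the flagged bucket and how far it deviates from baseline."""
    relevant = filter_alerts(alerts, rule_ids, agent)
    by_bucket = Counter(bucket_start(parse_ts(a["timestamp"]), bucket_seconds) for a in relevant)
    flagged = bucket_start(parse_ts(flagged_time), bucket_seconds)
    baseline = [c for b, c in by_bucket.items() if b != flagged]
    mean = statistics.mean(baseline) if baseline else 0.0
    stdev = statistics.pstdev(baseline) if len(baseline) > 1 else 0.0
    in_window = [a for a in relevant
                 if bucket_start(parse_ts(a["timestamp"]), bucket_seconds) == flagged]
    actual = len(in_window)
    return {
        "agent": agent,
        "bucket_start": datetime.fromtimestamp(flagged, tz=timezone.utc).isoformat(),
        "actual_count": actual,
        "baseline_mean": mean,
        "baseline_stdev": stdev,
        "deviation_ratio": (actual / mean) if mean else None,   # e.g. 4.0 = four times normal
        "z_score": ((actual - mean) / stdev) if stdev else None,
        "top_paths": Counter(a["syscheck"]["path"] for a in in_window).most_common(top_n),
        "event_types": dict(Counter(a["syscheck"].get("event", "unknown") for a in in_window)),
    }


def make_alert(ts, path, event, rule_id="100010", agent="web01"):
    # Constructed alert, trimmed to the fields used above (sample data, not a real record).
    return {"timestamp": ts, "rule": {"id": rule_id, "description": "FIM change in monitored path"},
            "agent": {"name": agent}, "syscheck": {"path": path, "event": event}}


# Constructed sample: 2-3 routine config edits per hour, then a burst at 12:00 UTC.
SAMPLE_ALERTS = (
    [make_alert(f"2024-05-01T{h:02d}:{m:02d}:00.000+0000", "/opt/app/config.yml", "modified")
     for h, m in [(8, 5), (8, 40), (9, 3), (9, 30), (9, 55), (10, 10), (10, 45), (11, 2), (11, 20), (11, 50)]]
    + [make_alert(f"2024-05-01T12:{m:02d}:00.000+0000", "/opt/app/bin/service", "modified")
       for m in range(1, 7)]
    + [make_alert(f"2024-05-01T12:{m:02d}:00.000+0000", "/etc/cron.d/backup", "added")
       for m in (8, 9, 10)]
    + [make_alert("2024-05-01T12:30:00.000+0000", "/opt/app/config.yml", "modified"),
       # Noise that the filters must drop: another rule ID, and another agent.
       make_alert("2024-05-01T12:12:00.000+0000", "/etc/hosts", "modified", rule_id="550"),
       make_alert("2024-05-01T12:15:00.000+0000", "/opt/app/bin/service", "modified", agent="db01")]
)

if __name__ == "__main__":
    # Usage: feed the bucket start the anomaly job reported and read the breakdown.
    print(json.dumps(explain_anomaly(SAMPLE_ALERTS, ["100010"], "web01",
                                     "2024-05-01T12:00:00.000+0000"), indent=2))
```

Run against a real deployment by replacing `SAMPLE_ALERTS` with `load_alerts_json("/var/ossec/logs/alerts/alerts.json")` (or the same records pulled from the indexer) and passing the bucket size the anomaly job uses; the `top_paths` and `event_types` fields answer "which path caused it", and `deviation_ratio` and `z_score` answer "how far off baseline it was".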