[Meta]File Integrity Monitoring | User Information

[jamiehynds]

Similar to Auditbeat's FIM module, our new FIM integration can monitor for file changes, but does not include the user information to capture who modified/accessed the file. This is a significant visibility gap for security analysts and a heavily requested enhancement request.

Research needs to be done to determine how we can capture user information within our FIM integration and any underlying changes required. Can the OS components we rely on today be leveraged or is an underlying change to how we gather FIM data needed?

Linux - https://github.com/elastic/integrations/issues/7401 Windows - #8312 MacOS -

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[narph]

split between 3 OS's