Table of contents


The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.

The DirectorySet tag describes a set of Directories.

Tag attributes

The following table provides a list and descriptions of the XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute Description Required Default Value Allowed Values
base Sets the base directory of the DirectorySet. Everything else in the tag is relative to this directory Yes N/A String values resolving to syntactically valid path (path is not required to exist). Note that UNC paths are allowed by Windows Agents, but require that the remote system allow access by the LocalSystem account of the agent computer. The agent is a Windows service and runs as LocalSystem, also known as NT AUTHORITY\SYSTEM. When accessing a network resource, the LocalSystem uses the computer's credentials, which is an account named DOMAIN\MACHINE$. The access token presented to the remote computer also contains the Administrators group for the computer, so remote shares must grant read privileges to either the agent computer's account, the agent computer's Administrators group, or Everyone.

If the base value is not syntactically valid, the FileSet cannot be processed. The rest of the configuration is evaluated.
onChange Whether or not the directories returned should be monitored in real time. No false true, false
followLinks Will this DirectorySet follow symbolic links. No false true, false

Entity set attributes

The following are the attributes of the Entity that may be monitored by Integrity Monitoring Rules:

  • Created: Timestamp when the directory was created.
  • LastModified: Timestamp when the directory was last modified.
  • LastAccessed: Timestamp when the directory was last accessed. On Windows this value does not get updated immediately, and recording of the last accessed timestamp can be disabled as a performance enhancement. See File Times for details. The other problem with this attribute is that the act of scanning a directory requires that the agent open the directory, which will change its last accessed timestamp.
  • Permissions: The directory's security descriptor (in SDDL format) on Windows or Posix-style ACLs on Unix systems that support ACLs, otherwise the Unix style rwxrwxrwx file permissions in numeric (octal) format.
  • Owner: User ID of the directory owner (commonly referred to as the UID on Unix).
  • Group: Group ID of the directory owner (commonly referred to as the GID on Unix).
  • Flags: Windows-only. Flags returned by the GetFileAttributes() Win32 API. Windows Explorer calls these the Attributes of the file: Read-only, Archived, Compressed, and so on.
  • SymLinkPath: If the directory is a symbolic link, the path of the link is stored here. On Windows, use the SysInternals junction utility to create the Windows equivalent of symbolic links.
  • InodeNumber (Unix and Linux only): Inode number of the disk on which the inode associated with the file is stored.
  • DeviceNumber (Unix and Linux only): Device number of the disk on which the inode associated with the directory is stored.

Shorthand attributes

The following are the shorthand attributes and the attributes to which they map:

  • Created
    • LastModified
    • Permissions
    • Owner
    • Group
    • Flags (Windows only)
    • SymLinkPath

Meaning of key

Key is a pattern to match against the path of the directory relative to the directory specified by dir. This is a hierarchical pattern, with sections of the pattern separated by / matched against sections of the path separated by the file separator of the given OS.


  • Include
  • Exclude

See Integrity monitoring rules language for a general description of Include and Exclude for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.