The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.

The DirectorySet tag describes a set of Directories.

Tag Attributes

These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

| Attribute | Description | Required | Default Value | Allowed Values |
|---|---|---|---|---|
| base | Sets the base directory of the DirectorySet. Everything else in the tag is relative to this directory. | Yes | N/A | String values resolving to a syntactically valid path (the path is not required to exist) |
| onChange | Whether the directories returned should be monitored in real time. | No | false | true, false |
| followLinks | Whether this DirectorySet follows symbolic links. | No | false | true, false |

Note: UNC paths are allowed by Windows Agents, but require that the remote system allow access by the "LocalSystem" account of the Agent computer. The Agent is a Windows service and runs as LocalSystem, aka NT AUTHORITY\SYSTEM. When accessing a network resource, LocalSystem uses the computer's credentials, an account named DOMAIN\MACHINE$. The access token presented to the remote computer also contains the "Administrators" group for the computer, so remote shares must grant read privileges to either the Agent computer's account, the Agent computer's Administrators group, or "Everyone".

If the base value is not syntactically valid, the FileSet will not be processed. The rest of the config will be evaluated.

Entity Set Attributes

These are the attributes of the Entity that may be monitored by Integrity Monitoring Rules.

  • Created: Timestamp when the directory was created
  • LastModified: Timestamp when the directory was last modified
  • LastAccessed: Timestamp when the directory was last accessed. On Windows this value does not get updated immediately, and recording of the last accessed timestamp can be disabled as a performance enhancement. See File Times for details. The other problem with this attribute is that the act of scanning a directory requires that the Agent open the directory, which will change its last accessed timestamp.
  • Permissions: The directory's security descriptor (in SDDL format) on Windows, or POSIX-style ACLs on Unix systems that support ACLs; otherwise the Unix-style rwxrwxrwx file permissions in numeric (octal) format.
  • Owner: User ID of the directory owner (commonly referred to as the "UID" on Unix)
  • Group: Group ID of the directory owner (commonly referred to as the "GID" on Unix)
  • Flags: Windows-only. Flags returned by the GetFileAttributes() Win32 API. Windows Explorer calls these the "Attributes" of the file: Read-only, Archived, Compressed, etc.
  • SymLinkPath: If the directory is a symbolic link, the path of the link is stored here. On Windows, use the SysInternals "junction" utility to create the Windows equivalent of symbolic links.
  • InodeNumber (Unix and Linux only): Inode number of the disk on which the inode associated with the file is stored
  • DeviceNumber (Unix and Linux only): Device number of the disk on which the inode associated with the directory is stored
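
To make the attribute list concrete, the following added example (not the Agent's code and not part of the product documentation) records the Unix-side attributes for every directory under a base path, keyed by the path relative to base, and diffs two snapshots. The function names `snapshot`, `diff` and `demo` are hypothetical, and the assumptions are a Unix system, octal mode bits standing in for Permissions (no ACL lookup), and no Created attribute because plain `stat` does not expose one portably.

```python
import os
import stat
import tempfile

def snapshot(base, follow_links=False):
    """Map each directory under base to its attributes (LastAccessed omitted: a scan can change it)."""
    entities = {}
    for root, dirs, _files in os.walk(base, followlinks=follow_links):
        for name in dirs:  # os.walk lists symlinks to directories here too
            path = os.path.join(root, name)
            st = os.lstat(path)
            is_link = stat.S_ISLNK(st.st_mode)
            if is_link and follow_links:
                st = os.stat(path)  # describe the link target instead
            key = os.path.relpath(path, base).replace(os.sep, "/")
            entities[key] = {
                "LastModified": st.st_mtime_ns,
                "Permissions": oct(stat.S_IMODE(st.st_mode)),  # mode bits only
                "Owner": st.st_uid,
                "Group": st.st_gid,
                "SymLinkPath": os.readlink(path) if is_link else None,
                "InodeNumber": st.st_ino,
                "DeviceNumber": st.st_dev,
            }
    return entities

def diff(before, after):
    """Return (created, deleted, changed); changed maps path -> changed attribute names."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = {}
    for key in sorted(set(before) & set(after)):
        attrs = [a for a in before[key] if before[key][a] != after[key][a]]
        if attrs:
            changed[key] = attrs
    return created, deleted, changed

def demo():
    with tempfile.TemporaryDirectory() as base:  # constructed sample tree
        for name in ("conf", "logs"):
            os.mkdir(os.path.join(base, name))
        os.chmod(os.path.join(base, "conf"), 0o755)
        baseline = snapshot(base)
        os.chmod(os.path.join(base, "conf"), 0o777)  # made world-writable
        os.rmdir(os.path.join(base, "logs"))
        os.mkdir(os.path.join(base, "dropped"))
        return diff(baseline, snapshot(base))

if __name__ == "__main__":
    print(demo())
```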

Short Hand Attributes

The following are the Short Hand Attributes, and the attributes to which they map.

  • Created
    • LastModified
    • Permissions
    • Owner
    • Group
    • Flags (Windows only)
    • SymLinkPath

Meaning of "Key"

Key is a pattern to match against the path of the directory relative to the directory specified by "dir". This is a hierarchical pattern, with sections of the pattern separated by "/" matched against sections of the path separated by the file separator of the given OS.

Sub Elements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of Include and Exclude, including their allowed attributes and sub elements. Only information specific to includes and excludes for this EntitySet class is covered here.