# File Integrity Monitoring (FIM) Operations One-sentence definition: Detect unauthorized changes to critical system files and configurations. ## Key Facts - Monitor hashes/attributes for OS, config, and application files. - Baseline after patching; tune to reduce noise; tie alerts to tickets. - Use cryptographic verification; store baselines securely. - **Verify:** check official (ISC)² CBK and current exam outline. ## Exam Relevance - Choose FIM for compliance and tamper detection. **Mnemonic:** “**Baseline**, then **beware**.” ## Mini Scenario Q: Web shell added to app dir—what flags it? A: FIM change alert + EDR correlation. ## Revision Checklist - What to monitor. - Noise reduction step. - Evidence storage. ## Related [[Configuration Management and Drift Control]] · [[Endpoint EDR Detection Validation]] · [[Patch and Vulnerability Remediation Operations]] · [[Security Metrics for Testing Programs]] · [[Domain 7 - Index]]