Falcon FileVantage provides real-time file integrity monitoring (FIM) for critical files and directories across Windows, Linux, and Mac systems. Track file changes, manage policies and rules, and respond to integrity violations.

Policy Management

Get-FalconFileVantagePolicy

Search for FileVantage policies.
Get-FalconFileVantagePolicy -Type Windows -Detailed

Parameters

Id
string[]
FileVantage policy identifier(s)
Type
string
required
Operating system type: Linux, Mac, Windows
Sort
string
Property and direction to sort results. Options: created_timestamp|asc, created_timestamp|desc, modified_timestamp|asc, modified_timestamp|desc, precedence|asc, precedence|desc
Limit
int
Maximum number of results per request (1-500)
Include
string[]
Include additional properties: exclusions
Offset
int
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

New-FalconFileVantagePolicy

Create FileVantage policies.
New-FalconFileVantagePolicy -Name "Windows Critical Files" -Platform Windows -Description "Monitor critical system files"

Parameters

Name
string
required
Policy name (1-100 characters)
Platform
string
Operating system platform: Linux, Mac, Windows
Description
string
Policy description (0-500 characters)

Edit-FalconFileVantagePolicy

Modify FileVantage policies.
Edit-FalconFileVantagePolicy -Id <policy_id> -Enabled $true

Parameters

Id
string
required
FileVantage policy identifier
Name
string
Policy name (1-100 characters)
Enabled
boolean
Policy enablement status
Description
string
Policy description (0-500 characters)

Rule Group Management

Get-FalconFileVantageRuleGroup

Search for FileVantage rule groups.
Get-FalconFileVantageRuleGroup -Type WindowsFiles -Detailed

Parameters

Id
string[]
FileVantage rule group identifier(s)
Type
string
required
Rule group type: LinuxFiles, MacFiles, WindowsFiles, WindowsRegistry
Sort
string
Property and direction to sort results
Limit
int
Maximum number of results per request (1-500)

New-FalconFileVantageRuleGroup

Create FileVantage rule groups.
New-FalconFileVantageRuleGroup -Type WindowsFiles -Name "System Configuration" -Description "Monitor system config files"

Parameters

Type
string
required
Rule group type: LinuxFiles, MacFiles, WindowsFiles, WindowsRegistry
Name
string
required
Rule group name (1-100 characters)
Description
string
Rule group description (0-500 characters)

Edit-FalconFileVantageRuleGroup

Modify FileVantage rule groups.
Edit-FalconFileVantageRuleGroup -Id <rulegroup_id> -Name "Updated Name"

Rule Management

Get-FalconFileVantageRule

List FileVantage rules within a rule group.
Get-FalconFileVantageRule -RuleGroupId <rulegroup_id> -Id <rule_id>

Parameters

RuleGroupId
string
required
FileVantage rule group identifier
Id
string[]
required
FileVantage rule identifier(s)

New-FalconFileVantageRule

Create a rule within a FileVantage rule group.
New-FalconFileVantageRule -RuleGroupId <rulegroup_id> -Precedence 1 -Path "C:\Windows\System32\config" -Severity High -FileWrite $true -FileDelete $true

Parameters

RuleGroupId
string
required
FileVantage rule group identifier
Precedence
int32
required
Precedence for the new rule inside the rule group
Path
string
required
Path of the directory, file, or registry key to monitor (1-250 characters)
Depth
string
Monitoring depth: 1, 2, 3, 4, 5, ANY
Severity
string
Rule severity: Low, Medium, High, Critical
Description
string
Rule description (0-500 characters)
Include
string
Files/directories to monitor (glob patterns, comma-separated)
Exclude
string
Files/directories to exclude (glob patterns, comma-separated)
FileWrite
boolean
Track file write events
FileDelete
boolean
Track file delete events
FilePermission
boolean
Track file permission change events
FileRename
boolean
Track file rename events
DirectoryCreate
boolean
Track directory create events
DirectoryDelete
boolean
Track directory delete events
EnableContentCapture
boolean
Enable the capture of file content during events
HashCapture
boolean
Track file hash

Edit-FalconFileVantageRule

Modify a rule within a FileVantage rule group.
Edit-FalconFileVantageRule -Id <rule_id> -RuleGroupId <rulegroup_id> -Precedence 1 -Severity Critical
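The cmdlets above as one end-to-end rule build, added here as an example and not taken from the PSFalcon documentation: a Linux policy with a narrow Critical rule for credential files and a broad catch-all rule that uses Include/Exclude globs, unlimited depth and hash capture. The policy and group names, the chosen paths and globs, and the host group id are assumptions for illustration.

```powershell
# Added example (not PSFalcon's own code). Builds a Linux FileVantage policy with two rules
# in one LinuxFiles rule group. Names, globs and the host group id are illustrative.

function New-FalconFileVantageLinuxBaseline {
    param([Parameter(Mandatory)][string]$LinuxHostGroupId)   # host group to receive the policy

    # 1. Policy for the Linux fleet
    $Policy = New-FalconFileVantagePolicy -Name 'Linux Baseline (example)' -Platform Linux `
        -Description 'Configuration and credential files under /etc'

    # 2. Rule group whose type matches the policy platform
    $Group = New-FalconFileVantageRuleGroup -Type LinuxFiles -Name 'etc monitoring (example)'

    # 3a. Narrow, high-signal rule: a short Include list, content and hash capture on
    $null = New-FalconFileVantageRule -RuleGroupId $Group.id -Precedence 1 -Path '/etc' -Depth 1 `
        -Severity Critical -Include 'passwd,shadow,sudoers,ssh/sshd_config' `
        -FileWrite $true -FileDelete $true -FilePermission $true -FileRename $true `
        -HashCapture $true -EnableContentCapture $true

    # 3b. Broad rule at the next precedence: any depth, editor/backup noise excluded
    $null = New-FalconFileVantageRule -RuleGroupId $Group.id -Precedence 2 -Path '/etc' -Depth ANY `
        -Severity Medium -Include '*.conf,*.d/*' -Exclude '*.bak,*.swp,*~' `
        -FileWrite $true -FileDelete $true -DirectoryCreate $true -DirectoryDelete $true `
        -HashCapture $true

    # 4. Attach the group and host group, then enable the policy
    Add-FalconFileVantageRuleGroup -PolicyId $Policy.id -Id $Group.id
    Add-FalconFileVantageHostGroup -PolicyId $Policy.id -Id $LinuxHostGroupId
    Edit-FalconFileVantagePolicy -Id $Policy.id -Enabled $true
    $Policy.id   # return the new policy identifier for later Get-/Edit- calls
}

# Usage (host group id is a placeholder)
New-FalconFileVantageLinuxBaseline -LinuxHostGroupId '<hostgroup_id>'
```

Precedence orders the rules inside the group; keeping the narrow Critical rule at precedence 1 and the catch-all at 2 makes the intended ordering explicit in the group listing.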

Change Monitoring

Get-FalconFileVantageChange

Search for Falcon FileVantage changes.
Get-FalconFileVantageChange -Filter "action_timestamp:>'2024-01-01'" -Detailed

Parameters

Id
string[]
FileVantage change identifier(s)
Filter
string
Falcon Query Language expression to limit results
Sort
string
Property and direction to sort results. Options: action_timestamp|asc, action_timestamp|desc, ingestion_timestamp|asc, ingestion_timestamp|desc
Limit
int32
Maximum number of results per request (1-5000)
After
string
Pagination token to retrieve the next set of results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved

Get-FalconFileVantageContent

Retrieve content recorded in a Falcon FileVantage change.
Get-FalconFileVantageContent -Id <change_id>

Parameters

Id
string
required
FileVantage change identifier

Invoke-FalconFileVantageAction

Perform actions on Falcon FileVantage changes.
Invoke-FalconFileVantageAction -Name suppress -Id <change_id> -Comment "False positive"

Parameters

Name
string
required
Action to perform: suppress, unsuppress, purge
Comment
string
Audit log comment
Id
string[]
FileVantage change identifier(s)

Use Cases

Monitor Critical System Files

# Create policy for Windows system files
$Policy = New-FalconFileVantagePolicy -Name "Critical System Files" -Platform Windows

# Create rule group
$RuleGroup = New-FalconFileVantageRuleGroup -Type WindowsFiles -Name "System32 Monitoring"

# Add rule to monitor System32
$Rule = New-FalconFileVantageRule -RuleGroupId $RuleGroup.id -Precedence 1 `
    -Path "C:\Windows\System32" -Depth 2 -Severity Critical `
    -FileWrite $true -FileDelete $true -FilePermission $true

# Assign rule group to policy
Add-FalconFileVantageRuleGroup -PolicyId $Policy.id -Id $RuleGroup.id

# Assign policy to host groups
Add-FalconFileVantageHostGroup -PolicyId $Policy.id -Id <hostgroup_id>

Review Recent File Changes

# Get changes from the last 24 hours (FQL timestamps are UTC, so convert before formatting with a literal 'Z')
$Yesterday = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$Changes = Get-FalconFileVantageChange -Filter "action_timestamp:>'$Yesterday'" -Detailed -All

# Group by severity
$Changes | Group-Object -Property severity | Select-Object Name, Count

# Review high severity changes
$Changes | Where-Object { $_.severity -eq 'High' } | Select-Object action_timestamp, path, change_type

Investigate Suspicious Changes

# Find changes to specific file
$Changes = Get-FalconFileVantageChange -Filter "path:'*\\config\\*'" -Detailed

# Get content for specific change
$Content = Get-FalconFileVantageContent -Id $Changes[0].id

# Suppress false positives ($FalsePositiveIds holds the change identifiers confirmed as benign during review)
Invoke-FalconFileVantageAction -Name suppress -Id $FalsePositiveIds -Comment "Approved maintenance"
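The review-then-suppress flow from the last two use cases, carried through as an added example (not from the PSFalcon documentation): changes are pulled with a UTC-correct FQL filter, compared against an approved change window, and only Low/Medium changes that fall inside the window are suppressed with an audit comment. The window values are constructed, and the property names (id, action_timestamp, path, change_type, severity) follow the use cases above.

```powershell
# Added example (not PSFalcon's own code): triage FileVantage changes against an approved
# change window and suppress only reviewed, in-window changes. Window values are constructed.

function Get-FalconFileVantageTriage {
    param(
        [Parameter(Mandatory)][datetime]$WindowStart,    # approved change window, UTC
        [Parameter(Mandatory)][datetime]$WindowEnd,
        [string]$PathPattern = '*\\config\\*'             # FQL wildcard, as in the use case above
    )
    $Start = $WindowStart.ToUniversalTime()
    $End   = $WindowEnd.ToUniversalTime()

    # FQL timestamps are UTC: format after ToUniversalTime(), never a local time plus 'Z'
    $Since   = $Start.AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $Filter  = "action_timestamp:>'$Since'+path:'$PathPattern'"   # '+' is FQL AND
    $Changes = Get-FalconFileVantageChange -Filter $Filter -Detailed -All

    foreach ($Change in $Changes) {
        $When     = ([datetime]$Change.action_timestamp).ToUniversalTime()
        $InWindow = ($When -ge $Start) -and ($When -le $End)
        # Only Low/Medium changes inside the window are suppression candidates;
        # High/Critical changes stay in the review queue regardless of timing
        $Disposition = if ($InWindow -and $Change.severity -notin 'High','Critical') { 'ApprovedWindow' } else { 'Review' }
        [pscustomobject]@{
            id = $Change.id; when = $When; path = $Change.path
            change_type = $Change.change_type; severity = $Change.severity; disposition = $Disposition
        }
    }
}

# Constructed window: 02:00-04:00 UTC on 2024-01-15 (example values)
$Triage = Get-FalconFileVantageTriage -WindowStart '2024-01-15T02:00:00Z' -WindowEnd '2024-01-15T04:00:00Z'
$Triage | Group-Object disposition, severity | Select-Object Name, Count

# Suppress reviewed in-window changes; the comment is written to the audit log
$Approved = @($Triage | Where-Object disposition -eq 'ApprovedWindow').id
if ($Approved) {
    Invoke-FalconFileVantageAction -Name suppress -Id $Approved -Comment 'Approved change window (example)'
}

# Everything else stays open for analyst review
$Triage | Where-Object disposition -eq 'Review' | Format-Table when, severity, change_type, path
```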

Requires Falcon FileVantage: Read scope for read operations and Falcon FileVantage: Write scope for modifications. Content retrieval requires Falcon FileVantage Content: Read scope.
