Supported Honeycomb FIM event types logged by QRadar

The Honeycomb FIM DSM for IBM QRadar can collect events from several event categories.

Each event category contains low-level events that describe the specific action taken within that category. For example, file rename events might have a low-level category of either "file rename successful" or "file rename failed".

The following list defines the event categories that are collected by QRadar for Honeycomb file integrity events:

  • Baseline events
  • Open file events
  • Create file events
  • Rename file events
  • Modify file events
  • Delete file events
  • Move file events
  • File attribute change events
  • File ownership change events

QRadar can also collect Windows and other log files that are forwarded from Honeycomb Lexicon. However, any event that is not a file integrity event might require special processing by a custom log source type or a log source extension in QRadar.