FileSure Technical Resources for MSPs
Welcome to the technical guide for implementing FileSure as part of your MSP offerings.
This resource outlines the tools, configurations, and workflows needed to deploy and manage FileSure effectively.
Implementation Flow
The following steps describe how to configure and deploy FileSure on client endpoints:
Step 1: Create a JSON Configuration File
- Define your rules and alerts with shortcodes. Then add any necessary alert overrides in a structured JSON file.
- Example JSON:

Simple example:

    {
      "Rules": [ "AUDITCOPIES", "AUDITFOLDERMOVES", "AUDITOFFICENOACCESS", "AUDITUSB" ],
      "Alerts": [
        { "Id": "BULKCOPY" },
        { "id": "FOLDERMOVES" },
        { "id": "USBWRITES" },
        { "id": "WEBACCESSED" }
      ]
    }

An example with alert overrides:

    {
      "Rules": [ "AUDITCOPIES", "AUDITFOLDERMOVES", "AUDITOFFICENOACCESS", "AUDITUSB" ],
      "Alerts": [
        {
          "Id": "BULKCOPY",
          "Body": "<%username%> has copied <%count%> files within <%AgeInMinutes%> minutes",
          "AgeInMinutes": 500
        },
        { "id": "FOLDERMOVES" },
        { "id": "USBWRITES" },
        {
          "id": "WEBACCESSED",
          "SQL": "Select 1, * from AuditRecords where eventTime > OldestRecordAge and ((lower(exeName) = 'edge.exe' or lower(exeName) = 'firefox.exe' or lower(exeName) = 'chrome.exe') and deniedOp = 0)",
          "Body": "<%username%> accessed <%filename%> with <%exeName%>"
        }
      ]
    }

When defining the 'Body', you can use 'Merge Fields' that are enclosed with '<%' and '%>' like: <%fileName%>. The variables you can use are the fields returned by the 'SQL' statement and a few default ones.
Here are the default ones:
- AGEINMINUTES - from the alert definition.
- THRESHOLD - from the alert definition.
- KEYNAME - from the alert definition.
- QUERYNAME - from the alert definition.
- QUERYSQL - from the alert definition.
- COUNT - the first column from the SQL select.
Here are the AuditRecords fields (some fields are only populated for some operations):
Column name | Type | Description |
---|---|---|
orderNo | Integer | Internal index |
eventTime | Integer | Number of seconds since 1/1/1970 |
fileName | Text | Full file or folder path |
userName | Text | User in domain\username format |
operationName | Text | Friendly name of file operation |
majorFunction | Integer | File operation by number |
readAccess | Integer | 1 for read access requested; only valid for open/create operations (when MajorFunction is 0) |
writeAccess | Integer | 1 for write access requested; only valid for open/create operations (when MajorFunction is 0) |
deleteAccess | Integer | 1 for delete access requested; only valid for open/create operations (when MajorFunction is 0) |
renameTo | Text | For rename operations, the path the file was renamed to. Only valid for rename operations (when MajorFunction is 6) |
machineName | Text | Name of the computer on which the event was generated |
deniedOp | Integer | 1 if the operation was denied |
isDirectory | Integer | 1 if the file name is a folder |
wasCreated | Integer | 1 if the file was created |
exePath | Text | The full path of the executable that is being used to access the file. If the access was remote, this will be blank. |
driveType | Integer | Type of drive where the file was located |
extension | Text | The extension of the file |
exeName | Text | The name of the executable (no path) |
wasRedirected | Integer | 1 if the file operation was redirected |
redirectedTo | Text | Path where the operation was redirected to |
operationContext | Integer | 1 if operation was a move (when MajorFunction is 6) |
alertID | Integer | Alert ID of the matching rule |
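
A pre-deployment check for the JSON file from Step 1, as an added example (not FileSure's own code): it parses the file strictly and flags `Body` merge fields that are neither a default field nor an AuditRecords column. The function name `lint_config`, case-insensitive name matching, and the single-SELECT rule for `SQL` overrides are assumptions made here.

```python
import json
import re

# Default merge fields and AuditRecords columns, as listed on this page.
DEFAULT_FIELDS = "AGEINMINUTES THRESHOLD KEYNAME QUERYNAME QUERYSQL COUNT".split()
AUDIT_COLUMNS = (
    "orderNo eventTime fileName userName operationName majorFunction readAccess "
    "writeAccess deleteAccess renameTo machineName deniedOp isDirectory wasCreated "
    "exePath driveType extension exeName wasRedirected redirectedTo "
    "operationContext alertID"
).split()
# Assumption: merge-field names match case-insensitively (the page writes
# <%username%> for the userName column and <%count%> for COUNT).
KNOWN = {name.lower() for name in DEFAULT_FIELDS + AUDIT_COLUMNS}
MERGE_FIELD = re.compile(r"<%\s*(\w+)\s*%>")


def lint_config(text):
    """Return a list of problems found in a FileSure JSON configuration string."""
    try:
        cfg = json.loads(text)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    rules = cfg.get("Rules")
    if not isinstance(rules, list) or not all(isinstance(r, str) for r in rules):
        problems.append("'Rules' must be a list of rule shortcodes")
    alerts = cfg.get("Alerts", [])
    if not isinstance(alerts, list):
        return problems + ["'Alerts' must be a list"]
    for index, alert in enumerate(alerts):
        # The page's examples spell the key both "Id" and "id"; accept either.
        keys = {k.lower(): v for k, v in alert.items()} if isinstance(alert, dict) else {}
        alert_id = keys.get("id")
        if not isinstance(alert_id, str) or not alert_id:
            problems.append(f"alert #{index}: missing id")
            continue
        for name in MERGE_FIELD.findall(str(keys.get("body", ""))):
            if name.lower() not in KNOWN:
                problems.append(f"{alert_id}: unknown merge field <%{name}%>")
        sql = keys.get("sql")
        # Local review policy (assumption): an override is one read-only SELECT.
        if sql is not None and (not re.match(r"\s*select\b", str(sql), re.I) or ";" in str(sql)):
            problems.append(f"{alert_id}: SQL override is not a single SELECT statement")
    return problems
```

A field reported as unknown can still be valid when the alert's own `SQL` returns it under a different column name, so treat that finding as a prompt to review the query.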
Step 2: Generate a Registry File
- Use the JsonToConfig.exe command-line tool to convert your JSON file into a registry (.reg) file.
- JsonToConfig
  Description: takes a configuration JSON file, builds a FileSure configuration and saves it to the output file.
  Example: JsonToConfig 4x4.json 4x4.reg
- JsonToConfig
  Description: takes a configuration JSON file, builds a FileSure configuration and outputs it to the screen.
- JsonToConfig [] -apply
  Description: takes a configuration JSON file, builds a FileSure configuration and applies it to the registry.
  Notes: requires Administrator access. PathToOutputFile is optional.
Step 3: Apply the Registry File
- Deploy the registry file to the target endpoint using any RMM tool or manual installation.
- Example:
    regedit.exe /s rules.reg
Step 4: Reload Rules on the Endpoint
- Use the reloadrules.exe tool to apply the new configuration immediately.
- Example:
    reloadrules.exe
Step 5: Verify Deployment
- Use the FileSure LogViewer or other provided tools to ensure rules and alerts are active.
- Confirm alerts and logs are integrated into your RMM system.
Provided Tools
- Installed as part of the MSPBundle.exe
  - JsonToConfig.exe: Converts JSON configuration files to registry files for deployment.
- Installed as part of the FileSure endpoint agent (FileSureMSP.msi)
  - ApplyLic.exe: Command-line tool to apply a license.
  - ReloadRules.exe: Signals FileSure to reload its rules and apply any changes.
  - LogViewer.exe: A graphical tool for viewing and analyzing logs generated by FileSure.
  - RuleMonitor.exe: A graphical tool for monitoring, viewing and troubleshooting installed FileSure rules.
Integration with RMM Systems
FileSure logs all events (e.g., rule triggers, blocked actions) in the FileSure Audit log. Configured alerts run on every consolidation pass and, if they pass the threshold, write to the Windows Event Log. Most RMM systems can:
- Monitor Specific Event IDs: Set up notifications for critical events.
- Automate Responses: Trigger scripts or alerts based on FileSure events.
- Remote Investigation: Use LogViewer or similar tools to diagnose issues and refine rules.
Next Steps
- Create your JSON configuration file.
- Use the provided tools to deploy and test FileSure on client endpoints.
- Monitor logs and adjust configurations as needed.
Get Started Today
- Take FileSure for a spin with our free 21-day trial.
- Install it on any RMM-monitored machine and simulate a file event.
- See real-time results through your event log.