Cortex XDR FIM

M.Rather — Fri, 24 Apr 2026 08:30:58 GMT

Hi Team

I am configuring File Integrity Monitoring (FIM) in Cortex XDR for Windows endpoints.

I have defined a monitoring rule for the directory:
C:\Windows\*

However, within this path, I need to exclude specific subfolders from being monitored (for example, system or application folders that generate excessive or irrelevant events).I am not seeing any option in rule to define exclusion!
In malware protection there we can add exception but under FIM there is no option.

TIA

Re: Cortex XDR FIM

susekar — Fri, 24 Apr 2026 17:52:34 GMT

Hello @M.Rather ,

Greeting for the day.

In Cortex XDR, the File Integrity Monitoring (FIM) module (introduced in Agent version 8.9) is configured via Extension Policies and does not currently feature a built-in "Exclusion" toggle within the FIM rule definition itself. Unlike Malware Protection profiles, which use Legacy Agent Exceptions to whitelist paths, FIM rules are intended to be high-priority and are specifically protected from standard EDR pipeline filtering to ensure compliance data is not dropped.

To achieve your requirement of "excluding" specific subfolders while monitoring a broad directory like C:\Windows\*, you should use the following strategies based on official guidance:

1. Use Granular Monitoring Rules
Instead of defining a single broad rule with a wildcard at the root of the Windows directory, create multiple specific rules for the subfolders you actually need to monitor. This prevents the agent from capturing noise in high-volume directories like Temp or application-specific folders.

Broad Rule (Avoid): C:\Windows\*
Granular Rules (Recommended): Define individual rules for critical paths such as:
- C:\Windows\System32\drivers\etc\*
- C:\Windows\System32\config\*

2. Configure Specific Events to Monitor
If you cannot avoid monitoring a folder that generates high volume, you can reduce noise by limiting the types of operations tracked. Within the rule configuration in the FIM profile, you can deselect “Monitor All Events” and choose only the most critical ones (for example, monitor only Delete and Rename instead of Modify).

3. Monitoring Constraints & Thresholds
Be aware of the following system limits when configuring Windows FIM rules:

Agent Version: Requires Cortex XDR Agent 8.9 or higher
Event Quota: There is a daily threshold of 15,000 FIM events per agent. If this limit is reached due to broad rules (like monitoring all of C:\Windows\*), the agent will generate an audit log and stop sending FIM telemetry for the remainder of the day
Path Requirements: Windows paths must start with a valid root (e.g., C:\ or *\) and cannot end in a bare slash unless followed by a wildcard or filename

4. Suppression of Alerts (Server-Side)
If the events are already reaching the console and you want to stop them from appearing as alerts, you can create an Alert Exclusion rule under:
Settings → Exception Configurations → Alert Exclusions

Note that this suppresses the alert in the console but does not stop the agent from generating the underlying telemetry or counting toward its 15,000-event daily threshold.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Cortex XDR FIM in Cortex XDR Discussions

Cortex XDR FIM

Re: Cortex XDR FIM