04-24-2026 01:30 AM
Hi Team
I am configuring File Integrity Monitoring (FIM) in Cortex XDR for Windows endpoints.
I have defined a monitoring rule for the directory: C:\Windows\*
However, within this path, I need to exclude specific subfolders from being monitored (for example, system or application folders that generate excessive or irrelevant events). I am not seeing any option in the rule to define an exclusion!
In Malware Protection we can add an exception, but under FIM there is no such option.
TIA
04-24-2026 10:52 AM
Hello @M.Rather,
Greetings for the day.
In Cortex XDR, the File Integrity Monitoring (FIM) module (introduced in Agent version 8.9) is configured via Extension Policies and does not currently feature a built-in "Exclusion" toggle within the FIM rule definition itself. Unlike Malware Protection profiles, which use Legacy Agent Exceptions to whitelist paths, FIM rules are intended to be high-priority and are specifically protected from standard EDR pipeline filtering to ensure compliance data is not dropped.
To achieve your requirement of "excluding" specific subfolders while monitoring a broad directory like C:\Windows\*, you should use the following strategies based on official guidance:
1. Use Granular Monitoring Rules
Instead of defining a single broad rule with a wildcard at the root of the Windows directory, create multiple specific rules for the subfolders you actually need to monitor. This prevents the agent from capturing noise in high-volume directories like Temp or application-specific folders.
Broad rule: C:\Windows\*
Granular rules: C:\Windows\System32\drivers\etc\*
C:\Windows\System32\config\*
2. Configure Specific Events to Monitor
If you cannot avoid monitoring a folder that generates high volume, you can reduce noise by limiting the types of operations tracked. Within the rule configuration in the FIM profile, you can deselect “Monitor All Events” and choose only the most critical ones (for example, monitor only Delete and Rename instead of Modify).
3. Monitoring Constraints & Thresholds
Be aware of the following system limits when configuring Windows FIM rules:
C:\Windows\*), the agent will generate an audit log and stop sending FIM telemetry for the remainder of the day
C:\ or *\) and cannot end in a bare slash unless followed by a wildcard or filename
4. Suppression of Alerts (Server-Side)
If the events are already reaching the console and you want to stop them from appearing as alerts, you can create an Alert Exclusion rule under:
Settings → Exception Configurations → Alert Exclusions
Note that this suppresses the alert in the console but does not stop the agent from generating the underlying telemetry or counting toward its 15,000-event daily threshold.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
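Added example, not code from this thread or from Palo Alto Networks: a small Python helper that checks candidate FIM rule paths against the path constraints quoted in step 3, counts how many constructed sample change events the broad C:\Windows\* rule would capture compared with the granular rules from step 1, and extrapolates a short observation window against the 15,000-event daily threshold. It assumes that `*` in a rule matches across subfolder boundaries and that matching is case-insensitive, as on NTFS.

```python
import re

# Figure from the thread: once a rule set exceeds this many events in a day,
# the agent stops sending FIM telemetry for the remainder of that day.
DAILY_EVENT_THRESHOLD = 15_000

def validate_rule(rule: str) -> list[str]:
    """Check a candidate FIM rule path against the constraints stated in the
    thread. Returns a list of problems; an empty list means the path is fine."""
    problems = []
    # Must start with a drive root (C:\) or a wildcard root (*\).
    if not re.match(r"^(?:[A-Za-z]:\\|\*\\)", rule):
        problems.append("must start with a drive root such as C:\\ or a wildcard root *\\")
    # Must not end in a bare backslash; a wildcard or filename has to follow.
    if rule.endswith("\\"):
        problems.append("must not end in a bare backslash; append * or a filename")
    return problems

def rule_to_regex(rule: str) -> re.Pattern:
    """Assumption: '*' matches any run of characters, including further
    subfolders, and matching is case-insensitive."""
    pattern = ".*".join(re.escape(part) for part in rule.split("*"))
    return re.compile("^" + pattern + "$", re.IGNORECASE)

def events_per_rule(rules: list[str], event_paths: list[str]) -> dict[str, int]:
    """Count how many of the sample change events each rule would capture,
    to compare a broad rule against a granular set before deploying it."""
    compiled = {r: rule_to_regex(r) for r in rules}
    return {r: sum(1 for p in event_paths if rx.match(p)) for r, rx in compiled.items()}

def projected_daily_events(observed: int, window_minutes: float) -> int:
    """Extrapolate the events seen in a short window to a full day."""
    return round(observed * (24 * 60) / window_minutes)

# Constructed sample of file-change events observed in a 10-minute window.
SAMPLE_EVENTS = [
    r"C:\Windows\Temp\tmp1A2B.tmp",
    r"C:\Windows\Temp\tmp3C4D.tmp",
    r"C:\Windows\Prefetch\SVCHOST.EXE-ABCD1234.pf",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\config\SAM",
]
BROAD = [r"C:\Windows\*"]
GRANULAR = [r"C:\Windows\System32\drivers\etc\*", r"C:\Windows\System32\config\*"]

if __name__ == "__main__":
    print(validate_rule("C:\\Windows\\"))          # trailing backslash is rejected
    print(events_per_rule(BROAD, SAMPLE_EVENTS))     # broad rule captures all 5
    print(events_per_rule(GRANULAR, SAMPLE_EVENTS))  # granular rules capture 2
    total = sum(events_per_rule(BROAD, SAMPLE_EVENTS).values())
    print(projected_daily_events(total, 10), "projected/day vs", DAILY_EVENT_THRESHOLD)
```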