File integrity monitoring in Microsoft Defender for Cloud
Learn how to configure file integrity monitoring (FIM) in Microsoft Defender for Cloud using this walkthrough.
Availability
| Aspect | Details |
|---|---|
| Release state: | General availability (GA) |
| Pricing: | Requires Microsoft Defender for Servers Plan 2. Using the Log Analytics agent, FIM uploads data to the Log Analytics workspace. Data charges apply, based on the amount of data you upload. See Log Analytics pricing to learn more. |
| Required roles and permissions: | Workspace owner can enable/disable FIM (for more information, see Azure Roles for Log Analytics). Reader can view results. |
| Clouds: | 
Commercial clouds
National (Azure Government, Azure China 21Vianet)Supported only in regions where Azure Automation's change tracking solution is available.
Azure Arc enabled devices.See Supported regions for linked Log Analytics workspace. Learn more about change tracking.
Connected AWS accounts |
What is FIM in Defender for Cloud?
File integrity monitoring (FIM), also known as change monitoring, examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack.
Defender for Cloud recommends entities to monitor with FIM, and you can also define your own FIM policies or entities to monitor. FIM informs you about suspicious activity such as:
- File and registry key creation or removal
- File modifications (changes in file size, access control lists, and hash of the content)
- Registry modifications (changes in size, access control lists, type, and the content)
In this tutorial you'll learn how to:
- Review the list of suggested entities to monitor with FIM
- Define your own, custom FIM rules
- Audit changes to your monitored entities
- Use wildcards to simplify tracking across directories
How does FIM work?
The Log Analytics agent uploads data to the Log Analytics workspace. By comparing the current state of these items with the state during the previous scan, FIM notifies you if suspicious modifications have been made.
FIM uses the Azure Change Tracking solution to track and identify changes in your environment. When file integrity monitoring is enabled, you have a Change Tracking resource of type Solution. For data collection frequency details, see Change Tracking data collection details.
Note
If you remove the Change Tracking resource, you will also disable the file integrity monitoring feature in Defender for Cloud.
Which files should I monitor?
When choosing which files to monitor, consider the files that are critical for your system and applications. Monitor files that you don’t expect to change without planning. If you choose files that are frequently changed by applications or operating system (such as log files and text files) it'll create a lot of noise, making it difficult to identify an attack.
Defender for Cloud provides the following list of recommended items to monitor based on known attack patterns.
| Linux files | Windows files | Windows registry keys (HKLM = HKEY_LOCAL_MACHINE) |
|---|---|---|
| /bin/login | C:\autoexec.bat | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{C689AAB8-8E78-11D0-8C47-00C04FC295EE} |
| /bin/passwd | C:\boot.ini | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{603BCC1F-4B59-4E08-B724-D2C6297EF351} |
| /etc/*.conf | C:\config.sys | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\SYSTEM.ini\boot |
| /usr/bin | C:\Windows\system.ini | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows |
| /usr/sbin | C:\Windows\win.ini | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| /bin | C:\Windows\regedit.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| /sbin | C:\Windows\System32\userinit.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| /boot | C:\Windows\explorer.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| /usr/local/bin | C:\Program Files\Microsoft Security Client\msseces.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
| /usr/local/sbin | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | |
| /opt/bin | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | |
| /opt/sbin | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce | |
| /etc/crontab | HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{C689AAB8-8E78-11D0-8C47-00C04FC295EE} | |
| /etc/init.d | HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg{603BCC1F-4B59-4E08-B724-D2C6297EF351} | |
| /etc/cron.hourly | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot | |
| /etc/cron.daily | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows | |
| /etc/cron.weekly | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon | |
| /etc/cron.monthly | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | |
| HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | ||
| HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ||
| HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ||
| HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx | ||
| HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices | ||
| HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce | ||
| HKLM\SYSTEM\CurrentControlSet\Control\hivelist | ||
| HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs | ||
| HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | ||
| HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | ||
| HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile |
Enable file integrity monitoring
FIM is only available from Defender for Cloud's pages in the Azure portal. There is currently no REST API for working with FIM.
From the Workload protections dashboard's Advanced protection area, select File integrity monitoring.
The File integrity monitoring configuration page opens.
The following information is provided for each workspace:
- Total number of changes that occurred in the last week (you may see a dash "-“ if FIM is not enabled on the workspace)
- Total number of computers and VMs reporting to the workspace
- Geographic location of the workspace
- Azure subscription that the workspace is under
Use this page to:
Access and view the status and settings of each workspace
Upgrade the workspace to use enhanced security features. This icon Indicates that the workspace or subscription isn't protected with Microsoft Defender for Servers. To use the FIM features, your subscription must be protected with this plan. For more information, see Microsoft Defender for Cloud's enhanced security features.
Enable FIM on all machines under the workspace and configure the FIM options. This icon indicates that FIM is not enabled for the workspace.
Tip
If there's no enable or upgrade button, and the space is blank, it means that FIM is already enabled on the workspace.
Select ENABLE. The details of the workspace including the number of Windows and Linux machines under the workspace is shown.
The recommended settings for Windows and Linux are also listed. Expand Windows files, Registry, and Linux files to see the full list of recommended items.
Clear the checkboxes for any recommended entities you do not want to be monitored by FIM.
Select Apply file integrity monitoring to enable FIM.
Note
You can change the settings at any time. See Edit monitored entities below to learn more.
Audit monitored workspaces
The File integrity monitoring dashboard displays for workspaces where FIM is enabled. The FIM dashboard opens after you enable FIM on a workspace or when you select a workspace in the file integrity monitoring window that already has FIM enabled.
The FIM dashboard for a workspace displays the following details:
- Total number of machines connected to the workspace
- Total number of changes that occurred during the selected time period
- A breakdown of change type (files, registry)
- A breakdown of change category (modified, added, removed)
Select Filter at the top of the dashboard to change the time period for which changes are shown.
The Servers tab lists the machines reporting to this workspace. For each machine, the dashboard lists:
- Total changes that occurred during the selected period of time
- A breakdown of total changes as file changes or registry changes
When you select a machine, the query appears along with the results that identify the changes made during the selected time period for the machine. You can expand a change for more information.
The Changes tab (shown below) lists all changes for the workspace during the selected time period. For each entity that was changed, the dashboard lists the:
- Machine that the change occurred on
- Type of change (registry or file)
- Category of change (modified, added, removed)
- Date and time of change
Change details opens when you enter a change in the search field or select an entity listed under the Changes tab.
Edit monitored entities
From the File integrity monitoring dashboard for a workspace, select Settings from the toolbar.
Workspace Configuration opens with tabs for each type of element that can be monitored:
- Windows registry
- Windows files
- Linux Files
- File content
- Windows services
Each tab lists the entities that you can edit in that category. For each entity listed, Defender for Cloud identifies whether FIM is enabled (true) or not enabled (false). Edit the entity to enable or disable FIM.
Select an entry from one of the tabs and edit any of the available fields in the Edit for Change Tracking pane. Options include:
- Enable (True) or disable (False) file integrity monitoring
- Provide or change the entity name
- Provide or change the value or path
- Delete the entity
Discard or save your changes.
Add a new entity to monitor
From the File integrity monitoring dashboard for a workspace, select Settings from the toolbar.
The Workspace Configuration opens.
One the Workspace Configuration:
Select the tab for the type of entity that you want to add: Windows registry, Windows files, Linux Files, file content, or Windows services.
Select Add.
In this example, we selected Linux Files.
Select Add. Add for Change Tracking opens.
Enter the necessary information and select Save.
Folder and path monitoring using wildcards
Use wildcards to simplify tracking across directories. The following rules apply when you configure folder monitoring using wildcards:
- Wildcards are required for tracking multiple files.
- Wildcards can only be used in the last segment of a path, such as C:\folder\file or /etc/*.conf
- If an environment variable includes a path that is not valid, validation will succeed but the path will fail when inventory runs.
- When setting the path, avoid general paths such as c:*.* which will result in too many folders being traversed.
Disable FIM
You can disable FIM. FIM uses the Azure Change Tracking solution to track and identify changes in your environment. By disabling FIM, you remove the Change Tracking solution from selected workspace.
To disable FIM:
From the File integrity monitoring dashboard for a workspace, select Disable.
Select Remove.
Next steps
In this article, you learned to use file integrity monitoring (FIM) in Defender for Cloud. To learn more about Defender for Cloud, see the following pages:
- Setting security policies -- Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing security recommendations -- Learn how recommendations help you protect your Azure resources.
- Azure Security blog--Get the latest Azure security news and information.
Povratne informacije
Pošalјite i prikažite povratne informacije za