Compare baselines using File Integrity Monitoring (FIM)
Note
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. Learn more about the recent renaming of Microsoft security services.
File Integrity Monitoring (FIM) informs you when changes occur to sensitive areas in your resources, so you can investigate and address unauthorized activity. FIM monitors Windows files, Windows registries, and Linux files.
This topic explains how to enable FIM on the files and registries. For more information about FIM, see File Integrity Monitoring in Microsoft Defender for Cloud.
Why use FIM?
The operating system, applications, and their associated configurations control the behavior and security state of your resources. Attackers therefore target the files and registry keys that control a resource, either to take over its operating system or to execute activity without being detected.
Many regulatory compliance standards, such as PCI DSS and ISO/IEC 17799 (since renumbered ISO/IEC 27002), require FIM controls.
Enable built-in recursive registry checks
The FIM registry hive defaults provide a convenient way to monitor recursive changes (changes to a key and to all of its subkeys) within common security areas. For example, an adversary may arrange for a script to run in the LOCAL_SYSTEM context by registering it to execute at startup or shutdown. To monitor changes of this type, enable the built-in check.

Note
Recursive checks apply only to recommended security hives and not to custom registry paths.
Add a custom registry check
FIM baselines start by identifying the characteristics of a known-good state for the operating system and its supporting applications. For this example, we will focus on the password policy configurations for Windows Server 2008 and later.
| Policy Name | Registry Setting |
|---|---|
| Domain controller: Refuse machine account password changes | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange |
| Domain member: Digitally encrypt or sign secure channel data (always) | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal |
| Domain member: Digitally encrypt secure channel data (when possible) | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel |
| Domain member: Digitally sign secure channel data (when possible) | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel |
| Domain member: Disable machine account password changes | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange |
| Domain member: Maximum machine account password age | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge |
| Domain member: Require strong (Windows 2000 or later) session key | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey |
| Network security: Restrict NTLM: NTLM authentication in this domain | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain |
| Network security: Restrict NTLM: Add server exceptions in this domain | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers |
| Network security: Restrict NTLM: Audit NTLM authentication in this domain | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain |
Note
To learn more about registry settings supported by various operating system versions, refer to the Group Policy Settings reference spreadsheet.
To configure FIM to monitor registry baselines:
In the Add Windows Registry for Change Tracking window, in the Windows Registry Key text box, enter the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Track changes to Windows files
In the Add Windows File for Change Tracking window, in the Enter path text box, enter the folder that contains the files that you want to track. In the example in the following figure, Contoso Web App resides on the D:\ drive within the ContosWebApp folder structure.
Create a custom Windows file entry by providing a name for the setting class, enabling recursion, and specifying the top folder with a wildcard (*) suffix, so that files in every subfolder are also tracked.
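The two entries above (a registry key and a recursive folder) both work the same way underneath: the agent records a known-good snapshot and later reports what differs. The following Python script is an added example, not code from the page or from Defender for Cloud, that reproduces that mechanism offline. The registry tree is a constructed in-memory dictionary whose value names come from the table above but whose data values are assumed for illustration; the file tree is created in a temporary directory named after the page's ContosWebApp folder; the record fields (ConfigChangeType, ChangeCategory, Previous, Current) only mirror the shape of the ConfigurationChange table.

```python
"""
Added example (not from the page): a minimal baseline-comparison engine.
It flattens a registry-like tree (recursing into subkeys) and hashes a
directory tree (recursing into subfolders), then diffs each snapshot
against its baseline and emits ConfigurationChange-style records.
"""
import hashlib
import os
import tempfile

NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

# Constructed known-good baseline. Value names are from the page's table;
# the data values are assumptions for illustration, not vendor defaults.
REGISTRY_BASELINE = {
    NETLOGON_KEY: {
        "RequireSignOrSeal": 1,
        "SealSecureChannel": 1,
        "SignSecureChannel": 1,
        "DisablePasswordChange": 0,
        "MaximumPasswordAge": 30,
        "RequireStrongKey": 1,
    }
}

# Constructed "current" state: secure-channel signing was switched off and
# a value was planted under a new subkey (caught only by recursion).
REGISTRY_CURRENT = {
    NETLOGON_KEY: {
        "RequireSignOrSeal": 0,
        "SealSecureChannel": 1,
        "SignSecureChannel": 1,
        "DisablePasswordChange": 0,
        "MaximumPasswordAge": 30,
        "RequireStrongKey": 1,
    },
    NETLOGON_KEY + r"\Evil": {"Loader": r"C:\Temp\x.exe"},
}


def flatten_registry(tree):
    """Turn {key: {valueName: data}} into {key\\valueName: data} so every
    subkey is covered, like the built-in recursive hive checks."""
    return {f"{key}\\{name}": data
            for key, values in tree.items() for name, data in values.items()}


def snapshot_directory(root):
    """Recursively hash every file under root (a custom file entry with
    recursion and a '*' suffix). Returns {relative_path: sha256 hex}."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def compare(baseline, current, change_type):
    """Diff two flat snapshots and return change records. An item present
    only in the baseline is Removed, only in current is Added, otherwise
    Modified; unchanged items are not reported."""
    records = []
    for item in sorted(set(baseline) | set(current)):
        before, after = baseline.get(item), current.get(item)
        if before == after:
            continue
        category = "Added" if before is None else "Removed" if after is None else "Modified"
        records.append({"ConfigChangeType": change_type, "ChangeCategory": category,
                        "Item": item, "Previous": before, "Current": after})
    return records


def registry_changes():
    """Registry diff: expect the planted Evil\\Loader value and the flipped flag."""
    return compare(flatten_registry(REGISTRY_BASELINE),
                   flatten_registry(REGISTRY_CURRENT), "Registry")


def file_changes_demo():
    """Build a throwaway web-app folder, baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "ContosWebApp")
        os.makedirs(os.path.join(app, "bin"))
        for rel, body in {"web.config": b"<configuration/>", "bin/app.dll": b"MZ..."}.items():
            with open(os.path.join(app, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot_directory(app)
        # Tamper: edit the config and drop a web shell; bin/app.dll stays intact.
        with open(os.path.join(app, "web.config"), "wb") as fh:
            fh.write(b"<configuration><!-- backdoor --></configuration>")
        with open(os.path.join(app, "shell.aspx"), "wb") as fh:
            fh.write(b"<% eval %>")
        return compare(baseline, snapshot_directory(app), "Files")


if __name__ == "__main__":
    for rec in registry_changes() + file_changes_demo():
        print(rec)
```

The registry diff reports two records (the Modified RequireSignOrSeal flag and the Added Evil\Loader value) and the file diff reports two (the Modified web.config and the Added shell.aspx); the untouched bin\app.dll produces nothing, which is the point of comparing hashes rather than listing files.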
Retrieve change data
File Integrity Monitoring data is stored in the ConfigurationChange table of the Log Analytics workspace, alongside other Change Tracking data.
Set a time range to retrieve a summary of changes by resource. In the following example, we are retrieving all changes in the last fourteen days in the categories of registry and files:
```kusto
ConfigurationChange
| where TimeGenerated > ago(14d)
| where ConfigChangeType in ('Registry', 'Files')
| summarize count() by Computer, ConfigChangeType
```
To view details of the registry changes:
- Remove Files from the where clause,
- Remove the summarization line and replace it with an ordering clause:
```kusto
ConfigurationChange
| where TimeGenerated > ago(14d)
| where ConfigChangeType in ('Registry')
| order by Computer, RegistryKey
```
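Listing the registry changes is only half the work; an analyst still has to decide which of them left the known-good state. The Python script below is an added example, not code from the page or from Defender for Cloud, that triages an export of the registry query offline. SAMPLE_CSV is constructed here to mirror the ConfigurationChange columns the query returns (TimeGenerated, Computer, ConfigChangeType, ChangeCategory, RegistryKey, ValueName, PreviousValueData, ValueData); EXPECTED is an assumed known-good baseline for the Netlogon parameters, not vendor defaults; REFERENCE_TIME stands in for the query's now() so that the ago(14d) window is reproducible.

```python
"""
Added example (not from the page): triage a CSV export of the registry
query against a known-good baseline. Applies the same 14-day window as
ago(14d), reproduces the summarize-by-computer count, and then flags
Netlogon values whose new data is not the expected data or whose name is
not in the baseline at all.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
REFERENCE_TIME = datetime(2024, 3, 3, tzinfo=timezone.utc)  # stands in for now()

# Assumed known-good data for the page's Netlogon parameters (illustrative).
EXPECTED = {
    "RequireSignOrSeal": "1",
    "SealSecureChannel": "1",
    "SignSecureChannel": "1",
    "DisablePasswordChange": "0",
    "MaximumPasswordAge": "30",
    "RequireStrongKey": "1",
}

# Constructed export in the shape of the page's registry query output.
SAMPLE_CSV = r"""TimeGenerated,Computer,ConfigChangeType,ChangeCategory,RegistryKey,ValueName,PreviousValueData,ValueData
2024-03-01T10:15:00Z,dc01.contoso.com,Registry,Modified,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,1,0
2024-03-01T10:16:00Z,dc01.contoso.com,Registry,Modified,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,30,30
2024-03-02T08:00:00Z,web01.contoso.com,Registry,Added,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,Evil,,C:\Temp\x.exe
2024-01-05T08:00:00Z,web01.contoso.com,Registry,Modified,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,1,0
"""


def parse_export(text):
    """Read the CSV export and parse TimeGenerated into aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeGenerated"] = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def in_window(rows, now, days=14):
    """Equivalent of `where TimeGenerated > ago(14d)`."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r["TimeGenerated"] > cutoff]


def summarize(rows):
    """Equivalent of `summarize count() by Computer, ConfigChangeType`."""
    return Counter((r["Computer"], r["ConfigChangeType"]) for r in rows)


def deviations(rows):
    """Flag Netlogon values that left the baseline. A Modified event whose
    new data still matches EXPECTED is noise, not a finding; an unknown
    value name under the key is always a finding."""
    findings = []
    for r in rows:
        if r["ConfigChangeType"] != "Registry":
            continue
        if not r["RegistryKey"].lower().startswith(NETLOGON_KEY.lower()):
            continue
        expected = EXPECTED.get(r["ValueName"])
        if expected is None:
            reason = "value not in baseline"
        elif r["ValueData"] != expected:
            reason = f"expected {expected}, found {r['ValueData']}"
        else:
            continue
        findings.append({"Computer": r["Computer"], "ValueName": r["ValueName"],
                         "Reason": reason, "When": r["TimeGenerated"].isoformat()})
    return findings


if __name__ == "__main__":
    recent = in_window(parse_export(SAMPLE_CSV), REFERENCE_TIME)
    print(summarize(recent))
    for f in deviations(recent):
        print(f)
```

Against the constructed export, the January row falls outside the window, the MaximumPasswordAge rewrite is dropped because the new data equals the baseline, and two findings remain: RequireSignOrSeal set to 0 on dc01 and an unexpected Evil value on web01.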
Query results can be exported to CSV for archiving or channeled into a Power BI report.
