Defender for Cloud FIM is not logging configuration changes for Azure Arc servers

Jonny Kantor 1 Reputation point
2023-01-10T16:59:07.887+00:00

I have several Arc servers (installed on AWS EC2 VMs) that have FIM deployed via quick fix for a security recommendation made by Defender for Cloud. The servers are running the Azure Monitoring Agent, and there is a Data Collection Rule in place that targets a Log Analytics workspace in the same region. The Log Analytics workspace has both the Security and Change Tracking solutions. When checking heartbeat or usage in the Logs for these machines, I can see that changetracking is sending heartbeat.

FIM is not sending configuration changes for the files or registry keys specified by default, or added by me for testing. There are no logs in the ConfigurationChange table for the Log Analytics workspace mentioned above (or at all as far as I can tell).

I'm not certain what else to check here; documentation is very sparse on this issue (apparently the only requirements being Defender for Servers 2 (which we have) and the Azure Monitor Agent being installed on the target servers (which it is)).


1 answer

  1. Andrew Blumhardt 9,866 Reputation points Microsoft Employee
    2023-01-10T18:29:33.827+00:00

    I recommend reviewing the following instructions. Verify that the extension and DCR rule are set up and scoped correctly. Also note that this data is stored in a new workspace. I recommend requesting a support case through your Microsoft contacts or Services Hub if the problem persists.

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-enable-ama
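
To act on the checks discussed in this thread, the following Log Analytics query is an added example (not part of the original question or answer) that lists every machine sending heartbeats alongside the number of file and registry change records it has in the same workspace. The 24-hour window is an assumption; run the query in each workspace the Data Collection Rule could be targeting.

```kusto
// Added diagnostic example, not from the original thread.
// Assumption: a 24h lookback is long enough to include a test file or registry change.
let lookback = 24h;
Heartbeat
| where TimeGenerated > ago(lookback)
// One row per machine: when it last reported and through which agent.
| summarize LastHeartbeat = max(TimeGenerated),
            AgentCategories = make_set(Category),
            Solutions = make_set(Solutions)
        by Computer
// Left outer join keeps machines that have heartbeats but no change records.
| join kind=leftouter (
    ConfigurationChange
    | where TimeGenerated > ago(lookback)
    | summarize FileChanges = countif(ConfigChangeType == "Files"),
                RegistryChanges = countif(ConfigChangeType == "Registry"),
                LastChange = max(TimeGenerated)
            by Computer
  ) on Computer
// Machines with no matching change rows get null counts; show them as 0.
| project Computer,
          LastHeartbeat,
          AgentCategories,
          Solutions,
          FileChanges = coalesce(FileChanges, 0),
          RegistryChanges = coalesce(RegistryChanges, 0),
          LastChange
// Silent machines sort to the top.
| order by FileChanges asc, RegistryChanges asc
```

A machine with a recent LastHeartbeat and zero change counts matches the symptom described in the question. If the query fails to resolve the ConfigurationChange table, that table is not present in the workspace being queried.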

