Enable File Integrity Monitoring when using the Azure Monitor Agent
To provide File Integrity Monitoring (FIM), the Azure Monitor Agent (AMA) collects data from machines according to Data Collection Rules. When the current state of your system files is compared with the state during the previous scan, FIM notifies you about suspicious modifications.
File Integrity Monitoring with the Azure Monitor Agent offers:
- Compatibility with the unified monitoring agent: compatible with the Azure Monitor Agent, which enhances security and reliability and facilitates a multi-homing experience for storing data.
- Compatibility with the tracking tool: compatible with the Change Tracking (CT) extension deployed through Azure Policy on the client's virtual machine. You can switch to the Azure Monitor Agent (AMA), and then the CT extension pushes the software, file, and registry data to AMA.
- Simplified onboarding: you can onboard FIM from Microsoft Defender for Cloud.
- Multi-homing experience: provides standardization of management from one central workspace. You can transition from Log Analytics (LA) to AMA so that all VMs point to a single workspace for data collection and maintenance.
- Rules management: uses Data Collection Rules to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.
In this article you'll learn how to:
- Enable File Integrity Monitoring with AMA
- Edit the list of tracked files and registry keys
- Exclude machines from File Integrity Monitoring
|Aspect|Details|
|---|---|
|Pricing:|Requires Microsoft Defender for Servers Plan 2|
|Required roles and permissions:|Owner|
|Clouds:|Commercial clouds - Supported only in regions:<br>National (Azure Government, Azure China 21Vianet)<br>Azure Arc enabled devices<br>Connected AWS accounts<br>Connected GCP accounts|
To track changes to your files on machines with AMA:
Enable File Integrity Monitoring with AMA
To enable File Integrity Monitoring (FIM), use the FIM recommendation to select the machines to monitor:
1. From Defender for Cloud's sidebar, open the Recommendations page.
2. Select the recommendation File integrity monitoring should be enabled on machines. Learn more about Defender for Cloud recommendations.
3. Select the machines that you want to use File Integrity Monitoring on, select Fix, and then select Fix X resources.

   The recommendation fix:
   - Installs the ChangeTracking-Linux extension on the machines.
   - Generates a data collection rule (DCR) for the subscription, named Microsoft-ChangeTracking-[subscriptionId]-default-dcr, that defines which files and registry keys should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
   - Creates a new Log Analytics workspace with the naming convention defaultWorkspace-[subscriptionId]-fim and with the default workspace settings.

   You can update the DCR and Log Analytics workspace settings later.
4. From Defender for Cloud's sidebar, go to Workload protections > File integrity monitoring, and select the banner to show the results for machines with Azure Monitor Agent.

The machines with File Integrity Monitoring enabled are shown. You can see the number of changes that were made to the tracked files, and you can select View changes to see the changes made to the tracked files on that machine.
Edit the list of tracked files and registry keys
File Integrity Monitoring (FIM) for machines with Azure Monitor Agent uses Data Collection Rules (DCRs) to define the list of files and registry keys to track. Each subscription has a DCR for the machines in that subscription.
FIM creates DCRs with a default configuration of tracked files and registry keys. You can edit the DCRs to add, remove, or update the list of files and registries that are tracked by FIM.
To edit the list of tracked files and registry keys:
1. In File integrity monitoring, select Data collection rules.

   You can see each of the rules that were created for the subscriptions that you have access to.
2. Select the DCR that you want to update for a subscription.

   Each entry in the lists of Windows registry keys, Windows files, and Linux files contains a definition for a file or registry key, including name, path, and other options. You can also set Enabled to False to stop tracking the file or registry key without removing the definition.

   Learn more about system file and registry key definitions.
3. Select a file, and then add or edit the file or registry key definition.
4. Select Add to save the changes.
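As an added example (not from the page or from Microsoft), the following Python audits a DCR's file definitions against the paths a defender needs to stay tracked, and toggles Enabled or adds a definition without dropping existing ones. The DCR fragment and its key names (fileSettings, fileinfo, name, path, enabled) are assumptions modelled on the definitions the portal shows, so map them to your exported rule before use.

```python
import copy

# Constructed sample DCR fragment, not an exported rule. The key names
# (fileSettings, fileinfo, name/path/enabled) are assumptions modelled on
# the definitions the portal shows; check them against your exported DCR.
SAMPLE_DCR = {"properties": {"dataSources": {"extensions": [{
    "extensionName": "ChangeTracking-Linux",
    "extensionSettings": {"enableFiles": True, "fileSettings": {
        "fileCollectionFrequency": 900,
        "fileinfo": [
            {"name": "etc-passwd", "path": "/etc/passwd", "enabled": True},
            {"name": "etc-shadow", "path": "/etc/shadow", "enabled": True},
            {"name": "sshd-config", "path": "/etc/ssh/sshd_config", "enabled": False},
        ]}},
}]}}}

def file_definitions(dcr):
    """Yield every file definition across the rule's extension data sources."""
    for ext in dcr["properties"]["dataSources"].get("extensions", []):
        settings = ext.get("extensionSettings", {})
        yield from settings.get("fileSettings", {}).get("fileinfo", [])

def audit_required_paths(dcr, required):
    """Report required paths that are absent, or present but Enabled=False."""
    tracked = {d["path"]: bool(d.get("enabled")) for d in file_definitions(dcr)}
    return {"missing": sorted(p for p in required if p not in tracked),
            "disabled": sorted(p for p in required if p in tracked and not tracked[p])}

def set_enabled(dcr, name, enabled):
    """Flip a definition's Enabled flag without removing it; returns a new copy."""
    new = copy.deepcopy(dcr)
    hits = [d for d in file_definitions(new) if d["name"] == name]
    if not hits:
        raise KeyError(f"no file definition named {name!r}")
    for d in hits:
        d["enabled"] = enabled
    return new

def add_file_definition(dcr, name, path, enabled=True):
    """Append a definition to the first extension, refusing duplicate names."""
    new = copy.deepcopy(dcr)
    if any(d["name"] == name for d in file_definitions(new)):
        raise ValueError(f"duplicate definition name {name!r}")
    ext = new["properties"]["dataSources"]["extensions"][0]["extensionSettings"]
    ext.setdefault("fileSettings", {}).setdefault("fileinfo", []).append(
        {"name": name, "path": path, "enabled": enabled})
    return new
```

Run the audit against each subscription's exported DCR after every edit so a definition that was quietly set to Enabled=False shows up as a gap rather than silently dropping coverage.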
Exclude machines from File Integrity Monitoring
Every machine in the subscription that is attached to the DCR is monitored. You can detach a machine from the DCR so that the files and registry keys aren't tracked.
To exclude a machine from File Integrity Monitoring:
- In the list of monitored machines in the FIM results, select the menu (...) for the machine.
- Select Detach data collection rule.
The machine moves to the list of unmonitored machines, and file changes aren't tracked for that machine anymore.