Enable File Integrity Monitoring when using the Azure Monitor Agent

To provide File Integrity Monitoring (FIM), the Azure Monitor Agent (AMA) collects data from machines according to Data Collection Rules. FIM compares the current state of your system files with the state recorded during the previous scan and notifies you about suspicious modifications.

FIM uses the Azure Change Tracking solution to track and identify changes in your environment. When File Integrity Monitoring is enabled, you have a Change Tracking resource of type Solution. Learn about data collection for Change Tracking.

File Integrity Monitoring with the Azure Monitor Agent offers:

  • Compatibility with the unified monitoring agent - Compatible with the Azure Monitor Agent, which improves security and reliability and supports multi-homing for storing data.
  • Compatibility with the tracking tool - Compatible with the Change Tracking (CT) extension deployed through Azure Policy on the client's virtual machine. You can switch to the Azure Monitor Agent (AMA), and the CT extension then pushes software, file, and registry data to AMA.
  • Simplified onboarding - You can onboard FIM from Microsoft Defender for Cloud.
  • Multi-homing experience - Provides standardized management from one central workspace. You can transition from Log Analytics (LA) to AMA so that all VMs point to a single workspace for data collection and maintenance.
  • Rules management - Uses Data Collection Rules to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.

Note

If you remove the Change Tracking resource, you will also disable the File Integrity Monitoring in Defender for Cloud.

Availability

Aspect: Details
Release state: Preview
Pricing: Requires Microsoft Defender for Servers Plan 2
Required roles and permissions: Owner, Contributor
Clouds:
  • Commercial clouds - Supported only in regions: australiaeast, australiasoutheast, canadacentral, centralindia, centralus, eastasia, eastus2euap, eastus, eastus2, francecentral, japaneast, koreacentral, northcentralus, northeurope, southcentralus, southeastasia, switzerlandnorth, uksouth, westcentralus, westeurope, westus, westus2
  • National (Azure Government, Azure China 21Vianet)
  • Azure Arc enabled devices
  • Connected AWS accounts
  • Connected GCP accounts

Prerequisites

To track changes to your files on machines with AMA:

Enable File Integrity Monitoring with AMA

To enable File Integrity Monitoring (FIM):

  1. Use the FIM recommendation to select machines for file integrity monitoring:

    1. From Defender for Cloud's sidebar, open the Recommendations page.
    2. Select the recommendation File integrity monitoring should be enabled on machines. Learn more about Defender for Cloud recommendations.
    3. Select the machines that you want to use File Integrity Monitoring on, select Fix, and select Fix X resources.

    The recommendation fix:

    • Installs the ChangeTracking-Windows or ChangeTracking-Linux extension on the machines.
    • Generates a data collection rule (DCR) for the subscription, named Microsoft-ChangeTracking-[subscriptionId]-default-dcr, that defines what files and registries should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
    • Creates a new Log Analytics workspace with the naming convention defaultWorkspace-[subscriptionId]-fim and with the default workspace settings.

    You can update the DCR and Log Analytics workspace settings later.

  2. From Defender for Cloud's sidebar, go to Workload protections > File integrity monitoring, and select the banner to show the results for machines with Azure Monitor Agent.

    Screenshot of banner in File integrity monitoring to show the results for machines with Azure Monitor Agent.

  3. The machines with File Integrity Monitoring enabled are shown.

    Screenshot of File integrity monitoring results for machines with Azure Monitor Agent.

    You can see the number of changes that were made to the tracked files, and you can select View changes to see the changes made to the tracked files on that machine.

Edit the list of tracked files and registry keys

File Integrity Monitoring (FIM) for machines with Azure Monitor Agent uses Data Collection Rules (DCRs) to define the list of files and registry keys to track. Each subscription has a DCR for the machines in that subscription.

FIM creates DCRs with a default configuration of tracked files and registry keys. You can edit the DCRs to add, remove, or update the list of files and registries that are tracked by FIM.

To edit the list of tracked files and registries:

  1. In File integrity monitoring, select Data collection rules.

    You can see each of the rules that were created for the subscriptions that you have access to.

  2. Select the DCR that you want to update for a subscription.

    Each entry in the Windows registry keys, Windows files, and Linux files lists is a definition for a file or registry key, including its name, path, and other options. You can also set Enabled to False to stop tracking the file or registry key without removing its definition.

    Learn more about system file and registry key definitions.

  3. Select a file, and then add or edit the file or registry key definition.

  4. Select Add to save the changes.
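As an added illustration (not code from this page or from Microsoft), the following Python models the two behaviours described above: tracked-file definitions whose Enabled flag set to False keeps the definition but stops tracking, and a scan whose file digests are compared with the previous scan to report added, removed, and modified files. The field names, directory layout, and sample files are constructed assumptions, not the DCR schema.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# Constructed tracked-file definitions; field names are an illustration, not the DCR schema.
TRACKED = [
    {"name": "hosts", "path": "etc/hosts", "enabled": True},
    {"name": "sshd_config", "path": "etc/ssh/sshd_config", "enabled": True},
    {"name": "cron_job", "path": "etc/cron.d/job", "enabled": True},
    {"name": "motd", "path": "etc/motd", "enabled": False},  # defined but untracked
]

def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root: str, tracked: List[dict]) -> Dict[str, Optional[str]]:
    """Snapshot of every enabled tracked file: relative path -> digest (None if absent)."""
    state: Dict[str, Optional[str]] = {}
    for entry in tracked:
        if not entry["enabled"]:
            continue  # Enabled=False: definition stays, file is not scanned
        full = os.path.join(root, entry["path"])
        state[entry["path"]] = file_digest(full) if os.path.isfile(full) else None
    return state

def compare(previous: Dict[str, Optional[str]], current: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Classify differences between the previous and current scan as an FIM report would."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(previous) | set(current)):
        old, new = previous.get(path), current.get(path)
        if old is None and new is not None:
            report["added"].append(path)
        elif old is not None and new is None:
            report["removed"].append(path)
        elif old != new:
            report["modified"].append(path)
    return report

def write(root: str, rel: str, body: str) -> None:
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as f:
        f.write(body)

def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree, take a baseline, change files out of band, and rescan."""
    root = tempfile.mkdtemp()
    write(root, "etc/hosts", "127.0.0.1 localhost\n")
    write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
    write(root, "etc/motd", "welcome\n")
    baseline = scan(root, TRACKED)               # previous scan
    write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n# edited out of band\n")
    os.remove(os.path.join(root, "etc/hosts"))   # tracked file removed
    write(root, "etc/cron.d/job", "* * * * * root /bin/true\n")  # tracked file added
    write(root, "etc/motd", "changed but untracked\n")           # disabled: not reported
    return compare(baseline, scan(root, TRACKED))
```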

Exclude machines from File Integrity Monitoring

Every machine in the subscription that is attached to the DCR is monitored. You can detach a machine from the DCR so that the files and registry keys aren't tracked.

To exclude a machine from File Integrity Monitoring:

  • In the list of monitored machines in the FIM results, select the menu (...) for the machine and select Detach data collection rule.

Screenshot of the option to detach a machine from a data collection rule and exclude the machines from File Integrity Monitoring.

The machine moves to the list of unmonitored machines, and file changes aren't tracked for that machine anymore.

Next steps

Learn more about Defender for Cloud in: