संपादित करें

इसके माध्यम से साझा किया गया


File Integrity Monitoring using Microsoft Defender for Endpoint

To provide File Integrity Monitoring (FIM), Microsoft Defender for Endpoint collects data from machines according to collection rules. When the current state of your system files is compared with the state during the previous scan, FIM notifies you about suspicious modifications.

Using FIM you can:

  • Monitor changes made to critical files and Windows registries from a predefined list in real-time.
  • Access and analyze the audited changes in a designated Workspace.
  • Take advantage of the 500-MB benefit included in the Defender for Servers Plan 2.
  • Maintain compliance: FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others

FIM alerts you to any potentially suspicious activities. These activities include:

  • The creation or deletion of files and registry keys
  • Modifications to files, such as changes in the file's size, name, location, or the hash of its content
  • Alterations to the registry, including changes in its size, type, and content
  • Details about the change, including the source of the change. These include account details, which indicate who made the changes, and information about the initiating process.

For guidance on which files to monitor, see Which files should I monitor?.

Availability

Aspect Details
Release state: Preview
Pricing: Requires Microsoft Defender for Servers Plan 2
Required roles and permissions: Workspace owner or Security admin can enable and disable FIM. For more information, see Azure Roles for Log Analytics.
Reader can view results.
Clouds: Commercial clouds
Azure Arc enabled devices.
Connected AWS accounts
Connected GCP accounts

Prerequisites

To track changes to your files and registries on machines with Defender for Endpoint, you need to:

Enable File Integrity Monitoring

Enable in the Azure portal

To enable FIM in the Azure portal, follow these steps:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant subscription.

  5. Locate the Defenders for Servers plan and select Settings.

  6. In the File Integrity Monitoring section, switch the toggle to On. Then select Edit configuration.

    Screenshot of how to enable File Integrity Monitoring.

  7. The FIM configuration pane opens. In the Workspace selection dropdown, select the workspace where you want to store the FIM data. If you want to create a new workspace, select Create new.

    Screenshot of the FIM configuration pane.

    Important

    Events collected for FIM powered by Defender for Endpoint are included in the data types eligible for the 500 MB benefit for Defender for Servers Plan 2 customers. For more information, see What data types are included in the daily allowance?.

  8. In the lower section of the FIM configuration pane, select the Windows registry, Windows files, and Linux files tabs to choose the files and registries you want to monitor. If you choose the top selection in each tab, all files and registries are monitored. Select Apply to save your changes.

    Screenshot of the FIM configuration tabs.

  9. Select Continue.

  10. Select Save.

Disable File Integrity Monitoring

After FIM is disabled, no new events are collected. However, the data collected before the disabling the feature remain in the workspace, according to the workspace's retention policy. For more information, see Manage data retention in a Log Analytics workspace.

Disable in the Azure portal

To disable FIM in the Azure portal, follow these steps:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. In the Defender for Cloud menu, select Environment settings.

  4. Select the relevant subscription.

  5. Locate the Defenders for Servers plan and select Settings.

  6. In the File Integrity Monitoring section, switch the toggle to Off.

    Screenshot of how to disable File Integrity Monitoring.

  7. Select Apply.

  8. Select Continue.

  9. Select Save.

Monitor entities and files

To monitor entities and files, follow these steps:

Note

If you haven't enabled FIM yet, you'll see a message that says File Integrity Monitoring is not enabled. To enable FIM, select Onboard subscriptions and then follow the directions in Enable File Integrity Monitoring.

  1. From Defender for Cloud's sidebar, go to Workload protections > File integrity monitoring.

    Screenshot of how to access File Integrity Monitoring in Workload protections.

  2. A window opens with all resources that contain tracked changed files and registries.

    Screenshot of the File Integrity Monitoring results.

  3. If you select a resource, a window opens with a query showing the changes made to the tracked files and registries on that resource.

    Screenshot of the File Integrity Monitoring query.

  4. If you select the subscription of the resource (under the column Subscription name), a query opens with all the tracked files and registries in that subscription.

Note

If you previously used File Integrity Monitoring over MMA, you can return to that method by selecting Change to previous experience. This will be available until the FIM over MMA feature is deprecated. For information on the deprecation plan, see Prepare for retirement of the Log Analytics agent.

Retrieve and analyze FIM data

The file integrity monitoring data resides within the Azure Log Analytics workspace in the MDCFileIntegrityMonitoringEvents table. The table appears in the Log Analytics Workspace under the LogManagment table.

  1. Set a time range to retrieve a summary of changes by resource. In the following example, we retrieve all changes in the last 14 days in the categories of registry and files:

    MDCFileIntegrityMonitoringEvents  
    | where TimeGenerated > ago(14d)
    | where MonitoredEntityType in ('Registry', 'File')
    | summarize count() by Computer, MonitoredEntityType
    
  2. To view detailed information about registry changes:

    1. Remove Files from the where clause.

    2. Replace the summarization line with an ordering clause:

    MDCFileIntegrityMonitoringEvents 
    | where TimeGenerated > ago(14d)
    | where MonitoredEntityType == 'Registry'
    | order by Computer, RegistryKey
    
  3. The reports can be exported to CSV for archival purposes and channeled to a Power BI report for further analysis.

Learn more about Defender for Cloud in: