File Integrity Monitoring using Microsoft Defender for Endpoint
To provide File Integrity Monitoring (FIM), Microsoft Defender for Endpoint collects data from machines according to collection rules. When the current state of your system files is compared with the state during the previous scan, FIM notifies you about suspicious modifications.
Using FIM you can:
- Monitor changes made to critical files and Windows registries from a predefined list in real-time.
- Access and analyze the audited changes in a designated Workspace.
- Take advantage of the 500-MB benefit included in the Defender for Servers Plan 2.
- Maintain compliance: FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others.
FIM alerts you to any potentially suspicious activities. These activities include:
- The creation or deletion of files and registry keys
- Modifications to files, such as changes in the file's size, name, location, or the hash of its content
- Alterations to the registry, including changes in its size, type, and content
- Details about the change, including the source of the change. These include account details, which indicate who made the changes, and information about the initiating process.
For guidance on which files to monitor, see Which files should I monitor?.
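The mechanism described above (a snapshot of the monitored files is compared with the previous scan, and creations, deletions and content changes are reported) can be illustrated with a small stand-alone comparator. This is an added example written for this page, not Defender for Endpoint's own collection logic; the directory layout, file names and the drift applied to them are constructed here purely to exercise the three change classes, and comparing a content hash as well as the size is what catches an edit that leaves the file size unchanged.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (size, sha256)} for every regular file under root.

    Size alone is a weak signal: an attacker can replace bytes in place, so the
    content hash is recorded too (the same attributes FIM reports on).
    """
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        state[path.relative_to(root).as_posix()] = (
            len(data),
            hashlib.sha256(data).hexdigest(),
        )
    return state


def compare(previous, current):
    """Classify differences between two snapshots into created/deleted/modified."""
    created = sorted(set(current) - set(previous))
    deleted = sorted(set(previous) - set(current))
    modified = sorted(
        p for p in set(previous) & set(current) if previous[p] != current[p]
    )
    return {"created": created, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then apply one change of each kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF")

        baseline = snapshot(root)  # state "during the previous scan"

        # Drift between scans (all constructed):
        # 1. content appended -> size and hash change
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 example\n")
        # 2. same-length edit -> size unchanged, only the hash changes
        (root / "etc" / "passwd").write_text("root:x:0:1\n")
        # 3. a monitored binary removed
        (root / "bin" / "tool").unlink()
        # 4. a new file appears in a monitored location
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("* * * * * root /tmp/x\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the module prints one line per change class; `etc/passwd` is reported as modified even though its size did not change, which is why a hash belongs in the baseline. A real deployment would persist the baseline out of reach of the monitored host and attach the account and process details that FIM records alongside each event.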
Availability
Aspect | Details |
---|---|
Release state: | Preview |
Pricing: | Requires Microsoft Defender for Servers Plan 2 |
Required roles and permissions: | Workspace owner or Security admin can enable and disable FIM. For more information, see Azure Roles for Log Analytics. Reader can view results. |
Clouds: | Commercial clouds. Azure Arc enabled devices. Connected AWS accounts. Connected GCP accounts. |
Prerequisites
To track changes to your files and registries on machines with Defender for Endpoint, you need to:
1. Enable Defender for Servers Plan 2.
2. Enable Defender for Endpoint on the machines you want to monitor.
Enable File Integrity Monitoring
Enable in the Azure portal
To enable FIM in the Azure portal, follow these steps:
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant subscription.
5. Locate the Defender for Servers plan and select Settings.
6. In the File Integrity Monitoring section, switch the toggle to On. Then select Edit configuration.
7. The FIM configuration pane opens. In the Workspace selection dropdown, select the workspace where you want to store the FIM data. If you want to create a new workspace, select Create new.
Important
Events collected for FIM powered by Defender for Endpoint are included in the data types eligible for the 500 MB benefit for Defender for Servers Plan 2 customers. For more information, see What data types are included in the daily allowance?.
8. In the lower section of the FIM configuration pane, select the Windows registry, Windows files, and Linux files tabs to choose the files and registries you want to monitor. If you choose the top selection in each tab, all files and registries are monitored. Select Apply to save your changes.
9. Select Continue.
10. Select Save.
Disable File Integrity Monitoring
After FIM is disabled, no new events are collected. However, the data collected before the feature was disabled remains in the workspace, according to the workspace's retention policy. For more information, see Manage data retention in a Log Analytics workspace.
Disable in the Azure portal
To disable FIM in the Azure portal, follow these steps:
1. Sign in to the Azure portal.
2. Search for and select Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, select Environment settings.
4. Select the relevant subscription.
5. Locate the Defender for Servers plan and select Settings.
6. In the File Integrity Monitoring section, switch the toggle to Off.
7. Select Apply.
8. Select Continue.
9. Select Save.
Monitor entities and files
To monitor entities and files, follow these steps:
Note
If you haven't enabled FIM yet, you'll see a message that says File Integrity Monitoring is not enabled. To enable FIM, select Onboard subscriptions and then follow the directions in Enable File Integrity Monitoring.
1. From Defender for Cloud's sidebar, go to Workload protections > File integrity monitoring.
2. A window opens with all resources that contain tracked changed files and registries.
3. If you select a resource, a window opens with a query showing the changes made to the tracked files and registries on that resource.
4. If you select the subscription of the resource (under the column Subscription name), a query opens with all the tracked files and registries in that subscription.
Note
If you previously used File Integrity Monitoring over MMA, you can return to that method by selecting Change to previous experience. This will be available until the FIM over MMA feature is deprecated. For information on the deprecation plan, see Prepare for retirement of the Log Analytics agent.
Retrieve and analyze FIM data
The file integrity monitoring data resides within the Azure Log Analytics workspace in the MDCFileIntegrityMonitoringEvents table. The table appears in the Log Analytics workspace under the LogManagement group.
Set a time range to retrieve a summary of changes by resource. In the following example, we retrieve all changes in the last 14 days in the categories of registry and files:

```kusto
MDCFileIntegrityMonitoringEvents
| where TimeGenerated > ago(14d)
| where MonitoredEntityType in ('Registry', 'File')
| summarize count() by Computer, MonitoredEntityType
```
To view detailed information about registry changes:
1. Remove `File` from the `where` clause.
2. Replace the summarization line with an ordering clause:

```kusto
MDCFileIntegrityMonitoringEvents
| where TimeGenerated > ago(14d)
| where MonitoredEntityType == 'Registry'
| order by Computer, RegistryKey
```
The reports can be exported to CSV for archival purposes and channeled to a Power BI report for further analysis.
Related content
Learn more about Defender for Cloud in:
- Setting security policies - Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing security recommendations - Learn how recommendations help you protect your Azure resources.
- Azure Security blog - Get the latest Azure security news and information.