Previously the File Integrity Monitoring (FIM) feature in Defender for Server P2 was based on the MMA and/or Azure Monitor Agent. Since the MMA agent is almost retired/ EOL, Microsoft decided to switch to a new technique and release the FileIntegrityMonitoring feature based on the Defender for Endpoint agent. This means there is no requirement for AMA deployments, based on using one single agent.
The FIM experience over the MMA experience will remain supported until the end of November 2024. The feature is currently in public preview. Good to know that the FIM experience over AMA will no longer be available in the Defender for Cloud portal.
Blog from the previous experience based on AMA: Configure File Integrity Monitoring (FIM) using Defender for Cloud and AMA-agent
Introduction File Integrity Monitoring
File Integrity Monitoring (FIM) is a security process that monitors and analyzes the integrity of critical assets and locations. Changes in critical structures can indicate signs of tampering or corruption, which can be used as an indication of a cyberattack.
FIM monitors all file modifications that are located on databases, servers, applications, network devices, directory servers, and cloud environments. And delivers information about how, why, when, and more detailed information related to the activity.
FIM is not only useful during cyberattacks. Some changes made by administrators or employees can enable risk to the organizations. With the use of FIM, it is possible to identify vulnerabilities and fix them before they can be exploited.
File Integrity Monitoring (FIM) helps you to monitor the Windows registry and files of operating systems such as Windows and Linux application software and all the changes that might indicate a cyberattack/ misconfiguration.
In short; the most useful use cases;
- Meet compliance requirements by monitoring critical files
- Identify potential security issues by detecting suspicious file changes
Personally, the latest item to identify potential security issues by detecting changes in files is really interesting and enables lots of use cases, with this it is possible to monitor important files linked to applications/ servers or databases. When changed, it will directly report the change and notify. Examples:
- Monitor deletion of registry files
- Monitor deletion of files in Windows/ Linux
- Monitor changes in files/ Windows registry
Prerequisites
For configuring auto provisioning via Defender for Cloud the following prerequisites are important:
- Enable Defender for Servers Plan 2
- Defender for Endpoint must be enabled and up-to-date
- Specific requirements for Defender for Endpoint are not documented, it is recommended to use one of the latest recent product releases to be sure MDE is running with the latest features
Storage cost
Storage of events is not in the Microsoft Defender dataset, it is located in the connected Log Analytics workspace, and billed via the Log Analytics cost. With the use of the unified SecOps platform, it is possible to combine Sentinel and Microsoft Defender and use both data in the queries.
The file integrity monitoring data resides within the Azure Log Analytics workspace in the MDCFileIntegrityMonitoringEvents table.
File Integrity Monitoring in Defender for Cloud
Microsoft Defender for Servers is one of the plans provided by Microsoft Defender for Cloud and provides FIM. Defender for Servers Plan 2 is needed. This includes the FIM feature and the advantage of the 500MB benefit of log data ingestion.
Defender for Servers provides two plans:
- Defender for Servers Plan 1
- Defender for Servers Plan 2
Plan 1 supports integration with Defender for Endpoint Plan 2, Threat Vulnerability management with MDE, and enables automatic onboarding. For the additional enhanced security features, Plan 2 is needed. (FIM)
Feature/Capability | Defender for Servers Plan 1 ($ 5) | Defender for Servers Plan 2 ($ 15) |
---|---|---|
Microsoft Defender for Endpoint P2 | ✅ | ✅ |
Microsoft threat and vulnerability management | ✅ | ✅ |
Automatic agent onboarding, alert, and data integration | ✅ | ✅ |
Just-in-time VM access for management ports | ❌ | ✅ |
Network layer threat detection | ❌ | ✅ |
Adaptive application controls | ❌ | ✅ |
File Integrity monitoring | ❌ | ✅ |
Adaptive network hardening | ❌ | ✅ |
Network map | ❌ | ✅ |
Agentless scanning | ❌ | ✅ |
Free 500MB Log Analytics data ingestion | ❌ | ✅ |
See the full comparison list: Select a Defender for Servers plan – Microsoft Defender for Cloud | Microsoft Learn
Enable Defender for Servers Plan 2
File Integrity Monitoring (FIM) is part of Defender for Servers Plan 2. Enablement of Defender for Servers is possible directly in Defender for Cloud.
- Sign in to the Azure portal
- Search for Microsoft Defender for Cloud
- In Defender for Cloud, select Environment settings
- Open the subscription
- Enable Defender for Servers in the Defender plans setting view
When enabling Defender for Servers make sure Plan 2 is enabled. When Plan 2 is not visible in the pricing select Change Plan and select Defender for Servers Plan 2. Defender for Servers will be activated for all supported resources in the subscription.
Defender for Servers can be enabled via Azure Policy or Code. There are ways to allow specific plans and include/ exclude machines. The above way via the environment settings is subscription-wide and will enforce all machines in the particular subscription. When Plan 2 is enabled, all resources in the subscription will be billed against the P2 plan.
Enable FIM integration and configure
After the plan is enabled, the File Integrity Monitoring feature on the specific subscription must be enabled. For this go to Settings & Monitoring and enable File Integrity Monitoring. Switch the toggle to On.
Configuration
Now we can edit the configuration and define the workspace. The events will be stored in the Log Analytics workspace. Select the workspace for the events.
During my lab configured the Sentinel workspace connected to the unified SecOps platform in Defender XDR. This gives the benefit of leveraging the FIM data in Advanced Hunting and cross-hunt with other ingested tables (MDE events) and identity data. One important point; when selecting a Log Analytics workspace connected with Sentinel the cost will increase, since LAW with Sentinel enabled is more expensive in comparison with a single LAW workspace. All personally; seeing some benefits with the use of Defender XDR and hunting. When using Sentinel; keep in mind to fine-tune the rules, to avoid way too many events generated by FIM.
Events can be configured in the same FIM configuration view. For now, it seems not possible to scope configurations to single machines, and FIM is subscription-wide for all machines in the subscription where the Defender for Servers P2 plan is enabled.
Microsoft recommends tracking the following items via FIM. The recommendations are by default part of the configuration. In the above configuration view, it is possible to unselect items.
Linux Files | Windows files | Windows registry keys (HKLM = HKEY_LOCAL_MACHINE) |
---|---|---|
/bin | C:\config.sys | SOFTWARE\Microsoft\Cryptography\OID* |
/bin/passwd | C:\Windows\regedit.exe | SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID* |
/boot | C:\Windows\System32\userinit.exe | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows |
/etc/*.conf | C:\Windows\explorer.exe | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
/etc/cron.daily | C:\autoexec.bat | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
/etc/cron.hourly | C:\boot.ini | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
/etc/cron.monthly | C:\Windows\system.ini | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
/etc/cron.weekly | C:\Windows\win.ini | SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce |
/etc/crontab | SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\ | |
/etc/init.d | SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | |
/opt/sbin | SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | |
/sbin | SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | |
/usr/bin | SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | |
/usr/local/bin | SECURITY\POLICY\SECRETS | |
/usr/local/sbin | ||
/usr/sbin | ||
/bin/login | ||
/opt/bin |
Custom files
It seems currently not possible to add custom file paths and registry items. The FIM via MDE feature is based on the list recommended above. There is no way to add custom paths, hopefully, soon, Microsoft add support for adding custom files and custom registry items.
Reporting
Now we have to do some registry and file changes so FIM can detect them and show them to the dashboard. For example, add a new registry value. Use one of the above paths and add a couple of registry keys in one of the registry locations.
Another good example is installing software since most software is writing files and registry keys in the monitored locations.
FIM has detected the changes shows it is the reporting section, and writes the events directory to the linked Log Analytics workspace.
To monitor entities and files, follow these steps: Open Defender for Cloud – go to Workload protections -> File integrity monitoring. This is the section needed for File Integrity Monitoring.
In the next window, all information is visible related to the changes. The main page lists all machines that are currently monitored with the FIM configuration. All of the changes are collected via the MDE sensor.
When opening the resource, the detailed information is visible; including all changes for the specific machine in KQL on the Log Analytics workspace via the following query:
MDCFileIntegrityMonitoringEvents
| where AzureResourceId contains "8ffec0d0-48ab-4938-ac28-303339e3aa51"
| where Computer contains "c-avm-srv2022-3"
| where MonitoredEntityType in("File", "Registry")
| order by TimeGenerated
All data is visible in the Log Analytics workspace, including ChangeType, RegistryKey, RegistryHive, and the Old and new value names.
To view all data received in the last 14 days summarized by the computer name use the below query:
MDCFileIntegrityMonitoringEvents
| where TimeGenerated > ago(14d)
| where MonitoredEntityType in ('Registry', 'File')
| summarize count() by Computer, MonitoredEntityType
Filtered by registry key and computer:
MDCFileIntegrityMonitoringEvents
| where TimeGenerated > ago(14d)
| where MonitoredEntityType == 'Registry'
| order by Computer, RegistryKey
All data is visible in the MDCFileIntegrityMonitoringEvents table. When using the unified SecOps portal, the data can be visible/ available directly in Defender XDR;
Conclusion
Good to see Microsoft removed the complexity of additional agents and used the Defender for Endpoint component to leverage FIM functionalities via the sensor.
File Integrity Monitoring, is about keeping track of change from an established baseline and alerting you to any unexpected change that may result in a security risk or a compromise in compliance.
Hopefully, Microsoft will add in the future the possibility to track custom locations and add configurations for single machines, now it is subscription-wide across all machines. All the use of one single agent makes it way way more easier to use and deploy.
Some usecases for FIM;
- Detecting the early stage of a complex cyberattack (changing important files)
- Identifying weaknesses in IT infrastructure ( Changes by IT/ Admin) which result in exploits
- Compliance reasons (HIPAA, GDPR, ISO 17799 PCI DSS, and many more)
Sources
Microsoft: Track changes to system files and registry keys – Microsoft Defender for Cloud | Microsoft Learn
Hello, what a good article. I just have the need to implement FIM but only for specific servers, not for an entire resource group, not for an entire subscription. In your article you mention that there are ways to include or exclude specific plans and add specific machines. Do you have any documentation on how to do that? Thank you.