Azure File Integrity Monitoring for Enhanced System Assurance


File Integrity Monitoring (FIM) in Microsoft Defender for Cloud examines operating-system files and the Windows registry on your Windows and Linux machines for changes that may indicate an attack. It detects changes; it does not block them, so it sits alongside access control and patching rather than replacing them.

Comparing the current state of a file against a known-good baseline lets you spot tampering with configuration, binaries and registry keys, which matters most where sensitive data or regulated workloads are involved.

FIM records each change and surfaces the details (machine, path or key, change type, time) in your Log Analytics workspace, where you can query and alert on them.

Despite the name it is often given, this FIM does not monitor Azure Storage blobs, Azure Files shares or Azure Data Lake Storage. It covers the file system and registry of Azure VMs and Azure Arc-enabled servers protected by Defender for Servers.

Enable

FIM is a feature of the Defender for Servers plan (Plan 2) and is turned on from Microsoft Defender for Cloud in the Azure portal, under the plan's settings for a subscription.


You can enable FIM in the Azure portal by following these steps:

  1. Sign in to the Azure portal.
  2. Search for and select Microsoft Defender for Cloud.
  3. In the Defender for Cloud menu, select Environment settings.
  4. Select the relevant subscription.
  5. Locate the Defender for Servers plan and select Settings.
  6. In the File Integrity Monitoring section, switch the toggle to On. Then select Edit configuration.

The same toggle is also reachable from the subscription's Settings & monitoring page, under File Integrity Monitoring.

Machines still onboarded with the Log Analytics agent (now deprecated) used an older path: from the Workload protections dashboard, open the Advanced protection area, select File integrity monitoring and then ENABLE. The workspace details, including the number of Windows and Linux machines, were shown there.

FIM is managed only from Defender for Cloud's pages in the Azure portal; there is currently no REST API for working with it, so enabling and configuring it cannot be scripted through the API.

Disable

To turn FIM off for a subscription, reverse the enable steps: sign in to the Azure portal, open Microsoft Defender for Cloud, select Environment settings and then the relevant subscription. Locate the Defender for Servers plan, select Settings, switch the File Integrity Monitoring toggle to Off, and then select Apply, Continue and Save.


On the legacy Log Analytics agent version, FIM is disabled per workspace instead:

  • From the File Integrity Monitoring dashboard for the workspace, select Disable.
  • Select Remove.

This removes the Change Tracking solution, which the legacy version used to record and identify changes, from that workspace.

Configure FIM

Configuring FIM starts with enabling it on the subscription: go to Settings & monitoring and switch the File Integrity Monitoring toggle to On. You then define what to watch.

A FIM setup is added either from the add icon or by picking one of the default files or directories in the list. From the add icon you choose a file type, enter the base directory path and the name or pattern of the files to monitor, optionally add a description, and scope the setup to the assets it should apply to. Keep the scope tight: the narrower the set of monitored paths, the fewer benign changes you have to triage.


To duplicate an existing setup, click the duplicate icon next to the file path or directory you want to copy, adjust the file name or pattern, description and asset scoping as needed, and click SAVE.

Steps to add a FIM setup:

  1. Select a file type from the drop-down list.
  2. Enter the base directory path and the file name or pattern.
  3. Make sure Monitor is selected so the setup is active.
  4. Scope the setup by searching for and selecting the assets it should apply to.
  5. Click SAVE to apply the changes.

Steps to duplicate a FIM setup:

  1. Click the duplicate icon next to the file path or directory you want to copy.
  2. Adjust the file name or pattern, description and asset scoping.
  3. Make sure Monitor is still selected.
  4. Click SAVE to apply the changes.

Edit Monitored Entities

To edit what is monitored, open the File Integrity Monitoring dashboard for the workspace and select Settings from the toolbar. The Workspace Configuration opens with a tab for each type of entity that can be monitored (for example Windows registry, Windows files and Linux files).

Each tab lists the entities in that category and shows whether FIM is enabled for each (true) or not (false). Select an entity to open the Edit for Change Tracking pane and make your changes.

You can discard or save the changes. When editing an entity that is already monitored, confirm that Monitor is still selected; clearing it silently stops monitoring for that file or directory.

Why?


Why configure FIM at all? Because most intrusions leave traces in the file system or registry: a modified system binary, a new scheduled task, an altered sshd_config, a changed service key. FIM turns those traces into events you can act on.

Organizations use FIM to watch operating-system and directory-service files whose modification is rarely legitimate outside a change window. Because it compares state rather than matching signatures, it can also surface the side effects of an attack for which no signature exists yet, though only after the change has happened.

The core technique is straightforward: record a trusted baseline (a cryptographic hash plus attributes such as size, owner and permissions for each monitored file or key), rescan on a schedule or on change events, and report anything that differs. A baseline an attacker can rewrite is worthless, so it has to be stored and protected separately from the monitored system.

Implementations differ in how they detect change: periodic checksum comparison, digital-signature verification of vendor binaries, or real-time hooks into file-system events. The trade-off is coverage and latency against load on the monitored host.

FIM is also an explicit requirement of standards such as PCI DSS, and its evidence supports HIPAA integrity controls, so even organizations with modest threat models usually need it for compliance.
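The baseline-comparison technique described above, as an added example that is not Microsoft's or this article's code. It scopes monitoring the way a FIM setup does (a base directory, a filename pattern and a recursion option), records a SHA-256 baseline to a JSON file, rescans and classifies added, modified and deleted files, and treats a change whose new hash appears in a trusted set, a stand-in for a registry of known vendor patch hashes, as expected rather than as an alert. The directory layout, file contents and trusted hash are constructed for the demonstration; the pattern `*conf*` and all function names are assumptions of this example.

```python
"""Baseline-driven file integrity check, added as an illustration (not
Microsoft's or the article's code). Scope by base directory + filename
pattern, record a SHA-256 baseline, then classify added / modified /
deleted files on a later scan. Files, paths and the 'trusted' hash set
below are constructed for the demo."""
import fnmatch
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set


def sha256_of(path: Path) -> str:
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(base_dir: Path, pattern: str, recursive: bool = True) -> Dict[str, str]:
    """Map each in-scope file (path relative to base_dir) to its SHA-256.

    base_dir and pattern play the role of the 'base directory path' and
    'file pattern' fields of a FIM setup; 'recursive' is the usual option
    to include subdirectories.
    """
    candidates = base_dir.rglob("*") if recursive else base_dir.glob("*")
    return {
        p.relative_to(base_dir).as_posix(): sha256_of(p)
        for p in sorted(candidates)
        if p.is_file() and fnmatch.fnmatch(p.name, pattern)
    }


def compare(baseline: Dict[str, str], current: Dict[str, str],
            trusted: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Classify the difference between two snapshots.

    Added or modified files whose NEW hash is in 'trusted' (a stand-in for
    a registry of known vendor patch hashes) land in 'expected'; everything
    else in added/modified/deleted is an alert candidate.
    """
    out: Dict[str, List[str]] = {"added": [], "modified": [], "deleted": [], "expected": []}
    for rel, digest in current.items():
        if rel not in baseline:
            out["expected" if digest in trusted else "added"].append(rel)
        elif baseline[rel] != digest:
            out["expected" if digest in trusted else "modified"].append(rel)
    out["deleted"] = sorted(set(baseline) - set(current))
    return out


def demo(work_dir: Optional[Path] = None) -> Dict[str, List[str]]:
    """Constructed scenario: baseline, then a vendor patch, a tamper,
    a dropped file and a deletion. Returns the classification."""
    tmp = None
    if work_dir is None:
        tmp = tempfile.mkdtemp()
        work_dir = Path(tmp)
    try:
        etc = work_dir / "etc"
        (etc / "app").mkdir(parents=True, exist_ok=True)
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "app" / "settings.conf").write_text("debug=false\n")
        (etc / "hosts.conf").write_text("127.0.0.1 localhost\n")
        (etc / "notes.txt").write_text("not in scope\n")  # pattern excludes it

        # Record and persist the baseline. In practice store it off-host so an
        # attacker who can alter files cannot also rewrite the baseline.
        baseline = snapshot(etc, "*conf*")
        store = work_dir / "baseline.json"
        store.write_text(json.dumps(baseline, indent=1))

        # Later events on the host (all constructed):
        patched = "debug=false\nlog=syslog\n"
        (etc / "app" / "settings.conf").write_text(patched)         # vendor patch
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")    # tamper
        (etc / "app" / "backdoor.conf").write_text("exec=/tmp/x\n")  # dropped file
        (etc / "hosts.conf").unlink()                                 # deletion

        trusted = {hashlib.sha256(patched.encode()).hexdigest()}     # known-good patch hash
        return compare(json.loads(store.read_text()), snapshot(etc, "*conf*"), trusted)
    finally:
        if tmp:
            shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it classifies the four events into their buckets: the dropped file and the edited sshd_config are alert candidates, the deleted hosts.conf is reported, and the patched settings.conf is marked expected because its new hash is in the trusted set. Two caveats the page does not spell out: the baseline must live somewhere the monitored host cannot write, and a content hash alone misses metadata changes (ownership, permissions, ACLs), which a production tool records alongside the digest.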

Reporting


Reporting is where FIM pays off: the collected events let you track and analyze changes to files and registry keys on your machines. To summarize everything received in the last 14 days by machine:

    MDCFileIntegrityMonitoringEvents
    | where TimeGenerated > ago(14d)
    | summarize count() by Computer

The File Integrity Monitoring dashboard is shown for workspaces where FIM is enabled. It lists the number of machines connected to the workspace, the total number of changes in the selected time period, and a breakdown by change type and category, and lets you filter the time period.

To list registry changes in detail:

    MDCFileIntegrityMonitoringEvents
    | where TimeGenerated > ago(14d)
    | where MonitoredEntityType == 'Registry'
    | order by Computer, RegistryKey

The result is the full list of registry changes in that period, ordered by machine and key.


Events collected by the Microsoft Defender for Endpoint (MDE) sensor land in the Log Analytics workspace you selected, in the MDCFileIntegrityMonitoringEvents table. Anything you can express in KQL over that table can become a report: changes per resource, registry-only views, or a filter for the handful of paths you care about most.

The two queries above are the starting point. The same KQL can be saved in a workbook or used as the condition of a log search alert rule, so that a change to a sensitive path pages someone instead of waiting for the next report.

Setup and Integration

The Enable and Configure FIM sections above are the whole setup for Defender for Cloud's FIM: in the Azure portal, select the relevant subscription, locate the Defender for Servers plan, switch the File Integrity Monitoring toggle to On, then choose the files and registry keys to watch.

Where a console lets you define setups individually, the workflow is the one described under Configure FIM: add a setup from the add icon (file type, base directory path, file pattern) or pick a default file or directory from the list. To duplicate an existing setup, click View, click the duplicate icon for the file path or directory you want to copy, adjust the File Naming or Pattern field, and make sure Monitor is selected so monitoring stays enabled for it.

Enable FIM Integration

Enabling the FIM integration is the first step: in the subscription's Settings & monitoring page, switch File Integrity Monitoring to On. You reach that page from Microsoft Defender for Cloud: select Environment settings, then the relevant subscription.

Once it is on, configure it: pick the Log Analytics workspace where FIM data will be stored and select the files and registry keys to monitor. Choosing the workspace is a security decision in its own right, since whoever can write to that workspace can also erase the evidence; use one your security operations team controls, with retention that covers your investigation window.

The full sequence in the Azure portal:

  1. Sign in to the Azure portal.
  2. Search for and select Microsoft Defender for Cloud.
  3. Select Environment settings, then the relevant subscription.
  4. Locate the Defender for Servers plan and select Settings.
  5. In the File Integrity Monitoring section, switch the toggle to On, then select Edit configuration.
  6. Select the Log Analytics workspace where FIM data will be stored.
  7. Choose the files and registry keys you want monitored.
  8. Select Apply to save your changes.

Microsoft provides recommended sets of entities for Windows and Linux; start from those and clear the checkboxes for any recommended entities you do not want monitored, rather than building a list from scratch.

SIEM Integration

CimTrak is a third-party file integrity monitoring product, separate from Defender for Cloud, but the way it feeds a SIEM is representative. It sends system, application and file change data directly to the SIEM, which can then correlate change events with its other data streams for richer analysis.

The benefit is context and speed: a SIEM that knows which files changed, and when, can tie a suspicious logon or process launch to a specific configuration or binary change instead of treating it in isolation.

Alerts raised by the SIEM can be traced back to CimTrak's record of the event (who, what, when, how), which shortens root-cause analysis.

For Defender for Cloud's own FIM, the equivalent path is the Log Analytics workspace: Microsoft Sentinel running on the same workspace can query the MDCFileIntegrityMonitoringEvents table directly and build analytics rules on it.

Introduction and Overview


File Integrity Monitoring in Azure is a detective control: it monitors critical files and locations and analyzes changes to them, so suspicious modifications become security events rather than silent drift.

FIM is not only useful during an attack. Unexpected changes by administrators or automation (a relaxed permission, a disabled audit setting, a hand-edited configuration file) create exposure long before anyone exploits it, and FIM surfaces those as well, giving you a chance to fix them first.

FIM tracks modifications to the files it is scoped to, whether they belong to databases, servers, applications, network devices, directory servers or cloud workloads, and records what changed, when and how for each event.

The two use cases that drive most deployments:

  • Meet compliance requirements by monitoring critical files
  • Identify potential security issues by detecting suspicious file changes

Because FIM watches the specific files tied to an application, server or database, it reports changes directly and can notify you. Typical triggers are deletion of registry keys, deletion of files on Windows or Linux, and modification of files or of the Windows registry.

System Assurance


The System Integrity Assurance capabilities described in this section belong to CimTrak, the third-party product mentioned under SIEM Integration, and go beyond what Defender for Cloud's FIM offers. The common idea is a trusted baseline of allowed changes against which everything else is judged.

Real-time change detection and response means a deviation from the baseline is reported as it happens, not on the next scheduled scan, which shortens the window in which a tampered file goes unnoticed.

Integrated ticketing lets analysts classify each change (approved, expected, under investigation) so effort goes to the changes that matter instead of to the noise of routine updates.

The Trusted File Registry service reconciles known vendor updates and patches automatically, so a patch cycle does not produce a flood of alerts that an analyst has to clear by hand.

Key benefits of System Integrity Assurance:

  • True real-time change detection and response
  • Integrated ticketing capabilities for efficient change classification
  • Trusted File Registry service for automatic vendor update and patch reconciliation

Frequently Asked Questions

What is the difference between EDR and FIM?

EDR watches endpoint behaviour (processes, network connections, memory, user activity) to detect and respond to threats, known or not; FIM compares files and registry keys against a trusted baseline and reports what changed. They overlap but answer different questions: EDR tells you what ran, FIM tells you what was altered. In Defender for Cloud the two are linked, since FIM collects its data through the Defender for Endpoint sensor.

Margarita Champlin

Writer

Margarita Champlin is a seasoned writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for simplifying complex topics, she has established herself as a go-to expert in the field of technology. Her writing has been featured in various publications, covering a range of topics, including Azure Monitoring.
