انتقل إلى المحتوى الرئيسي

Enable File Integrity Monitoring

Implementation Effort: Medium
Security and IT teams must ensure Defender for Servers Plan 2 is enabled, validate agent versions, and configure monitoring settings per environment.

User Impact: Low
File integrity monitoring is managed by administrators and security teams; end users are not directly involved.

Overview

File Integrity Monitoring (FIM) in Microsoft Defender for Servers helps detect unauthorized changes to critical files, system registries, and application configurations. It is a key capability for identifying potential attacks or policy violations in both Windows and Linux environments.

Prerequisites

  • Defender for Servers Plan 2 must be enabled.
  • Microsoft Defender for Endpoint agent must be installed via Defender for Servers extensions.
  • Non-Azure machines must be connected using Azure Arc.
  • Required permissions: Workspace Owner or Security Admin to enable/disable FIM; Reader to view results 1.

Supported Platforms and Agent Versions

  • Windows: Minimum version 10.8760 (Windows Server 2016/2019/2022)
  • Linux: Minimum version 30.124082
  • Agent updates are automatic if autoprovisioning is enabled; otherwise, manual updates may be required 1.

How to Enable File Integrity Monitoring

  1. Sign in to the Azure portal.
  2. Go to Microsoft Defender for Cloud > Environment settings.
  3. Select the relevant subscription.
  4. Under Defender for Servers, click Settings.
  5. In the File Integrity Monitoring section, toggle the switch to On.
  6. Click Edit configuration:
    • Select a Log Analytics workspace to store monitoring data.
    • Choose which Windows registry keys, Windows files, and Linux files to monitor 1.

Migration Note

If you're using legacy agents like Microsoft Monitoring Agent (MMA) or Azure Monitor Agent (AMA), migration to the new FIM experience is required. Defender for Servers Plan 2 and the Defender for Endpoint agent are mandatory for the updated FIM 2.

Failing to enable FIM can result in undetected tampering of critical system files, increasing the risk of persistent threats. This capability supports the "Assume Breach" principle of Zero Trust by ensuring visibility into unauthorized changes across server workloads.

Reference