Audit FIM Monitored Workspaces

Implementation Effort: Low – Requires enabling File Integrity Monitoring (FIM) and reviewing data in Log Analytics workspaces.

User Impact: Low – Auditing is performed by security teams; no direct impact on end users.

Overview

Auditing File Integrity Monitoring (FIM) in Microsoft Defender for Servers helps security teams track and analyze changes to critical system files, registries, and application components. FIM is available in Defender for Servers Plan 2 and uses the Microsoft Defender for Endpoint agent to collect telemetry from monitored machines. This data is stored in a Log Analytics workspace, specifically in the MDCFileIntegrityMonitoringEvents table, where it can be queried and analyzed for suspicious or unauthorized changes.

Administrators can audit FIM-monitored workspaces by setting time ranges, filtering by resource, and reviewing change metadata such as file paths, hash values, user accounts, and initiating processes. This helps identify potential threats, meet compliance requirements (e.g., PCI-DSS), and reduce the risk of undetected tampering.

This capability supports the "Assume Breach" principle of Zero Trust by ensuring continuous visibility into file-level changes that could indicate compromise or insider threats.

Reference

• Overview of File Integrity Monitoring in Microsoft Defender for Cloud
• Enable File Integrity Monitoring
• Review Machine Changes with File Integrity Monitoring