Enable file integrity monitoring for Windows and Linux (FIM)on Azure

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. Microsoft have also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. In this article, I will show you how to enable File Integrity Monitoring and validate the integrity of your files in Windows and Linux machines so you can keep track of your files. Regulatory compliance standards such as PCI-DSS & ISO 17799 require implementing FIM controls.

You can refer link for details on how to enable it. It is fairly simple and can easily be done. Be mindful of additional costing of enabling defender on cloud. All cloud providers make you enable a ton of feature which ultimately lead to additional cost. More than the process of how to enable FIM, I was curious on how FIM actually works in backend, like reverse engineering the solution.

Need for FIM?

Some files shouldn’t change regularly, and if they are changed, that might be evidence of an attack. File Integrity Monitoring (FIM) is one of the advanced protection that is included in the Azure Security Center that falls under the Cloud Workload Protection Platform (CWPP) and Azure Defender for threat detection and response, which is something you must consider for your Windows and Linux systems whether they are running on Azure, on-premises or in other clouds.

File Integrity Monitoring (FIM) helps you to monitor the Windows registry and files of operating systems such as Windows and Linux application software and all the changes that might indicate an attack. FIM uses a comparison method to determine if the current state of the file is different from the last scan of the file. It can leverage this comparison to determine if valid or suspicious modifications have been made to your files.

File Integrity Monitoring in Azure Security Center monitors files that are enabled for activities such as Windows Files, Linux Files, and registry creation and removal, file modifications such as a change in the file size, access controllers, and the hash of the content. It also allows you to monitor registry modifications. Change in the size, access control list, type, and content of the registry key modification.