During Microsoft Ignite in November 2021, Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. They’ve also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.
In this article, we will show you how to enable File Integrity Monitoring and validate the integrity of your files on Windows and Linux machines so you can keep track of your files.
In This Article
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
2) Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
- Azure Defender for Resource Manager
Some files shouldn’t change regularly, and if they are changed, that might be evidence of an attack. File Integrity Monitoring (FIM) is one of the advanced protection that is included in the Azure Security Center that falls under the Cloud Workload Protection Platform (CWPP) and Azure Defender for threat detection and response, which is something you must consider for your Windows and Linux systems whether they are running on Azure, on-premises or in other clouds.
File Integrity Monitoring (FIM) helps you to monitor the Windows registry and files of operating systems such as Windows and Linux application software and all the changes that might indicate an attack. FIM uses a comparison method to determine if the current state of the file is different from the last scan of the file. It can leverage this comparison to determine if valid or suspicious modifications have been made to your files.
To follow this article, you need to have the following:
1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Azure Security Center – Azure Defender enabled. File integrity monitoring is part of the Azure Security Center standard tier.
3) Log Analytics Workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.
4) Azure storage account – To create a general-purpose storage account, follow the instructions described here.
5) Windows or Linux machines running on Azure VMs or on-premises with the Microsoft Monitoring Agent (MMA) installed and connected to the Log Analytics workspace.
Enable File Integrity Monitoring
By default, File Integrity Monitoring is going to be disabled on your workspace and you have to manually enable it. When you enable File Integrity Monitoring, you are targeting all the virtual machines that belong to a specific workspace. That’s why when you have multiple workspaces, you have to enable File Integrity Monitoring on each one of the workspaces.
To enable File Integrity Monitoring in Defender for Cloud, this should be done at the workspace level by following the steps below:
1) Open the Azure Portal and sign in with a user who has Security Admin privileges.
2) On the left navigation pane, click Security Center.
3) From the Security Center’s sidebar, under the ADVANCED CLOUD DEFENSE, open the File Integrity Monitoring page.
4) Choose the desired Log Analytics workspace for which you want to enable File Integrity Monitoring for your VMs. This depends on your configuration because, at this point, File Integrity Monitoring is going to retrieve all workspaces that are parts of this selected subscription, as well as the workspace that is not enabled in the standard tier.
Those workspaces were created and never upgraded to standard, they are still under the free tier, you have the option to ‘UPGRADE PLAN‘, which means that you first need to upgrade the workspace to standard, and then the button will change and you’re going to have the option to ‘ENABLE‘. In this example, we have a total of 4 servers that are connected to the workspace with a standard tier.
5) Once you enable and initialize File Integrity Monitoring on your workspace, it will take up to one hour to complete.
6) After nearly one hour when you click on the workspace, it is going to open up the File Integrity Monitoring dashboard and populate based on the results from the workspace. Notice here that I have 4 servers, again this could be Azure and Non-Azure machines (the icon color is the same (blue), I prefer to have the (purple) color for Non-Azure machines to be consistent with other Azure services such as ‘Azure Arc’, I hope that Microsoft will update the colors to differentiate between both).
In this example, the total changes were 641 (520 for Files and 121 for the Registry), and the other things that were also changed. I also want to make sure that you understand the experience that you are going to have. The ‘Settings‘ button won’t be active if you do not have the right privilege such as ‘Security Reader‘ to make changes.
7) When you click on ‘Settings‘, it comes straight to the blade shown below. This blade is where you are going to configure what you want to, basically, monitor. So everything shown here is recommended to monitor. Some things are enabled, and some others are not.
8) You can customize each one of those tabs. The Windows Registry, Windows files, the Linux files, the file content, and the Windows services. So you can customize it according to your own needs.
9) What I am interested to monitor here are Windows Files and Linux Files. To leverage the file content change tracking capability that allows you to view the file content of a changed file before and after the change, you have to enable that service by storing the file content data in a storage account.
10) Assuming you already have a general-purpose storage account provisioned in your subscription, click on the ‘File Content‘ tab and then click on ‘Link‘, then select the desired Azure subscription and provide your storage account name as shown in the screenshot below. Please note that by enabling this capability, you will incur additional costs based on the amount of data that will be uploaded to the storage account.
11) When you enable file content upload for all currently tracked files. This will update the “Upload File Content” column for all currently tracked file paths on the Windows and Linux file settings tabs from ‘false‘ to ‘true‘. Please note that ‘File Content‘ upload works only for ‘Windows Files‘ and ‘Linux Files‘ and NOT for ‘Windows Registry‘ or ‘Windows Services‘.
12) You can also add and remove file paths, as well as disable file content upload for an individual path. This will save storage capacity on your storage account and reduce your bill. So you have full flexibility on this level.
In this example, we will add a new custom path for Windows Files (C:\temp\*) as the ‘Folder‘ type with ‘Recursion‘ enabled. Please note that if recursion is enabled, then the ‘Path‘ must contain a wildcard at the end (*).
Now that the configuration is completed, you just need to wait and monitor for the file changes. In this example, I will put a couple of text files under C:\Temp\ folder on my Windows server to trigger the file changing capability.
Validate File Integrity Monitoring
Let’s say that you enabled this capability today, and then tomorrow you come back to the same File Integrity Monitoring dashboard and you start to look at the change. How can you see what is changed? You would need to click on the server name under the ‘Servers‘ tab.
This is going to create a query against your Log Analytics workspace and the query result is going to show what changed. And that’s an advanced capability because now you will go in and dig in to understand exactly what the changes were done.
To look for file configuration changes, in the Log Analytics workspace, you can run the query below. In this example, we can see two text files that were added and modified.
| where Computer == "ServerName"
| where ConfigChangeType in("Files")
| order by TimeGenerated
| render table
Now, if you just want to have a brief visualization of the change, you can come back to the same File Integrity Monitoring dashboard and then click on the ‘Changes‘ tab, there you will see all servers with all types of changes (files/registry), then you can search and just click on the line that you want to see the changes for. This is going to show the ‘Value Before‘ and the ‘Value after‘. What is shown in the screenshot below is, before I had all those things populated in this file, and now I have new changes (Value Before versus Value After).
So that’s another simple way to visualize the changes that were made instead of querying the Log Analytics workspace directly.
Tracking file content changes
Change Tracking and Inventory allows you to view the contents of a Windows or Linux file. As mentioned before, for each change to a file, Change Tracking and Inventory stores the contents of the file in an Azure Storage account. When you’re tracking a file, you can view its contents before or after a change by going to your Azure Automation Account | Configuration Management | Change tracking.
You can filter by Change Types (Daemons, Files, Registry, Software, Windows Services), and then click on the file that was modified as shown in the figure below.
Once you click on the file, you can see the change details by selecting ‘View File Content Changes‘ as shown in the figure below.
Then you can view the file content changes either inline or side by side as shown in the figure below. The red color means what was removed from the file, and the green color means what was added to the file.
At the time of this writing, change tracking for File Integrity Monitoring (FIM) in Azure Security Center requires an Azure Automation Account. You need to have an Azure automation account and then enable the service by going to your Azure Automation Account | Configuration Management | Change tracking.
This will enable consistent control and compliance of your VMs with Change Tracking and Inventory. This service is included with Azure virtual machines and Azure Arc machines. You only pay for logs stored in Log Analytics. This service requires both, a Log Analytics workspace which is already connected to Azure Security Center, and the Automation account where you enabled this service. Then make sure to enable ‘Change Tracking and Inventory‘ by selecting ‘Click to manage machines‘ as shown in the figure below.
This is a great capability of monitoring to keep track of your files including their Attributes and NTFS ACLs, especially for important servers so you can see all the changes that might indicate an attack.
How it works…
Turning on File Content Change Tracking and selecting a storage account will generate a shared access signature (SAS) URI that grants restricted write access to the selected storage account. The SAS URI will grant the Change Tracking service access to write file content resources to the storage account for a specified period. During the SAS URI generation, the container named “changetrackingblob” will be created in the selected storage account if it does not already exist as shown in the screenshot below.
A private access policy with write-only permission will be added to the container, and the SAS Url will be created with the access policy. The SAS Url can be revoked anytime by deleting the access policy or by turning off File Content Change Tracking.
If you open the container named “changetrackingblob“, you will see an individual blob under the name of each server as shown in the screenshot below.
If you drill and select any blob (server name), you will see all the files that are uploaded where Azure Security Center is keeping monitoring the changes. In this example, the new text files that were placed under the C:\temp\ folder on the Windows server are uploaded and shown below.
Then you click on any individual file here and download it directly from the blob.
File Integrity Monitoring in Azure Security Center monitors files that are enabled for activities such as Windows Files, Linux Files, registry creation and removal, file modifications such as a change in the file size, access controllers, and the hash of the content. It also allows you to monitor registry modifications. Change in the size, access control list, type, and content of the registry key modification.
It’s very important to emphasize that File Integrity Monitoring in Azure Security Center is based on the Azure Change Tracking solution.
How are you going to use File Integrity Monitoring to monitor your Windows and Linux machines in your environment? You are welcome to share your thoughts in the comment section below.
Additional resources I highly encourage you to check:
- Learn more about the enhanced Secure Score in Azure Security Center.
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
- Learn more about Azure Security Center, check the official documentation from Microsoft.
- Learn more about File Integrity Monitoring, check the official documentation from Microsoft.
- Learn how to export Azure Security Center Alerts and Recommendations.
- Workflow automation in Azure Security Center to automate your security response operations.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.