Enabling FIM with Custom DCR

Hello all,

I'm trying to implement File Integrity Monitoring from Microsoft Defender for Cloud. With MMA, it is pretty much straightforward but with little granularity. With AMA, it comes with some granularity by using Data Collection Rules. In Microsoft's documentation, implementing FIM with AMA is only documented using the quick-fix method from Microsoft Defender for Cloud. According to the documentation, that method will create a default Log Analytics workspace, ChangeTracking and DCR.

I already have a custom DCR scoped at subscription level to install AMA on VMs, with my Log Analytics workspace as the data destination. My challenge at the moment is that FIM on Defender for Cloud does not recognize any custom DCR besides the default one it creates from the Microsoft Defender for Cloud recommendation quick fix.

Any suggestion will be appreciated.

Thank you,

Bola.

2 Replies

@Abimbola_Ojetokun

May I know whether the VM is under Azure? If yes, I suppose AMA is automatically installed as an extension after you deploy a Data Collection Rule (DCR) to Azure Monitor or a Sentinel data connector.

Yes. The VM is under Azure. Also, yes, AMA is automatically installed as an extension, as I deployed the DCR to Azure Monitor.