Microsoft Defender for Cloud Blog

Introducing the new File Integrity Monitoring with Defender for Endpoint integration

GalFenig
Sep 24, 2024

As part of the Log Analytics agent deprecation, Defender for Servers has introduced a new simplification strategy aimed at significantly simplifying the onboarding process and the requirements for protecting servers in the cloud, while enhancing existing capabilities and adding new ones.

According to this strategy, all Defender for Servers capabilities are provided through Defender for Endpoint, cloud-native capabilities, or agentless scanning for VMs, without relying on either the Log Analytics Agent (MMA) or the Azure Monitor Agent (AMA).

This hybrid approach combines the strengths of agent-based and agentless protection, offering multi-layered security for servers. While the agent provides in-depth security and real-time detection and response, agentless and cloud-native capabilities deliver enhanced coverage and full visibility within hours, with no performance impact on machines. Security findings from both the agent-based and the agentless approaches are seamlessly integrated in Defender for Cloud, tailored to protect servers in multicloud environments.

 

The final and most complex piece of this puzzle is the release of File Integrity Monitoring (FIM) powered by Microsoft Defender for Endpoint, which marks a significant milestone in the Defender for Servers simplification journey. 

 

The new FIM solution based on Defender for Endpoint offers real-time monitoring on critical file paths and system files, ensuring that any changes indicating a potential attack are detected immediately. In addition, FIM offers built-in support for relevant regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance. 

 

Introducing the new FIM over MDE

The new version of File Integrity Monitoring (FIM) replaces the legacy experience based on Log Analytics Agent (MMA), which is set for deprecation. It introduces several significant improvements over the previous version: 

  • Ease of Onboarding: The new FIM version offers a simple onboarding process with Microsoft Defender for Endpoint as the only prerequisite, eliminating the need for additional solution configurations or collection rules. This makes it easy to integrate FIM into existing security frameworks. 
  • Built-in support for key security regulatory compliance standards: File Integrity Monitoring supports PCI-DSS, CIS, NIST, and other standards, allowing you to maintain compliance and meet industry requirements. 
  • Additional information about the user and the process that initiated the change: we added metadata for each change, namely the user and the process that initiated it. This information enhances security investigations of file alterations and is crucial when potential attacks and security threats originate in unauthorized file changes. 
  • Data Allowance Inclusion: For Defender for Servers Plan 2 customers, events collected for FIM powered by Defender for Endpoint are included in the data types that qualify for the 500MB data allowance benefit. 

While we have introduced multiple improvements in the new FIM version powered by Defender for Endpoint, we have also promised to preserve its core capability: continuous real-time monitoring. This key capability is crucial, providing instant monitoring of critical file paths and registry keys. The moment a change occurs, an event is generated and surfaced with the relevant information, enabling swift investigation and response and ensuring the ongoing security of your environment. 
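To show why the account and initiating-process fields matter in practice, here is an added example (not Microsoft code) that triages FIM change events using that metadata. The event fields, the allow-lists of expected processes and accounts, and the sample events are all constructed for the illustration; the field names are assumptions, and the real event schema in your workspace may differ.

```python
"""Triage FIM change events using the account and process metadata.

Added illustration, not Microsoft's code. The event fields, allow-lists and
sample events below are constructed for this example; the real event schema
in your workspace may differ.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class FimChange:
    path: str         # monitored file or registry key
    change_type: str  # "Created", "Modified" or "Deleted"
    account: str      # account that initiated the change (new metadata)
    process: str      # image path of the initiating process (new metadata)
    hostname: str


# Constructed allow-lists: processes and accounts expected to touch monitored
# paths on this hypothetical fleet (OS patching, package managers).
EXPECTED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\tiworker.exe",
    "/usr/bin/apt-get",
    "/usr/bin/dpkg",
}
EXPECTED_ACCOUNTS = {r"nt authority\system", "root"}

# Locations an ordinary user can write to; a process image launched from here
# that rewrites a monitored system file is a classic tampering pattern.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "/tmp/", "/dev/shm/")


def runs_from_user_writable_path(process: str) -> bool:
    p = process.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(change: FimChange) -> str:
    """Return 'expected', 'review' or 'investigate' for one change event.

    Without the account/process fields every change to a monitored path
    looks the same; with them, routine patching can be separated from
    hands-on edits and from tooling dropped into a temp directory.
    """
    proc = change.process.lower()
    acct = change.account.lower()
    if runs_from_user_writable_path(proc):
        return "investigate"
    if proc in EXPECTED_PROCESSES and acct in EXPECTED_ACCOUNTS:
        return "expected"
    if proc in EXPECTED_PROCESSES or acct in EXPECTED_ACCOUNTS:
        # Known process under an unexpected account, or a privileged account
        # driving an unknown process: not alarming by itself, but worth a look.
        return "review"
    return "investigate"


def summarize(changes: Iterable[FimChange]) -> dict[str, dict[str, int]]:
    """Count verdicts per host, so a noisy host stands out in a fleet."""
    per_host: dict[str, Counter] = defaultdict(Counter)
    for change in changes:
        per_host[change.hostname][triage(change)] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


SAMPLE_CHANGES = [  # constructed sample events, not real telemetry
    FimChange(r"C:\Windows\System32\drivers\etc\hosts", "Modified",
              r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe", "web01"),
    FimChange(r"C:\Windows\System32\drivers\etc\hosts", "Modified",
              r"CONTOSO\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "web01"),
    FimChange("/etc/passwd", "Modified", "root", "/usr/bin/dpkg", "db01"),
    FimChange("/etc/ssh/sshd_config", "Modified", "root", "/usr/bin/vim", "db01"),
]

if __name__ == "__main__":
    for change in SAMPLE_CHANGES:
        print(f"{change.hostname:6} {triage(change):12} {change.path} "
              f"by {change.account} via {change.process}")
    print(summarize(SAMPLE_CHANGES))
```

The allow-lists are the part you would maintain from your own patching and configuration-management tooling; the point of the example is that the same edit to the hosts file is routine when svchost.exe makes it under SYSTEM and an incident when an executable in a user's Temp folder makes it.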

 

Differences between the previous and the new FIM versions  

The improved FIM experience powered by Defender for Endpoint replaces a legacy experience that is set for deprecation with the Log Analytics Agent (MMA) retirement. The two versions differ in several respects:

  • Agent platform
    • Legacy FIM (MMA): Log Analytics (MMA + Change Tracking extension)
    • New version (Defender for Endpoint): Defender for Endpoint (as part of Defender for Servers' integration)
  • Experience
    • Legacy FIM (MMA): Defender for Cloud + Change Tracking
    • New version (Defender for Endpoint): Native in Microsoft Defender for Cloud
  • Enablement scope (including defining monitoring rules)
    • Legacy FIM (MMA): Workspace
    • New version (Defender for Endpoint): Subscription
  • Data store for change logs
    • Legacy FIM (MMA): Workspace of enablement
    • New version (Defender for Endpoint): Workspace defined by customer
  • Change information
    • Legacy FIM (MMA): File and change information
    • New version (Defender for Endpoint): File and change information; account and initiating process details
  • Full customization of files/folders/keys
    • Legacy FIM (MMA): Available
    • New version (Defender for Endpoint): Not supported at this stage
  • Compliance validation through Regulatory Compliance
    • Legacy FIM (MMA): Not available
    • New version (Defender for Endpoint): Available
  • FIM data as part of the 500-MB benefit
    • Legacy FIM (MMA): FIM data not included
    • New version (Defender for Endpoint): FIM data included in supported data types

How can I migrate to FIM powered by MDE?

To help you seamlessly migrate your previous set of monitoring rules from the MMA-based FIM to the new FIM version powered by Defender for Endpoint, we’ve introduced an in-product migration experience, which is accessible from the FIM management blade.  

 

This migration experience allows you to review the current environments with legacy FIM enabled, export your legacy FIM rules, and migrate to the new File Integrity Monitoring on subscriptions with Defender for Servers Plan 2 enabled.

 

File Integrity Monitoring powered by Defender for Endpoint is a configuration that is enabled on your Azure subscription, unlike the legacy FIM, which was enabled on a Log Analytics workspace. It comes with default monitoring rules that you can enable as you prefer, but you can also migrate existing, workspace-based FIM settings to your Azure subscription. The new FIM migration experience is designed to support you with this process.

 

Figure 1 – Click this banner to access the FIM migration experience

As part of the migration, there are several considerations to take into account: 

  1. The migration tool allows you to transfer existing monitoring rules to the new File Integrity Monitoring. Custom and legacy built-in rules that are not part of the new experience cannot be migrated, but you can export them into a JSON file. 
  2. The migration tool will list all machines in a subscription versus all machines that have been onboarded to the legacy FIM. Since onboarding previously required MMA to be connected to your Log Analytics workspace, machines that were not connected via MMA but which had Defender for Servers Plan 2 enabled did not benefit from FIM in the legacy experience. As soon as the new FIM is enabled on your Azure subscription, all machines underneath this scope will benefit from File Integrity Monitoring. 
  3. While the new FIM does not require an agent connection to a Log Analytics workspace, the migration tool will ask you for a source and a target workspace.
    • The source workspace is the one from which existing rules are transferred into the new FIM. 
    • The target workspace is the workspace that Defender for Cloud writes change logs to as soon as a monitored file or registry key has been changed. 
  4. Once the new FIM is enabled on your subscription, all machines underneath this scope will be covered by the same FIM rules. In order to exempt individual machines from FIM coverage, you can downgrade some of them to Defender for Servers Plan 1 by leveraging the resource-level onboarding capability of Defender for Servers.

You can start the migration wizard by clicking the Take Action button, or by changing the navigation tab to Migrate to the new FIM. 

 

Figure 2 – Start the FIM migration experience

Once you open the migration wizard, it will show you all subscriptions that currently host machines which are configured for the legacy FIM.

The Total machines on subscription column indicates the total number of machines (Azure VMs and non-Azure machines connected via Azure Arc) in that subscription, whereas the Machines configured for FIM column shows the number of machines that are configured for the legacy FIM experience. In other words, these are the machines that have MMA deployed and connected to the FIM-enabled workspace shown in the Related workspaces column. 

Please note that there might be multiple workspaces in this column as machines in one subscription can be connected to different workspaces that have the legacy File Integrity Monitoring solution configured. 

 

In order to start the migration for your subscription, click the Migrate link, as shown below. 

 

Figure 3 – Start the migration for one subscription

The wizard will show you a detailed list of all machines that are connected to a legacy FIM workspace. Machines that are currently not connected to a workspace and, therefore, don’t benefit from the legacy FIM are also reflected. 

 

Figure 4 – Review machines of the selected subscription

When you click Next, the wizard lets you review the current configuration on the workspace you select as the migration source. You can switch between the tabs to review the Windows registry, Windows file, and Linux file rules. 

The Can be migrated column will indicate if the specific rule that was found on the workspace can be migrated to the new FIM solution. Rules that cannot be migrated can be either custom rules created by the customers, or legacy built-in rules that are not part of the new experience. 

For further reference, you can export the current configuration by clicking on the Save workspace settings as file link. It will then generate a JSON file that will be downloaded to your device. 

 

Figure 5 – Review current settings and export to JSON file
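Because custom rules and retired built-ins are exported rather than migrated, it is worth knowing before you click Migrate which monitored paths will drop out of coverage. The following added example (not Microsoft's migration tool) triages an exported rule file against the new default rule set. The export format is an assumption (a JSON list of rules with "name", "type", "path" and "builtIn" fields), and NEW_FIM_BUILTIN is a constructed placeholder for the new FIM's default rules; replace both with what the portal actually gives you.

```python
"""Triage an exported legacy FIM rule file before migrating.

Added example; it is not Microsoft's migration tool. The export format is an
assumption (a JSON list of rules with "name", "type", "path" and "builtIn"
fields), and NEW_FIM_BUILTIN is a constructed placeholder for the new FIM's
default rule set. Replace both with what the portal actually gives you.
"""
import json

# Constructed placeholder for the new FIM default rules, as (type, path).
NEW_FIM_BUILTIN = {
    ("file", r"c:\windows\system32\drivers\etc\hosts"),
    ("file", "/etc/passwd"),
    ("file", "/etc/ssh/sshd_config"),
    ("registry", r"hkey_local_machine\software\microsoft\windows\currentversion\run"),
}


def normalize(rule_type: str, path: str) -> tuple[str, str]:
    """Case-insensitive key; Windows paths and registry keys are not case-sensitive."""
    return rule_type.strip().lower(), path.strip().lower()


def classify(rule: dict) -> str:
    """'migrates' when the new FIM has the same built-in rule; otherwise say why not."""
    if normalize(rule["type"], rule["path"]) in NEW_FIM_BUILTIN:
        return "migrates"
    # Custom rules and legacy built-ins absent from the new experience cannot be
    # migrated; they can only be exported for reference.
    return "legacy-builtin" if rule.get("builtIn", False) else "custom"


def plan_migration(export_json: str) -> dict[str, list[str]]:
    """Group every exported rule path by what the wizard will do with it."""
    plan: dict[str, list[str]] = {"migrates": [], "legacy-builtin": [], "custom": []}
    for rule in json.loads(export_json):
        plan[classify(rule)].append(rule["path"])
    return plan


def coverage_gaps(plan: dict[str, list[str]]) -> list[str]:
    """Paths that stop being monitored once the legacy solution is disabled."""
    return plan["custom"] + plan["legacy-builtin"]


SAMPLE_EXPORT = json.dumps([  # constructed sample export, not a real file
    {"name": "hosts", "type": "File",
     "path": r"C:\Windows\System32\drivers\etc\hosts", "builtIn": True},
    {"name": "passwd", "type": "File", "path": "/etc/passwd", "builtIn": True},
    {"name": "Run key", "type": "Registry",
     "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "builtIn": True},
    {"name": "web config", "type": "File",
     "path": r"C:\inetpub\wwwroot\web.config", "builtIn": False},
    {"name": "old builtin", "type": "File",
     "path": r"C:\Windows\System32\drivers\etc\networks", "builtIn": True},
])

if __name__ == "__main__":
    plan = plan_migration(SAMPLE_EXPORT)
    for verdict, paths in plan.items():
        print(f"{verdict:15} {paths}")
    print("coverage gaps:", coverage_gaps(plan))
```

The coverage-gap list is the input to the decision the article leaves to you: whether the paths that will not carry over need another control until full customization is supported.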

When scrolling further down, the Migrate settings blade also allows you to select the target workspace, into which change logs are exported. You can either select the same workspace you are migrating from, or select a different workspace.

 

Figure 6 – Select the target workspace for change logs

With a click on Next, the wizard takes you to the final blade which will show a summary of settings that will be migrated to the new FIM experience, and you can finalize the migration by clicking the Migrate button. 

 

Figure 7 – Finalize the migration

Once you finalize the migration, the subscription will be removed from the migration wizard start page and migrated rules will be applied. 

Note that the migration wizard will only enable selected monitoring rules on your subscription; you cannot rerun the wizard to migrate rules from additional or multiple workspaces to the same subscription.

 

As a final step, you should disable the legacy File Integrity Monitoring solution or, alternatively, remove the Log Analytics Agent from your environment.

 

Q&A

How can I disable the legacy FIM solution in the workspace? 

In order to disable the legacy FIM solution, please refer to the documented guidance for Log Analytics Agent (MMA) or Azure Monitor Agent (AMA). 

 

How can I remove Log Analytics agent as part of Defender for Cloud? 

In order to remove the agent from your machines, you need to follow these two steps: 

  1. Disable Log Analytics auto-provisioning on your subscription. 
  2. Remove the agent by using the Log Analytics agent removal utility.

 

Is an MDE/Sense agent update required to receive the new FIM experience over Defender for Endpoint (MDE)? 

No. As long as MDE integration is enabled on the subscription and the agent is installed successfully on the machine, customers can onboard and use the FIM experience. Customers can use this workbook to view MDE enablement status in their environment: https://aka.ms/DfServersDashboard 

 

What permissions are required to enable File Integrity Monitoring, or to migrate to the new solution?

The account that is used to enable File Integrity Monitoring, or to migrate settings to the new solution requires the following set of permissions:

  • On the target subscription, Security Admin permissions need to be assigned.
  • On the target workspace, Owner permissions need to be assigned.
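A quick pre-flight check saves a failed wizard run. The following added example (not Microsoft code) takes role assignments in the shape returned by `az role assignment list` (only the roleDefinitionName and scope fields are used), and reports whether Security Admin is held on the target subscription and Owner on the target workspace, honouring Azure RBAC scope inheritance so that an Owner assignment at subscription level also satisfies the workspace requirement. The subscription ID, workspace resource ID and sample assignments are placeholders constructed for the example.

```python
"""Pre-flight check for the permissions the FIM migration needs.

Added example, not Microsoft's code. Reads role assignments in the shape
`az role assignment list` returns (roleDefinitionName, scope) and checks
Security Admin on the subscription and Owner on the workspace, honouring
RBAC scope inheritance. All IDs and assignments below are placeholders.
"""
import json

# Roles that satisfy each required role (Owner is a superset of both).
SATISFIES = {
    "Security Admin": {"Security Admin", "Owner"},
    "Owner": {"Owner"},
}


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if an assignment at assignment_scope applies to target_scope.

    Azure RBAC inherits down the resource hierarchy, so an assignment on the
    subscription also applies to a workspace inside it. Management-group
    assignments are not resolved here, because the scope string alone does
    not say which subscriptions the group contains.
    """
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    if a == "":  # the tenant root scope "/"
        return True
    return t == a or t.startswith(a + "/")


def has_role(assignments: list[dict], required_role: str, target_scope: str) -> bool:
    return any(
        asg["roleDefinitionName"] in SATISFIES[required_role]
        and scope_covers(asg["scope"], target_scope)
        for asg in assignments
    )


def missing_permissions(assignments: list[dict], subscription_id: str,
                        workspace_id: str) -> list[str]:
    """Return the requirements from the article that are not met, if any."""
    sub_scope = f"/subscriptions/{subscription_id}"
    required = [("Security Admin", sub_scope), ("Owner", workspace_id)]
    return [f"{role} on {scope}" for role, scope in required
            if not has_role(assignments, role, scope)]


def load_assignments(az_json: str) -> list[dict]:
    """Parse the JSON printed by `az role assignment list --output json`."""
    return json.loads(az_json)


SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder
WORKSPACE = (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-logs/providers/"
             "Microsoft.OperationalInsights/workspaces/law-fim")  # placeholder

SAMPLE_ASSIGNMENTS = [  # constructed; mimics the fields az returns
    {"roleDefinitionName": "Security Admin", "scope": f"/subscriptions/{SUBSCRIPTION}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-logs"},
]

if __name__ == "__main__":
    gaps = missing_permissions(SAMPLE_ASSIGNMENTS, SUBSCRIPTION, WORKSPACE)
    print("missing:", gaps or "none")
```

In the sample, Security Admin on the subscription is present but Contributor on the resource group does not satisfy the Owner requirement on the workspace, so the check reports that one gap. To run it against a real account, feed the output of `az role assignment list --assignee <user> --all --output json` to `load_assignments`.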

 

Acknowledgements

Special thanks to Tom Janetscheck, Senior Product Manager for the collaboration on this article.

Updated Sep 24, 2024
Version 1.0
  • SethDunn
    Copper Contributor

    Is it somehow possible, or will it be possible, to select different files and folders with the new FIM?
    We use it in my company, and with the old version we could monitor our folders that held our web code. Under the new FIM it is no longer possible. Not really good at all since it only allows a handful of files, and those are in the Windows folder.