File Integrity Monitoring


I have a large estate of Windows Enterprise 10 21H2 machines on-prem (not Azure VMs) running Windows Defender AV with endpoint protection enabled. I wish to monitor certain files for changes. I used to do this with OSSEC but was wondering if I can do this with Defender? I see there is some capability for this in Defender for Cloud but I assume this only works for Azure-deployed Windows instances?

2 Replies

This feature requires Defender for Servers Plan 2.
Defender for Servers includes a Defender for Endpoint license, but also includes several other unrelated features, such as this File Integrity Monitoring.

Defender for Servers can be used with Azure Arc on machines outside of Azure,
but this does not support Windows Clients, so I don't think this works in your case.
https://docs.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#supported-environments (Even if you could use Defender for Servers, this would be very expensive since you would be billed per machine)

You could probably use plain old file system auditing for a good portion of this goal.
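As an added illustration of the "plain old file system auditing" suggestion (this is not code from the thread or from Microsoft), the script below enables the File System audit subcategory, puts a SACL on one watched file so that writes, deletes and permission changes are audited, and then reads back the resulting 4663 events from the Security log. It assumes an elevated PowerShell session and uses a constructed placeholder path in $WatchedFile.

```powershell
# Added example, not from the original thread. Run in an elevated session.
$WatchedFile = 'C:\inetpub\wwwroot\web.config'   # constructed placeholder path

# 1. Turn on the "File System" advanced audit subcategory (both success and failure),
#    otherwise SACL entries on files produce no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so that anyone writing, deleting or re-permissioning the file is audited.
$acl    = Get-Acl -Path $WatchedFile -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchedFile -AclObject $acl

# Helper: turn an event's EventData into a Name -> value map, so fields are read by name
# rather than by positional index.
function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 3. Pull event 4663 ("An attempt was made to access an object") for the watched file
#    from the last 24 hours and show who touched it, from which process, with which access mask.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d['ObjectName'] -eq $WatchedFile) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process    = $d['ProcessName']
                AccessMask = $d['AccessMask']   # e.g. 0x2 = WriteData, 0x10000 = DELETE
            }
        }
    } | Format-Table -AutoSize
```

Forwarding the Security log (Windows Event Forwarding or a SIEM agent) is what turns this from a local audit trail into something closer to what OSSEC provided centrally.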