SOLVED

File Integrity Monitoring

Frequent Contributor

I have a large estate of Windows Enterprise 10 21H2 machines on-prem (not Azure VMs) running Windows Defender AV with endpoint protection enabled. I wish to monitor certain file for changes. I used do this with OSSEC but was wondering if I can do this with Defender? I see there is some capability for this in defender for cloud but I assume this only works for Azure deployed Windows instances?

5 Replies
best response confirmed by shocko (Frequent Contributor)
Solution

This feature requires Defender for Servers Plan 2.
Defender for Servers includes a Defender for Endpoint license, but also includes several other unrelated features, such as this File Integrity Monitoring.

Defender for Servers can be used with Azure Arc on machines outside of Azure,
but this does not support Windows Clients, so I don't think this works in your case.
https://docs.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#supported-environments (Even if you could use Defender for Servers, this would be very expensive since you would be billed per machines)

You could probably use plain old file system auditing for a good portion of this goal.
File system auditing easily bypassed by Malware. I think I might have to back to good old OSSEC ....
Thanks! I think I will have to look at a 3rd party solution here.
Do you have any links about malware bypassing file system auditing? I'm not familiar with those techniques. I just did some searching but only managed to get more information about auditing.