FIM (File Integrity Monitoring) arrives at Azure Security Center

Author: Rakesh Chitroda

Imagine a service that monitors any changes in your files and operating system records, as well as in your application files or any other type of file, to detect any indication of attack or infection... This exists and is already available as a preview in Azure Security Center.

FIM (File Integrity Monitoring) uses a comparison method: it detects variations between the current state of a file and its state at the previous scan, which helps us determine whether a modification is authorized and safe or whether we are facing a suspicious one.

The integration of FIM into Security Center monitors the integrity of Windows files and registry entries, as well as Linux files. It is as simple as enabling FIM and selecting, in a granular way, the files that we want monitored; Security Center will then be in charge of tracking:

  • Creation and deletion of files and registry keys.
  • File modifications (changes in size, access control lists and content hash)
  • Registry modifications (changes in size, access control lists, type, content, etc.)
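As an added illustration of the compare-against-previous-scan approach described above (example code written for this article, not Security Center's own implementation), here is a small Python script that baselines a directory and classifies later changes the way FIM does, by file hash, size and permission bits, on a constructed temporary directory:

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Record (size, permission bits, SHA-256) for every regular file under root."""
    state = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return state

def compare(previous, current):
    """Classify differences between two scans as FIM does: added, deleted, modified."""
    added = sorted(set(current) - set(previous))
    deleted = sorted(set(previous) - set(current))
    modified = {}
    for name in sorted(set(previous) & set(current)):
        (old_size, old_mode, old_hash), (new_size, new_mode, new_hash) = previous[name], current[name]
        reasons = []
        if old_hash != new_hash:
            reasons.append("content hash")
        if old_size != new_size:
            reasons.append("size")
        if old_mode != new_mode:
            reasons.append("permissions")
        if reasons:
            modified[name] = reasons
    return {"added": added, "deleted": deleted, "modified": modified}

def demo():
    """Constructed scenario: baseline a temp directory, make three kinds of change, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("port=8080\n")
        (root / "old.key").write_text("secret\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "hosts").chmod(0o644)
        baseline = snapshot(root)
        (root / "app.conf").write_text("port=9090\n")  # same size, so only the hash reveals it
        (root / "old.key").unlink()                    # deletion
        (root / "new.conf").write_text("debug=1\n")     # creation
        (root / "etc" / "hosts").chmod(0o600)           # permission (ACL-like) change
        return compare(baseline, snapshot(root))
```

Note that the edit to app.conf keeps the file size unchanged, so a monitor that only compared size or timestamps would miss it; the content hash is what catches it.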

FIM has its own predefined policies to allow us to start up the service quickly and easily, but it also allows us to define our own policies or entities to monitor. In this article we explain how to do it.

What files should I monitor?

When choosing files to monitor, the first thing we should do is think about the files that are critical to our system and applications. Choose files that we do not expect to change without prior planning. Keep in mind that choosing application or operating system files that change frequently (such as log and text files) can generate a lot of noise and make it difficult to identify an attack.

The Security Center itself will recommend which files we should monitor by default according to known attack patterns that include file and registry changes.

How to use FIM

  • Go to the Azure Security Center dashboard.
  • In the left menu, open Advanced Cloud Defense > File Integrity Monitoring.

After opening FIM we can see very relevant information for each workspace made up of Windows or Linux machines and virtual machines: the number of changes detected during the last week, or a notice that FIM is disabled for that workspace. It also shows the number of computers or virtual machines in each workspace, their geographic location and the Azure subscription they belong to.

Activate FIM

From the File Integrity Monitoring view, click the Enable button. A new view opens where we can see the number of Windows and Linux machines, as well as a series of recommended configurations for this workspace.

On the recommended configurations, we can expand "Windows Files, Registry and Linux Files" to see the complete list of recommendations. You can change these settings at any time.

Uncheck any recommendation that we do not want FIM to apply, and click on "Enable File Integrity Monitoring".

Let's get to know the FIM panel

The FIM control panel shows the workspaces with FIM enabled. When opening it, we see a simple summary of the machines connected to the workspace, but if we click on "Changes", we see more detailed information on the following points:

  • Total number of machines connected to the workspace
  • Total number of changes that have occurred during a given period of time:
    ◦ Last 30 minutes, last 1, 6 or 24 hours, or last 7 or 30 days.
  • Breakdown by type of change (files, registry)
  • Breakdown by category of change (modified, added, deleted)

We also have the Search option, which will allow us to find more comprehensive information, and if we click on any change, it will show us more detailed information. For example, here we see a change made to the registry:

Add, edit or delete a monitoring rule

  1. From the FIM panel, click on Settings at the top. The Workspace Configuration opens, where we can add new monitoring entities or edit existing ones.
  2. We will see three tabs: Windows Registry, Windows Files and Linux Files. Click on the tab for which we want to add a new entity, and then click on Add.
  3. Now we just have to complete the fields with the requested information; some are required. We show two examples, Windows Registry and Linux Files.

It is important to remember how we got here, because if we want to delete, edit or simply disable one of these rules, we must do it from this same place.

It is that simple to add extra security to our Windows and Linux machines: at all times we can monitor the integrity of our Windows and Linux files, as well as the Windows registry.