File Integrity Monitoring in Microsoft Defender for Cloud

File Integrity Monitoring (FIM) examines operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack.

Defender for Cloud recommends entities to monitor with FIM, and you can also define your own FIM policies or entities to monitor. FIM informs you about suspicious activity such as:

  • File and registry key creation or removal
  • File modifications (changes in file size, access control lists, and hash of the content)
  • Registry modifications (changes in size, access control lists, type, and content)

Many regulatory compliance standards require implementing FIM controls, such as PCI-DSS.

Which files should I monitor?

When choosing which files to monitor, consider the files that are critical for your system and applications. Monitor files that you don’t expect to change without planning. If you choose files that are frequently changed by applications or operating system (such as log files and text files) it will create noise, making it difficult to identify an attack.

Defender for Cloud provides the following list of recommended items to monitor based on known attack patterns:

Note

For the recommended items to monitor in FIM over Log Analytics, see Recommended items to monitor.

Linux Files Windows files Windows registry keys (HKLM = HKEY_LOCAL_MACHINE)
/bin C:\config.sys SOFTWARE\Microsoft\Cryptography\OID*
/bin/passwd C:\Windows\regedit.exe SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID*
/boot C:\Windows\System32\userinit.exe HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
/etc/*.conf C:\Windows\explorer.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
/etc/cron.daily C:\autoexec.bat HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
/etc/cron.hourly C:\boot.ini HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/etc/cron.monthly C:\Windows\system.ini HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
/etc/cron.weekly C:\Windows\win.ini SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
/etc/crontab SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\
/etc/init.d SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
/opt/sbin SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
/sbin SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
/usr/bin SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
/usr/local/bin SECURITY\POLICY\SECRETS
/usr/local/sbin
/usr/sbin
/bin/login
/opt/bin