Merge pull request #218206 from AlizaBernstein/WI-2004383-enable-FIM

v-dirichards · web-flow · commit 29dfffb04cf7 · 2022-12-08T09:40:51.000-06:00
Wi 2004383 enable fim
diff --git a/articles/defender-for-cloud/file-integrity-monitoring-enable-ama.md b/articles/defender-for-cloud/file-integrity-monitoring-enable-ama.md
@@ -4,14 +4,12 @@ description: Learn how to enable File Integrity Monitor when you collect data wi
 author: bmansheim
 ms.author: benmansheim
 ms.topic: how-to
-ms.date: 09/04/2022
+ms.date: 11/14/2022
 ---
 # Enable File Integrity Monitoring when using the Azure Monitor Agent
 
 To provide [File Integrity Monitoring (FIM)](file-integrity-monitoring-overview.md), the Azure Monitor Agent (AMA) collects data from machines according to [Data Collection Rules](../azure-monitor/essentials/data-collection-rule-overview.md). When the current state of your system files is compared with the state during the previous scan, FIM notifies you about suspicious modifications.
 
-FIM uses the Azure Change Tracking solution to track and identify changes in your environment. When File Integrity Monitoring is enabled, you have a **Change Tracking** resource of type **Solution**. Learn about [data collection for Change Tracking](../automation/change-tracking/overview.md#change-tracking-and-inventory-data-collection).
-
 File Integrity Monitoring with the Azure Monitor Agent offers:
 
 - **Compatibility with the unified monitoring agent** - Compatible with the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) that enhances security, reliability, and facilitates multi-homing experience to store data.
@@ -20,8 +18,11 @@ File Integrity Monitoring with the Azure Monitor Agent offers:
 - **Multi-homing experience** – Provides standardization of management from one central workspace. You can [transition from Log Analytics (LA) to AMA](../azure-monitor/agents/azure-monitor-agent-migration.md) so that all VMs point to a single workspace for data collection and maintenance.
 - **Rules management** – Uses [Data Collection Rules](https://azure.microsoft.com/updates/azure-monitor-agent-and-data-collection-rules-public-preview/) to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.
 
-> [!NOTE]
-> If you [remove the **Change Tracking** resource](../automation/change-tracking/remove-feature.md#remove-changetracking-solution), you will also disable the File Integrity Monitoring in Defender for Cloud.
+In this article you'll learn how to:
+
+   - [Enable File Integrity Monitoring with AMA](#enable-file-integrity-monitoring-with-ama)
+   - [Edit the list of tracked files and registry keys](#edit-the-list-of-tracked-files-and-registry-keys)
+   - [Exclude machines from File Integrity Monitoring](#exclude-machines-from-file-integrity-monitoring) 
 
 ## Availability
 
@@ -42,22 +43,21 @@ To track changes to your files on machines with AMA:
 
 ## Enable File Integrity Monitoring with AMA
 
-To enable File Integrity Monitoring (FIM):
-
-1. Use the FIM recommendation to select machines for file integrity monitoring:
-    1. From Defender for Cloud's sidebar, open the **Recommendations** page.
-    1. Select the recommendation [File integrity monitoring should be enabled on machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9b7d740f-c271-4bfd-88fb-515680c33440). Learn more about [Defender for Cloud recommendations](review-security-recommendations.md).
-    1. Select the machines that you want to use File Integrity Monitoring on, select **Fix**, and select **Fix X resources**.
-
-    The recommendation fix:
+To enable File Integrity Monitoring (FIM), use the FIM recommendation to select machines for file integrity monitoring:
 
-    - Installs the `ChangeTracking-Windows` or `ChangeTracking-Linux` extension on the machines.
-    - Generates a data collection rule (DCR) for the subscription, named `Microsoft-ChangeTracking-[subscriptionId]-default-dcr`, that defines what files and registries should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
-    - Creates a new Log Analytics workspace with the naming convention `defaultWorkspace-[subscriptionId]-fim` and with the default workspace settings.
+   1. From Defender for Cloud's sidebar, open the **Recommendations** page.
+   1. Select the recommendation [File integrity monitoring should be enabled on machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9b7d740f-c271-4bfd-88fb-515680c33440). Learn more about [Defender for Cloud recommendations](review-security-recommendations.md).
+   1. Select the machines that you want to use File Integrity Monitoring on, select **Fix**, and select **Fix X resources**.
 
-    You can update the DCR and Log Analytics workspace settings later.
+        The recommendation fix:
 
-1. From Defender for Cloud's sidebar, go to **Workload protections** > **File integrity monitoring**, and select the banner to show the results for machines with Azure Monitor Agent.
+        - Installs the `ChangeTracking-Windows` or `ChangeTracking-Linux` extension on the machines.
+        - Generates a data collection rule (DCR) for the subscription, named `Microsoft-ChangeTracking-[subscriptionId]-default-dcr`, that defines what files and registries should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
+        - Creates a new Log Analytics workspace with the naming convention `defaultWorkspace-[subscriptionId]-fim` and with the default workspace settings.
+   
+        You can update the DCR and Log Analytics workspace settings later.
+   
+ 1. From Defender for Cloud's sidebar, go to **Workload protections** > **File integrity monitoring**, and select the banner to show the results for machines with Azure Monitor Agent.
 
     :::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-banner.png" alt-text="Screenshot of banner in File integrity monitoring to show the results for machines with Azure Monitor Agent.":::
 
@@ -95,7 +95,8 @@ Every machine in the subscription that is attached to the DCR is monitored. You
 
 To exclude a machine from File Integrity Monitoring:
 
-- In the list of monitored machines in the FIM results, select the menu (**...**) for the machine and select **Detach data collection rule**.
+1.  In the list of monitored machines in the FIM results, select the menu (**...**) for the machine
+1. Select **Detach data collection rule**.
 
 :::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-detach-rule.png" alt-text="Screenshot of the option to detach a machine from a data collection rule and exclude the machines from File Integrity Monitoring." lightbox="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-detach-rule.png":::
 
diff --git a/articles/defender-for-cloud/file-integrity-monitoring-enable-log-analytics.md b/articles/defender-for-cloud/file-integrity-monitoring-enable-log-analytics.md
@@ -4,16 +4,18 @@ description: Learn how to enable File Integrity Monitoring when you collect data
 author: bmansheim
 ms.author: benmansheim
 ms.topic: how-to
-ms.date: 09/04/2022
+ms.date: 11/14/2022
 ---
-# Enable File Integrity Monitoring when using the Log Analytics agent
+# File Integrity Monitoring using the Log Analytics agent
 
 To provide [File Integrity Monitoring (FIM)](file-integrity-monitoring-overview.md), the Log Analytics agent uploads data to the Log Analytics workspace. By comparing the current state of these items with the state during the previous scan, FIM notifies you if suspicious modifications have been made.
 
-FIM uses the Azure Change Tracking solution to track and identify changes in your environment. When File Integrity Monitoring is enabled, you have a **Change Tracking** resource of type **Solution**. For data collection frequency details, see [Change Tracking data collection details](../automation/change-tracking/overview.md#change-tracking-and-inventory-data-collection).
+In this article, you'll learn how to:
 
-> [!NOTE]
-> If you remove the **Change Tracking** resource, you will also disable the File Integrity Monitoring feature in Defender for Cloud.
+- [Enable File Integrity Monitoring with the Log Analytics agent](#enable-file-integrity-monitoring-with-the-log-analytics-agent)
+- [Disable File Integrity Monitoring](#disable-file-integrity-monitoring)
+- [Monitor workspaces, entities, and files](#monitor-workspaces-entities-and-files)
+- [Compare baselines using File Integrity Monitoring](#compare-baselines-using-file-integrity-monitoring)
 
 ## Availability
 
@@ -26,15 +28,15 @@ FIM uses the Azure Change Tracking solution to track and identify changes in you
 
 ## Enable File Integrity Monitoring with the Log Analytics agent
 
-FIM is only available from Defender for Cloud's pages in the Azure portal. There is currently no REST API for working with FIM.
+FIM is only available from Defender for Cloud's pages in the Azure portal. There's currently no REST API for working with FIM.
 
 1. From the **Workload protections** dashboard's **Advanced protection** area, select **File integrity monitoring**.
 
    :::image type="content" source="./media/file-integrity-monitoring-overview/open-file-integrity-monitoring.png" alt-text="Screenshot of screenshot of opening the File Integrity Monitoring dashboard." lightbox="./media/file-integrity-monitoring-overview/open-file-integrity-monitoring.png":::
 
     The following information is provided for each workspace:
 
-    - Total number of changes that occurred in the last week (you may see a dash "-“ if FIM is not enabled on the workspace)
+    - Total number of changes that occurred in the last week (you may see a dash "-“ if FIM isn't enabled on the workspace)
     - Total number of computers and VMs reporting to the workspace
     - Geographic location of the workspace
     - Azure subscription that the workspace is under
@@ -45,25 +47,21 @@ FIM is only available from Defender for Cloud's pages in the Azure portal. There
 
     - ![Upgrade plan icon.][4] Upgrade the workspace to use enhanced security features. This icon indicates that the workspace or subscription isn't protected with Microsoft Defender for Servers. To use the FIM features, your subscription must be protected with this plan. For more information, see [Microsoft Defender for Cloud's enhanced security features](enhanced-security-features-overview.md).
 
-    - ![Enable icon][3] Enable FIM on all machines under the workspace and configure the FIM options. This icon indicates that FIM is not enabled for the workspace.
+    - ![Enable icon][3] Enable FIM on all machines under the workspace and configure the FIM options. This icon indicates that FIM isn't enabled for the workspace. If there's no enable or upgrade button, and the space is blank, it means that FIM is already enabled on the workspace.
 
         :::image type="content" source="./media/file-integrity-monitoring-overview/workspace-list-fim.png" alt-text="Screenshot of enabling FIM for a specific workspace.":::
 
-    > [!TIP]
-    > If there's no enable or upgrade button, and the space is blank, it means that FIM is already enabled on the workspace.
-
 1. Select **ENABLE**. The details of the workspace including the number of Windows and Linux machines under the workspace is shown.
 
     :::image type="content" source="./media/file-integrity-monitoring-overview/workspace-fim-status.png" alt-text="Screenshot of FIM workspace details page.":::
 
    The recommended settings for Windows and Linux are also listed.  Expand **Windows files**, **Registry**, and **Linux files** to see the full list of recommended items.
 
-1. Clear the checkboxes for any recommended entities you do not want to be monitored by FIM.
+1. Clear the checkboxes for any recommended entities you don't want to be monitored by FIM.
 
 1. Select **Apply file integrity monitoring** to enable FIM.
 
-> [!NOTE]
-> You can change the settings at any time. Learn more about [editing monitored entities](#edit-monitored-entities).
+You can change the settings at any time. Learn more about [editing monitored entities](#edit-monitored-entities).
 
 ### Disable File Integrity Monitoring
 
@@ -151,7 +149,7 @@ The **Changes** tab (shown below) lists all changes for the workspace during the
 
     The **Workspace Configuration** opens.
 
-1. One the **Workspace Configuration**:
+1. On the **Workspace Configuration**:
 
     1. Select the tab for the type of entity that you want to add: Windows registry, Windows files, Linux Files, file content, or Windows services. 
     1. Select **Add**. 
@@ -169,7 +167,7 @@ The **Changes** tab (shown below) lists all changes for the workspace during the
 Use wildcards to simplify tracking across directories. The following rules apply when you configure folder monitoring using wildcards:
 -   Wildcards are required for tracking multiple files.
 -   Wildcards can only be used in the last segment of a path, such as C:\folder\file or /etc/*.conf
--   If an environment variable includes a path that is not valid, validation will succeed but the path will fail when inventory runs.
+-   If an environment variable includes a path that isn't valid, validation will succeed but the path will fail when inventory runs.
 -   When setting the path, avoid general paths such as c:\*.* which will result in too many folders being traversed.
 
 ## Compare baselines using File Integrity Monitoring
@@ -187,7 +185,7 @@ The FIM registry hive defaults provide a convenient way to monitor recursive cha
 
 ### Add a custom registry check
 
-FIM baselines start by identifying characteristics of a known-good state for the operating system and supporting application.  For this example, we will focus on the password policy configurations for Windows Server 2008 and higher.
+FIM baselines start by identifying characteristics of a known-good state for the operating system and supporting application.  For this example, we'll focus on the password policy configurations for Windows Server 2008 and higher.
 
 |Policy Name                 | Registry Setting|
 |----------------------------|-----------------|
@@ -207,7 +205,8 @@ FIM baselines start by identifying characteristics of a known-good state for the
 
 To configure FIM to monitor registry baselines:
 
-- In the **Add Windows Registry for Change Tracking** window, in the **Windows Registry Key** text box, enter the following registry key:
+1. In the **Add Windows Registry for Change Tracking** window, select the **Windows Registry Key** text box.
+1. Enter the following registry key:
 
     ```
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
@@ -230,7 +229,7 @@ File Integrity Monitoring data resides within the Azure Log Analytics/Configurat
 
  1. Set a time range to retrieve a summary of changes by resource.
 
-    In the following example, we are retrieving all changes in the last fourteen days in the categories of registry and files:
+    In the following example, we're retrieving all changes in the last 14 days in the categories of registry and files:
 
     ```
     ConfigurationChange
@@ -241,7 +240,7 @@ File Integrity Monitoring data resides within the Azure Log Analytics/Configurat
 
 1. To view details of the registry changes:
 
-    1. Remove **Files** from the **where** clause, 
+    1. Remove **Files** from the **where** clause. 
     1. Remove the summarization line and replace it with an ordering clause:
 
     ```
diff --git a/articles/defender-for-cloud/file-integrity-monitoring-overview.md b/articles/defender-for-cloud/file-integrity-monitoring-overview.md
@@ -4,11 +4,13 @@ description: Learn about tracking changes to system files and registry keys with
 author: bmansheim
 ms.author: benmansheim
 ms.topic: how-to
-ms.date: 09/04/2022
+ms.date: 11/14/2022
 ---
 # File Integrity Monitoring in Microsoft Defender for Cloud
 
-File Integrity Monitoring (FIM) examines operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack. FIM lets you take advantage of [Change Tracking](../automation/change-tracking/overview.md) directly in Defender for Cloud. 
+File Integrity Monitoring (FIM) examines operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack.  
+
+FIM (file integrity monitoring) uses the Azure Change Tracking solution to track and identify changes in your environment. When FIM is enabled, you have a **Change Tracking** resource of type **Solution**. If you remove the **Change Tracking** resource, you'll also disable the File Integrity Monitoring feature in Defender for Cloud. FIM lets you take advantage of [Change Tracking](../automation/change-tracking/overview.md) directly in Defender for Cloud. For data collection frequency details, see [Change Tracking data collection details](../automation/change-tracking/overview.md#change-tracking-and-inventory-data-collection).
 
 Defender for Cloud recommends entities to monitor with FIM, and you can also define your own FIM policies or entities to monitor. FIM informs you about suspicious activity such as:
 
