
Commit 5aeb27a

Merge pull request #210175 from bmansheim/fim-for-ama
Enable File Integrity Monitoring for use with AMA
2 parents f18fdae + dc462cb commit 5aeb27a

20 files changed, +420 −309 lines changed

.openpublishing.redirection.defender-for-cloud.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -710,6 +710,11 @@
710710
"redirect_url": "/azure/defender-for-cloud/defender-for-containers-usage",
711711
"redirect_document_id": true
712712
},
713+
{
714+
"source_path_from_root": "/articles/defender-for-cloud/file-integrity-monitoring-usage.md",
715+
"redirect_url": "/azure/defender-for-cloud/file-integrity-monitoring-enable-log-analytics",
716+
"redirect_document_id": true
717+
},
713718
{
714719
"source_path_from_root": "/articles/defender-for-cloud/release-notes.md#auto-deployment-of-azure-monitor-agent-preview",
715720
"redirect_url": "/azure/defender-for-cloud/release-notes#azure-monitor-agent-integration-now-in-preview",
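Review bot: the retired file-integrity-monitoring-usage.md is redirected to file-integrity-monitoring-enable-log-analytics rather than to the new AMA page, which matches the TOC change in this PR (the old "usage" entry becomes the Log Analytics agent entry), but with `"redirect_document_id": true` the old page's document id follows only the Log Analytics page, so the AMA page starts with a fresh id; confirm that is intended. Also confirm that `/articles/defender-for-cloud/file-integrity-monitoring-enable-log-analytics.md` is actually added or renamed in this PR, since that file does not appear among the hunks shown here and a redirect to a missing target breaks the build.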

articles/defender-for-cloud/TOC.yml

Lines changed: 6 additions & 3 deletions
@@ -206,7 +206,7 @@
206206
displayName: hybrid, arc, Defender for Servers
207207
items:
208208
- name: Overview
209-
displayName: VM, JIT, plan 1, plan 2, plans, vulnerability assessment, threat management, defender for endpoint, vulnerability scanner, Qualys, FIM, File integrity monitoring, adaptive application controls, adaptive network hardening, docker, fileless attack detection, auditd, simulate alerts
209+
displayName: VM, JIT, plan 1, plan 2, plans, vulnerability assessment, threat management, defender for endpoint, vulnerability scanner, Qualys, FIM, File Integrity Monitoring, adaptive application controls, adaptive network hardening, docker, fileless attack detection, auditd, simulate alerts
210210
href: defender-for-servers-introduction.md
211211
- name: Apply Azure security baselines
212212
displayName: VM, guest configuration, vulnerabilities, ASB, benchmark
@@ -255,9 +255,12 @@
255255
- name: Overview
256256
displayName: fim, change
257257
href: file-integrity-monitoring-overview.md
258-
- name: Compare baselines using file integrity monitoring
258+
- name: Enable File Integrity Monitor with the Log Analytics agent
259259
displayName: fim, change
260-
href: file-integrity-monitoring-usage.md
260+
href: file-integrity-monitoring-enable-log-analytics.md
261+
- name: Enable File Integrity Monitor with the Azure Monitor Agent
262+
displayName: fim, change
263+
href: file-integrity-monitoring-enable-ama.md
261264
- name: Improve your network security posture
262265
displayName: anh, adaptive network hardening
263266
href: adaptive-network-hardening.md
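Review bot: the two new TOC titles read "Enable File Integrity Monitor with ..." while the new article's H1 and `title` metadata say "File Integrity Monitoring"; suggest `- name: Enable File Integrity Monitoring with the Azure Monitor Agent` (and the same wording for the Log Analytics agent entry) so the TOC matches the page titles. The removed entry "Compare baselines using file integrity monitoring" also carried the only "baseline" keyword in this part of the TOC; if the baseline-comparison content still lives in the Log Analytics page, consider adding `baseline` to that entry's `displayName` so it stays findable.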

articles/defender-for-cloud/auto-deploy-azure-monitoring-agent.md

Lines changed: 1 addition & 0 deletions
@@ -125,3 +125,4 @@ Now that you enabled the Azure Monitor Agent, check out the features that are su
125125
- [Endpoint protection assessment](endpoint-protection-recommendations-technical.md)
126126
- [Adaptive application controls](adaptive-application-controls.md)
127127
- [Fileless attack detection](defender-for-servers-introduction.md#plan-features)
128+
- [File Integrity Monitoring](file-integrity-monitoring-enable-ama.md)

articles/defender-for-cloud/defender-for-cloud-introduction.md

Lines changed: 1 addition & 1 deletion
@@ -75,7 +75,7 @@ For example, if you've [connected an Amazon Web Services (AWS) account](quicksta
7575

7676
- **Defender for Cloud's CSPM features** extend to your AWS resources. This agentless plan assesses your AWS resources according to AWS-specific security recommendations and these are included in your secure score. The resources will also be assessed for compliance with built-in standards specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices). Defender for Cloud's [asset inventory page](asset-inventory.md) is a multicloud enabled feature helping you manage your AWS resources alongside your Azure resources.
7777
- **Microsoft Defender for Kubernetes** extends its container threat detection and advanced defenses to your **Amazon EKS Linux clusters**.
78-
- **Microsoft Defender for Servers** brings threat detection and advanced defenses to your Windows and Linux EC2 instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.
78+
- **Microsoft Defender for Servers** brings threat detection and advanced defenses to your Windows and Linux EC2 instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), File Integrity Monitoring (FIM), and more.
7979

8080
Learn more about connecting your [AWS](quickstart-onboard-aws.md) and [GCP](quickstart-onboard-gcp.md) accounts to Microsoft Defender for Cloud.
8181

articles/defender-for-cloud/defender-for-servers-introduction.md

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ The following table summarizes what's included in each plan.
4343
| **Log Analytics 500 MB free data ingestion** | Defender for Cloud leverages Azure Monitor to collect data from Azure VMs and servers, using the Log Analytics agent. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
4444
| **Threat detection** | Defender for Cloud detects threats at the OS level, network layer, and control plane. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
4545
| **Adaptive application controls (AAC)** | [AACs](adaptive-application-controls.md) in Defender for Cloud define allowlists of known safe applications for machines. | |:::image type="icon" source="./media/icons/yes-icon.png"::: |
46-
| **File integrity monitoring (FIM)** | [FIM](file-integrity-monitoring-overview.md) (change monitoring) examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
46+
| **File Integrity Monitoring (FIM)** | [FIM](file-integrity-monitoring-overview.md) (change monitoring) examines files and registries for changes that might indicate an attack. A comparison method is used to determine whether suspicious modifications have been made to files. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
4747
| **Just-in-time VM access for management ports** | Defender for Cloud provides [JIT access](just-in-time-access-overview.md), locking down machine ports to reduce the machine's attack surface.| | :::image type="icon" source="./media/icons/yes-icon.png"::: |
4848
| **Adaptive network hardening** | Filtering traffic to and from resources with network security groups (NSG) improves your network security posture. You can further improve security by [hardening the NSG rules](adaptive-network-hardening.md) based on actual traffic patterns. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
4949
| **Docker host hardening** | Defender for Cloud assesses containers hosted on Linux machines running Docker containers, and compares them with the Center for Internet Security (CIS) Docker Benchmark. [Learn more](harden-docker-hosts.md). | | :::image type="icon" source="./media/icons/yes-icon.png"::: |
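Review bot: this row now capitalizes "File Integrity Monitoring (FIM)" while the neighbouring row in the same hunk keeps "Adaptive application controls (AAC)" in sentence case, and the same pairing appears in the defender-for-cloud-introduction.md hunk above; pick one convention for feature names across the plan table and the intro list rather than changing only FIM.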
Lines changed: 110 additions & 0 deletions
@@ -0,0 +1,110 @@
1+
---
2+
title: Enable File Integrity Monitoring (Azure Monitor Agent)
3+
description: Learn how to enable File Integrity Monitor when you collect data with the Azure Monitor Agent (AMA)
4+
author: bmansheim
5+
ms.author: benmansheim
6+
ms.topic: how-to
7+
ms.date: 09/04/2022
8+
---
9+
# Enable File Integrity Monitoring when using the Azure Monitor Agent
10+
11+
To provide [File Integrity Monitoring (FIM)](file-integrity-monitoring-overview.md), the Azure Monitor Agent (AMA) collects data from machines according to [Data Collection Rules](../azure-monitor/essentials/data-collection-rule-overview.md). When the current state of your system files is compared with the state during the previous scan, FIM notifies you about suspicious modifications.
12+
13+
FIM uses the Azure Change Tracking solution to track and identify changes in your environment. When File Integrity Monitoring is enabled, you have a **Change Tracking** resource of type **Solution**. Learn about [data collection for Change Tracking](../automation/change-tracking/overview.md#change-tracking-and-inventory-data-collection).
14+
15+
File Integrity Monitoring with the Azure Monitor Agent offers:
16+
17+
- **Compatibility with the unified monitoring agent** - Compatible with the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) that enhances security, reliability, and facilitates multi-homing experience to store data.
18+
- **Compatibility with tracking tool**- Compatible with the Change tracking (CT) extension deployed through the Azure Policy on the client's virtual machine. You can switch to Azure Monitor Agent (AMA), and then the CT extension pushes the software, files, and registry to AMA.
19+
- **Simplified onboarding**- You can [onboard FIM](#enable-file-integrity-monitoring-with-ama) from Microsoft Defender for Cloud.
20+
- **Multi-homing experience** – Provides standardization of management from one central workspace. You can [transition from Log Analytics (LA) to AMA](../azure-monitor/agents/azure-monitor-agent-migration.md) so that all VMs point to a single workspace for data collection and maintenance.
21+
- **Rules management** – Uses [Data Collection Rules](https://azure.microsoft.com/updates/azure-monitor-agent-and-data-collection-rules-public-preview/) to configure or customize various aspects of data collection. For example, you can change the frequency of file collection.
22+
23+
> [!NOTE]
24+
> If you [remove the **Change Tracking** resource](../automation/change-tracking/remove-feature.md#remove-changetracking-solution), you will also disable the File Integrity Monitoring in Defender for Cloud.
25+
26+
## Availability
27+
28+
|Aspect|Details|
29+
|----|:----|
30+
|Release state:|Preview|
31+
|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#defender-for-servers-plans)|
32+
|Required roles and permissions:|**Owner**<br>**Contributor**|
33+
|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds - Supported only in regions: `australiaeast`, `australiasoutheast`, `canadacentral`, `centralindia`, `centralus`, `eastasia`, `eastus2euap`, `eastus`, `eastus2`, `francecentral`, `japaneast`, `koreacentral`, `northcentralus`, `northeurope`, `southcentralus`, `southeastasia`, `switzerlandnorth`, `uksouth`, `westcentralus`, `westeurope`, `westus`, `westus2`<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: [Azure Arc](../azure-arc/servers/overview.md) enabled devices.<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected GCP accounts|
34+
35+
## Prerequisites
36+
37+
To track changes to your files on machines with AMA:
38+
39+
- Enable [Defender for Servers Plan 2](defender-for-servers-introduction.md)
40+
41+
- [Install AMA](auto-deploy-azure-monitoring-agent.md) on machines that you want to monitor
42+
43+
## Enable File Integrity Monitoring with AMA
44+
45+
To enable File Integrity Monitoring (FIM):
46+
47+
1. Use the FIM recommendation to select machines for file integrity monitoring:
48+
1. From Defender for Cloud's sidebar, open the **Recommendations** page.
49+
1. Select the recommendation [File integrity monitoring should be enabled on machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/9b7d740f-c271-4bfd-88fb-515680c33440). Learn more about [Defender for Cloud recommendations](review-security-recommendations.md).
50+
1. Select the machines that you want to use File Integrity Monitoring on, select **Fix**, and select **Fix X resources**.
51+
52+
The recommendation fix:
53+
54+
- Installs the `ChangeTracking-Windows` or `ChangeTracking-Linux` extension on the machines.
55+
- Generates a data collection rule (DCR) for the subscription, named `Microsoft-ChangeTracking-[subscriptionId]-default-dcr`, that defines what files and registries should be monitored based on default settings. The fix attaches the DCR to all machines in the subscription that have AMA installed and FIM enabled.
56+
- Creates a new Log Analytics workspace with the naming convention `defaultWorkspace-[subscriptionId]-fim` and with the default workspace settings.
57+
58+
You can update the DCR and Log Analytics workspace settings later.
59+
60+
1. From Defender for Cloud's sidebar, go to **Workload protections** > **File integrity monitoring**, and select the banner to show the results for machines with Azure Monitor Agent.
61+
62+
:::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-banner.png" alt-text="Screenshot of banner in File integrity monitoring to show the results for machines with Azure Monitor Agent.":::
63+
64+
1. The machines with File Integrity Monitoring enabled are shown.
65+
66+
:::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-results.png" alt-text="Screenshot of File integrity monitoring results for machines with Azure Monitor Agent." lightbox="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-results.png":::
67+
68+
You can see the number of changes that were made to the tracked files, and you can select **View changes** to see the changes made to the tracked files on that machine.
69+
70+
## Edit the list of tracked files and registry keys
71+
72+
File Integrity Monitoring (FIM) for machines with Azure Monitor Agent uses [Data Collection Rules (DCRs)](../azure-monitor/essentials/data-collection-rule-overview.md) to define the list of files and registry keys to track. Each subscription has a DCR for the machines in that subscription.
73+
74+
FIM creates DCRs with a default configuration of tracked files and registry keys. You can edit the DCRs to add, remove, or update the list of files and registries that are tracked by FIM.
75+
76+
To edit the list of tracked files and registries:
77+
78+
1. In File integrity monitoring, select **Data collection rules**.
79+
80+
You can see each of the rules that were created for the subscriptions that you have access to.
81+
82+
1. Select the DCR that you want to update for a subscription.
83+
84+
Each file in the list of Windows registry keys, Windows files, and Linux files contains a definition for a file or registry key, including name, path, and other options. You can also set **Enabled** to **False** to untrack the file or registry key without removing the definition.
85+
86+
Learn more about [system file and registry key definitions](../automation/change-tracking/manage-change-tracking.md#track-files).
87+
88+
1. Select a file, and then add or edit the file or registry key definition.
89+
90+
1. Select **Add** to save the changes.
91+
92+
## Exclude machines from File Integrity Monitoring
93+
94+
Every machine in the subscription that is attached to the DCR is monitored. You can detach a machine from the DCR so that the files and registry keys aren't tracked.
95+
96+
To exclude a machine from File Integrity Monitoring:
97+
98+
- In the list of monitored machines in the FIM results, select the menu (**...**) for the machine and select **Detach data collection rule**.
99+
100+
:::image type="content" source="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-detach-rule.png" alt-text="Screenshot of the option to detach a machine from a data collection rule and exclude the machines from File Integrity Monitoring." lightbox="media/file-integrity-monitoring-enable-ama/file-integrity-monitoring-azure-monitoring-agent-detach-rule.png":::
101+
102+
The machine moves to the list of unmonitored machines, and file changes aren't tracked for that machine anymore.
103+
104+
## Next steps
105+
106+
Learn more about Defender for Cloud in:
107+
108+
- [Setting security policies](tutorial-security-policy.md) - Learn how to configure security policies for your Azure subscriptions and resource groups.
109+
- [Managing security recommendations](review-security-recommendations.md) - Learn how recommendations help you protect your Azure resources.
110+
- [Azure Security blog](https://azure.microsoft.com/blog/topics/security/) - Get the latest Azure security news and information.
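Review bot: the `description` in the front matter says "enable File Integrity Monitor" while the `title` and H1 say "File Integrity Monitoring"; use the full name in the description. In the feature list, the separators after the bold labels are inconsistent: `**Compatibility with tracking tool**-` and `**Simplified onboarding**-` have no space before the hyphen, `**Compatibility with the unified monitoring agent** -` has a spaced hyphen, and the last two items use an en dash; pick one form for all five. In the note, "you will also disable the File Integrity Monitoring" should drop "the". Two documentation gaps worth closing before merge: the "recommendation fix" bullets say a new workspace named `defaultWorkspace-[subscriptionId]-fim` is created, but the page never says whether an existing Log Analytics workspace can be used instead or how to point the DCR at one after the fact, and the "Exclude machines" section says detaching the DCR stops tracking but not whether the `ChangeTracking-Windows`/`ChangeTracking-Linux` extension stays installed; a sentence on each would save readers a support ticket. Finally, the last edit step "Select **Add** to save the changes" applies to editing an existing definition as well as adding one; confirm the button label is the same in both cases.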
