Microsoft Defender for Cloud FIM
  • 28 Apr 2025

Article summary

The file integrity monitoring feature in Defender for Servers Plan 2, part of Microsoft Defender for Cloud, helps to keep enterprise assets and resources secure by scanning and analysing operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack. More information can be found at the official page for Microsoft Defender for Cloud FIM.

Integration Method: API

Tables: File System Activity (1001), Entity Management (3004)

This integration supports the following events.

  Event                      Description
  File Integrity Monitoring  Returns changes to Windows and Linux files, as well as to software registry keys.

This integration supports the following versions.

  Log Analytics API version supported: v1.0

Note:

Log Analytics doesn’t follow a traditional versioning system; it is a continuously updated cloud service. Please find more details here.

Prerequisites

  • The user requires at least the Global Administrator privilege to create and manage applications in Azure.

  • The user should have access to the DataBee platform.

Configuration Overview

  1. Create an application with the required permissions to fetch the data.

  2. Add Microsoft Defender for Cloud FIM in the DataBee console with the parameters below.

     DataBee Feed Parameter    Azure Parameter
     Workspace ID              Workspace ID
     Client Key                Application (Client) ID
     Client Secret             Client Secret
     Token URL (<tenant_id>)   Directory (tenant) ID

Azure Configuration

Create an application

  1. Log on to the Azure portal with an account that has Global Administrator privileges. In the search bar, search for App registrations and select it.

  2. On the “App registrations” page, click New registration. The “Register an application” window will appear.

  3. In the “Register an application” window, under ‘Name’ enter your application name, then click Register to create the application.

  4. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Endpoint Access

Once the application is created, it must be granted the permissions it needs to read data from the required endpoints. The following section details how to add those permissions.

Add Permissions

From the Azure Active Directory portal:

  1. Select the application registered in the previous step.

  2. Under Manage, click API permissions, then click Add a permission; the “Request API permissions” window will appear. Go to APIs my organization uses, search for Log Analytics API and select it.

  3. Click Log Analytics API, then select Application permissions as the permission type and choose the permission listed below.

     Event                      Type          Permission
     File Integrity Monitoring  Application   Data.Read

  4. Click the Add permissions button after selecting all required permissions.

  5. On the API permissions page:

    1. Click Grant admin consent for <tenant>.

    2. Click Yes on the consent confirmation.

  6. The required permissions are now added for the endpoints. The overall permission set looks like this; make sure the type is Application for all entries.

Get Workspace ID

  1. In the Azure console, search for Log Analytics workspaces and navigate there.
     

  2. Identify and select the workspace where the file integrity monitoring data is stored and save its Workspace ID.
     

Create the client secret

To create it from the Azure Portal:

  1. Select the application created earlier.

  2. Under Manage, click Certificates and Secrets, then Client Secrets.

  3. Click New client secret. The “Add a client secret” window appears.

  4. In the “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list. Select the maximum expiry from the list to avoid API interruption.

    2. Click Add to create the client secret.

      Note:

      The user needs to re-create the client secret when it expires.

  5. Save the Client Secret.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

  2. Search for the Microsoft Defender for Cloud FIM and click it as shown below.
     

  3. Click on the API Ingest option for collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, enter the following:

    • Authentication Method: OAuth2

    • Client Key: the Application (Client) ID found on the application Overview page.

    • Client Secret: the Client Secret generated for the application.

    • Token URL: replace <tenant_id> with the Directory (tenant) ID found on the application Overview page.

    • API Base URL: the base URL that DataBee will interact with.

    • Event Types: preselected with all the event types the integration pulls.

    • Workspace ID: the Log Analytics Workspace ID saved earlier.

     

  6. Click Submit.

Troubleshooting Tips

  • Ensure the client secret is pasted correctly. Since you cannot view it after the first time, re-create the client secret, paste it into a text editor to check that no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • Ensure that the application has the necessary permissions as described in this document.

  • If no logs are being ingested, make sure file integrity monitoring is enabled on your systems. The steps are described under Enable File Integrity.
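The following is an added example and is not part of the DataBee documentation or Microsoft's code: a pre-flight check that takes the same Tenant ID, Client ID, Client Secret and Workspace ID the feed configuration needs, acquires a token with the client-credentials flow, runs one query against the workspace, and maps an HTTP failure back to the section above to recheck. The token and query endpoint URLs are Microsoft's public endpoints; the KQL table name and the environment variable names are assumptions.

```python
"""Pre-flight check for the FIM feed: token, one workspace query, failure-to-step mapping."""
import json, os, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
SCOPE = "https://api.loganalytics.io/.default"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
# Assumption: the page does not name the table FIM writes to; adjust to yours.
KQL = "ConfigurationChange | where ConfigChangeType in ('Files', 'Registry') | take 5"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST for the Token URL with <tenant_id> filled in."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret.strip(),  # a pasted space breaks auth
        "scope": SCOPE})
    return urllib.request.Request(TOKEN_URL.format(tenant_id=tenant_id),
                                  data=form.encode(), method="POST")

def query_request(workspace_id, access_token, kql=KQL):
    """Query POST against the workspace, authenticated with the bearer token."""
    return urllib.request.Request(
        QUERY_URL.format(workspace_id=workspace_id), method="POST",
        data=json.dumps({"query": kql}).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})

def diagnose(step, status):
    """Map an HTTP failure to the section above that most likely needs rechecking."""
    if step == "token" and status in (400, 401):
        return "tenant ID or client secret invalid/expired: see Create the client secret"
    if step == "query" and status == 403:
        return "Data.Read or admin consent missing, or no read access on the workspace: see Add Permissions"
    if step == "query" and status == 404:
        return "workspace not found: see Get Workspace ID"
    return "unexpected HTTP %d during %s" % (status, step)

def run_check(tenant_id, client_id, client_secret, workspace_id):
    """Return 'ok: N rows' or the diagnosis for the failing step (needs network access)."""
    step = "token"
    try:
        with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as r:
            token = json.load(r)["access_token"]
        step = "query"
        with urllib.request.urlopen(query_request(workspace_id, token)) as r:
            return "ok: %d rows" % len(json.load(r)["tables"][0]["rows"])
    except urllib.error.HTTPError as e:
        return diagnose(step, e.code)

if __name__ == "__main__":  # placeholder values read from the environment
    print(run_check(*(os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "WORKSPACE_ID"))))
```

Run it once with the values you are about to enter in the DataBee feed; a result other than "ok" names the section to revisit before reconfiguring the feed.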

