For some time a number of people and companies have been using OSSEC for that job. [1] There are a couple versions of it free open source and enterprise. There are a handful of other programs that also keep an eye on checksums.

If tinkering with OSSEC one of the first steps should be to configure whitelisting for IP ranges and CIDR blocks used by your company, SNAT addresses and bastion IP's so that someone does not lock everyone out. It does a lot more than checksums.

[1] - https://www.ossec.net/