Best practices

Defining watchlists

Be specific when defining watchlists. For example, watching the C:\ or / directories of your endpoints will result in a lot of alarm activity just from normal operation. As a rule, follow these guidelines:

  • Add multiple specific file paths over a single directory path.
  • If you must add a directory path, review that directory path for things to exclude (log files, log directories, temp directories, etc.).
  • Keep your watchlists small and focused on specific items; having one watchlist for each application, software component, or system configuration area will help keep the system maintainable.
  • Build up your monitors using many small watchlists. Remember that your monitors are associated with computer groups. Build one monitor per computer group and be as specific as you can to define the relevant watchlists for that computer group.

Setting up computer groups

Be specific when defining computer groups for Integrity Monitor targeting. Monitor prioritization will be used when there is an overlap in the computer groups, but having specific non-overlapping computer groups for monitors will result in a more predictable deployment.

For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.