Configuring Integrity Monitor

If you did not install Integrity Monitor with the Apply All Tanium recommended configurations option, you must enable and configure certain features.

Prepare Endpoints

(Windows) Configure permission recording

To monitor changes in file permissions, you must configure the Audit File System permission under Local Security Policy on the endpoint.

Endpoints that do not have this permission configured return Recorder - Error: File permission auditing is disabled when you ask a question using the Client Extensions - Status sensor, and they appear in the Endpoint Health panel on the Integrity Monitor Overview page.

To configure the Audit File System permission, complete the following steps. (These steps apply to Windows 10 and might vary for different versions of Windows.)

1. From the Control Panel, open Administrative Tools > Local Security Policy.
2. Go to Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access.
3. Double-click Audit File System.
4. Select Configure the following audit events: and then select Success.
5. Click OK.

When you enable the Permission change type for a path in a watchlist, Integrity Monitor automatically configures the appropriate System Access Control List (SACL) audit settings for every file and folder in that path for that watchlist.

Remove legacy Client Recorder Extension

If Client Recorder Extension version 1.x exists on a targeted endpoint, you must remove it before you install Client Recorder Extension version 2.x tools. To target endpoints where Client Recorder Extension version 1.x exists, ask the question: Recorder - Legacy Installed. If the Supported Endpoints column displays Yes, you must remove Client Recorder Extension version 1.x from the endpoint before you install Client Recorder Extension 2.x tools. To remove Client Recorder Extension version 1.x, deploy the Recorder - Remove Legacy Recorder [Operating System] package to targeted endpoints.

Install and configure Configure Tanium Endpoint Configuration

Manage solution configurations with Tanium Endpoint Configuration

Tanium Endpoint Configuration delivers configuration information and required tools for Tanium Solutions to endpoints. Endpoint Configuration consolidates the configuration actions that traditionally accompany additional Tanium functionality and eliminates the potential for timing errors that occur between when a solution configuration is made and the time that configuration reaches an endpoint. Managing configuration in this way greatly reduces the time to install, configure, and use Tanium functionality, and improves the flexibility to target specific configurations to groups of endpoints.

For solutions to Solutions cannot perform configuration changes or tool deployment through Endpoint Configuration on endpoints with action locks turned on, you must enable the Manifest Package Ignore Action Lock and Deploy Client Configuration and Support Package Ignore Action Lock settings. To access these settings, from the Endpoint Configuration Overview page, click Settings and select Global. on. As a best practice, do not turn on action locks. For more information about action locks, see Tanium Console User Guide: Managing action locks.

For more information about Endpoint Configuration, see Tanium Endpoint Configuration User Guide.

Configure Integrity Monitor

(Optional) Configure Automatic Deployment on Upgrade

Select Automatic Deployment on Upgrade to automatically deploy monitors, watchlists, and rules after an upgrade. Deployment of each monitor, watchlist, or rule uses the management rights of the last user to deploy the item, but does not use any of that user's persona rights, even if the user changed to a persona to deploy.

Review any tools, watchlists, and monitors deployed to endpoints before you select this option, especially if changes were made since the last deployment.

1. From the Integrity Monitor Overview page, click Settings .
2. Click the General Settings tab.
3. Select Automatically deploy monitors, watchlists, and rules when upgrading the module and click Save.

(Optional) Configure the Integrity Monitor action group

Importing the Integrity Monitor module automatically creates an action group to target specific endpoints. If you did not use automatic configuration or you enabled restricted targeting when you imported Integrity Monitor, the action group targets No Computers.

If you used automatic configuration and restricted targeting was disabled when you imported Integrity Monitor, configuring the Integrity Monitor action group is optional.

Select the computer groups to include in the Integrity Monitor action group.

Clear the selection for No Computers and make Make sure that all operating systems that are supported by Integrity Monitor are included in the Integrity Monitor action group.

1. From the Main menu, go to Administration > Actions > Action Groups.
2. Click Tanium Integrity Monitor.
3. Select the computer groups that you want to include in the action group and click Save.
   If you select multiple computer groups, choose an operator (AND or OR) to combine the groups.

Organize computer groups

You deploy watchlists and monitors by computer group. Target monitors as broadly as possible, and create more specific groups if you need different settings or intervals for scanning some endpoints. Create specific groups for watchlists, targeted more narrowly to watch only the necessary paths on the necessary endpoints.

When possible, avoid targeting different monitors to computer groups that contain some of the same endpoints. One monitor is deployed to each endpoint. You can prioritize monitors when computer groups overlap, but it is better to create non-overlapping computer groups to use with monitors for a more predictable deployment.

Create relevant computer groups to organize your endpoints for monitor and watchlist targeting. Some options include:

• Applications in use on an endpoint
• Endpoint type, such as servers with a specific function
• Endpoint compliance requirements, such as endpoints that must comply with Payment Card Industry Data Security Standard (PCI DSS) or the Sarbanes-Oxley Act (SOX)
• Endpoint location, such as by country or time zone
• Endpoint priority, such as business-critical machines
• Endpoint configuration needs, such as VDI machines

For more information, see Tanium Core Platform User Guide: Managing computer groups.

Set up Integrity Monitor users

You can use the following set of predefined user roles to set up Integrity Monitor users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

Integrity Monitor Operator

Assign the Integrity Monitor Operator role to users who manage most configuration and deployment of Integrity Monitor functionality to endpoints.
This role can perform the following tasks:

• Configure Integrity Monitor settings, templates, and labels
• Run and apply rules to events
• View, create, edit, and deploy monitors, rules, and watchlists
• Create, edit, and schedule integrations with IT workflows
• Delete labels and event labels

Integrity Monitor Author

Assign the Integrity Monitor Author role to users who manage monitors, rules, and labels in Integrity Monitor.

This role can perform the following tasks:

• View, create, and edit monitors, rules, and labels

• View Integrity Monitor events and settings

Integrity Monitor User

Assign the Integrity Monitor User role to users who manage event labels and rules in Integrity Monitor.
This role can perform the following tasks:

• View, create, and edit event labels and rules

• View Integrity Monitor monitors, events, labels, and settings

Integrity Monitor Read Only User

Assign the Integrity Monitor Read Only User role to users who need visibility into Integrity Monitor data.
This role can view Integrity Monitor Read Only User events, event labels, labels, monitors, rules, and settings.