Integrity Monitor overview
With Integrity Monitor, you can simplify regulatory compliance for your enterprise by consolidating tools and accomplish the following:
- Continuously monitor critical operating system (OS), application, and log files.
- With uninterrupted, real-time integrity monitoring, you are not limited by a set schedule.
- Avoid the complexity of deploying several point tools and tuning them for individual endpoints.
- Continuously monitor Windows registry paths.
- Go from alert to active investigation using other modules on the Tanium platform.
- Deploy continuous monitoring for common or new attack vectors to any dynamic group of computers or across the enterprise. By leveraging Tanium™ Connect, integrate with existing change management and incident response systems to scale integrity monitoring.
Using Integrity Monitor, you specify files, directories, or Windows registry paths that you want to watch for changes in watchlists, and then you define how those watchlists are deployed to endpoints using monitors. After you create and deploy monitors, Integrity Monitor records events on the included endpoints.
You can label events to mark actions that need to be taken on those events. You can also create rules that automatically label events, which can help you readily identify events of concern.
Integrity Monitor 2.4 and later includes the capability to use labels that are stored on endpoints, known as enhanced labeling. This allows labels to be available from Integrity Monitor sensors across the Tanium platform and to be combined with other data, which allows you to use labels in filters. For example, when using enhanced labeling, you can ask the question "Get Computer Name and Integrity Monitor File Events Details contains Label Important" in Tanium Interact to retrieve only file events with the label Important. Additionally, the sensors Integrity Monitor Labeled File Events Details, Integrity Monitor Unlabeled File Events Overview, and Integrity Monitor Unlabeled File Events Details are available when using enhanced labeling. For more information, see Working with events.
When all events are appropriately labeled, you can filter for only unlabeled events, which might represent unexpected or unauthorized changes, depending on your environment.
Enhanced labeling also lets you integrate with ServiceNow change management.
Currently, when you use enhanced labeling, the following restrictions apply:
- You cannot manually add labels to events.
- You cannot add notes to labeled events.
- You cannot view and manage event labels in the Integrity Monitor File Events Overview.
- Reports are unavailable.
- Label history is unavailable.
Enhanced labels are shown in text format as normal sensor output, whereas legacy labels were shown graphically with colored boxes. This change allows ordering and filtering based on label names, just as with any Tanium sensor output.
With legacy labeling, labels are stored on the Tanium Module Server, and they are available only within Integrity Monitor.
Enhanced labeling is available only for monitors for Windows and Linux endpoints. Monitors for AIX and Solaris endpoints must use legacy labeling.
When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow, which lets you determine which events are authorized and filter out events within authorized change windows.
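The triage pattern described above (rules that label events automatically, labels derived from authorized change windows, and a filter for whatever remains unlabeled) is sketched below as an added example. It is not Tanium code and does not use the product's event schema or the ServiceNow API; the `Event` fields, the rule format, the change ID and all sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch

@dataclass
class Event:                      # hypothetical event shape, not the product's schema
    endpoint: str
    path: str
    change: str                   # e.g. "write", "create", "delete"
    when: datetime
    labels: list = field(default_factory=list)

# Constructed label rules: (label, path glob, change type or "*").
RULES = [
    ("Log rotation", "/var/log/*", "*"),
    ("Important", "/etc/ssh/*", "write"),
]

# Constructed change windows: (change id, endpoint, start, end).
WINDOWS = [
    ("CHG-EXAMPLE-1", "web01", datetime(2020, 5, 20, 22, 0), datetime(2020, 5, 21, 2, 0)),
]

def label_events(events, rules=RULES, windows=WINDOWS):
    """Attach every matching rule label and change-window label to each event."""
    for ev in events:
        for label, glob, change in rules:
            if fnmatch(ev.path, glob) and change in ("*", ev.change):
                ev.labels.append(label)
        for chg, endpoint, start, end in windows:
            # Window bounds are inclusive; the endpoint must match as well.
            if ev.endpoint == endpoint and start <= ev.when <= end:
                ev.labels.append(f"Authorized:{chg}")
    return events

def unlabeled(events):
    """Events no rule or change window explained: the review queue."""
    return [ev for ev in events if not ev.labels]

SAMPLE = [  # constructed events
    Event("web01", "/var/log/messages", "write", datetime(2020, 5, 20, 12, 0)),
    Event("web01", "/usr/bin/sudo", "write", datetime(2020, 5, 20, 23, 30)),
    Event("web01", "/usr/bin/sudo", "write", datetime(2020, 5, 21, 9, 15)),
    Event("db01", "/etc/ssh/sshd_config", "write", datetime(2020, 5, 20, 23, 30)),
    Event("db01", "/etc/passwd", "write", datetime(2020, 5, 20, 23, 30)),
]

if __name__ == "__main__":
    for ev in unlabeled(label_events(SAMPLE)):
        print(ev.when.isoformat(), ev.endpoint, ev.change, ev.path)
```

The same binary changing inside the window is labeled as authorized, while the identical change the next morning, and a change on an endpoint the window does not cover, stay unlabeled and surface for review.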
Integrity Monitor has built-in integration with Tanium™ Trends for additional reporting of related data.
By default, Integrity Monitor features Trends boards that provide data visualization of Integrity Monitor concepts.
Displays the health statuses of deployed monitors and the versions of Integrity Monitor tools installed on endpoints.
Displays the most frequent change types for events, file or registry paths with the most change events, and users with the most change events.
Displays the percentages of endpoints that are currently monitored (grouped by operating system), the breakdown of deployed monitors by operating system, and the breakdown of watchlists in use by path style.
For more information about how to import the Trends boards that are provided by Integrity Monitor, see Tanium Trends User Guide: Importing the initial gallery.
Last updated: 5/22/2020 9:24 PM