Installing Integrity Monitor

Tanium as a Service automatically handles module installations and upgrades.

Use the Tanium Solutions page to install Integrity Monitor and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Integrity Monitor is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Integrity Monitor, see Import and configure Integrity Monitor with default settings.
  • Manual configuration with custom settings: After installing Integrity Monitor, you must manually configure required settings. Select this option only if Integrity Monitor requires settings that differ from the recommended default settings. For more information, see Import and configure Integrity Monitor with custom settings.

Before you begin

Import and configure Integrity Monitor with default settings

When you import Integrity Monitor with automatic configuration, the following default settings are configured:

  • The Integrity Monitor service account is set to the account that you used to import the module.
  • The Integrity Monitor action group is set to the computer group All Computers.
  • A watchlist is created for each supported operating system (Windows, Linux, AIX, and Solaris) based on the Critical System Files template for the operating system.
  • A monitor is created to deploy the watchlist for each supported operating system.

    The Windows monitor is targeted only to Windows Server computer groups: All Windows Server 2008 R2, All Windows Server 2012, All Windows Server 2012 R2, All Windows Server 2016, and All Windows Server 2019.

    All other monitors are targeted to the associated All <Operating System> computer group: All Linux, All AIX, and All Solaris.

    If one or more of the targeted operating systems are not used in your environment, delete the associated monitors.

  • Monitors are deployed to endpoints.

To import Integrity Monitor and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Integrity Monitor version.

Import and configure Integrity Monitor with custom settings

To import Integrity Monitor without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Integrity Monitor version.

Configure the Integrity Monitor service account

You must create and configure an Integrity Monitor service account to run several background processes, such as gathering endpoint statistics and sending labels to Connect. This user must have the following roles and access configured:

  • The Connect User role
  • The Integrity Monitor Administrator role
  • Access to monitored computer groups

For best results, grant the service account user access to the All Computers group so that the account can reach any endpoint assigned to a monitor. Otherwise, every time you add a computer group to a monitor, you must also assign that computer group to the Integrity Monitor service account, or configured rules will fail to run against those endpoints.

  1. From the Integrity Monitor Home page, in the Configure Integrity Monitor section, click the Configure Service Account step and click Configure Service Account.
  2. Enter the User Name and Password for the service account user and click Save.

Set up watchlists

Create a watchlist to define a set of files, directories, and Windows registry paths that you want to monitor for any changes. For more information, see Working with watchlists.

Set up monitors

Use monitors to deploy watchlists to endpoints for continuous recording of file and registry events. For more information, see Working with monitors.

Deploy monitors

  1. After you create a monitor, click Deploy Monitors to see results.
  2. In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors are deployed.

When you deploy a monitor, you deploy all monitors. Whenever you take an action on monitors (such as creating, modifying, or reprioritizing them), you are prompted to deploy all monitors. For best results, create all planned monitors and then deploy them all at once.

Monitors are automatically redeployed when the Integrity Monitor module is upgraded in TaaS, which could occur without prior notice. If you have not yet deployed a newly created monitor, it is automatically deployed if the module is upgraded before you manually deploy it.

Deploying a monitor that uses legacy labeling to an endpoint to which a monitor that uses enhanced labeling has previously been deployed is not supported. Migration is intended to occur only from legacy labeling to enhanced labeling. As a best practice, avoid this condition when reprioritizing monitors or when modifying and redeploying monitors. Deploying legacy labeling to an endpoint that already uses enhanced labeling from a previous deployment might require removing and redeploying the Integrity Monitor tools on that endpoint. For more information about removing Integrity Monitor tools, see Remove Integrity Monitor tools from endpoints, and consult your Technical Account Manager (TAM) for information about best practices.

Set up rules

Create rules to automatically label events based on attributes of the event itself. You can use these labels to differentiate between planned, expected, and suspicious changes in your event stream and align with change windows. For more information, see Working with rules.

Deploy rules (enhanced labeling)

When you use enhanced labeling, rules are deployed to endpoints so that labels are applied to events directly on the endpoint. Therefore, rules for monitors that use enhanced labeling must be deployed after they are created or modified. For more information, see Working with rules.

Upgrade Integrity Monitor

For the steps to upgrade Integrity Monitor, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Integrity Monitor version.

Read the release notes for a particular version before you upgrade Integrity Monitor.

As a best practice, perform some basic tests in Integrity Monitor before and after the upgrade to ensure that all operations are working as expected.

Redeploy monitors

After you upgrade Integrity Monitor, all monitors and rules must be redeployed. You can configure Integrity Monitor to redeploy monitors and rules automatically after an upgrade; otherwise, you must redeploy them manually.

If you do not redeploy the monitors and rules, the system might be left in a nonworking state.

Configure automatic redeployment of monitors

  1. Click Settings at the top right of the Integrity Monitor Home page.
  2. Click the General Settings tab.
  3. Select Automatically deploy monitors and rules when upgrading the module.

If you upgrade from a version earlier than 2.6, this setting is not enabled by default. It is enabled by default for new installations of Integrity Monitor 2.6 or later.

Upgrading to Integrity Monitor 2.0 and later

Integrity Monitor 2.0 and later includes an upgrade to Client Recorder Extension 2.0 or later, commonly referred to as the recorder. Recorder 2.0 and later includes significant improvements to performance and interoperability between modules that use the recorder (Integrity Monitor, Tanium™ Threat Response, and Tanium™ Map).

This upgrade does not require you to update all three modules at the same time, but conditional logic is applied to determine whether to upgrade the recorder component from version 1.x to 2.x when more than one of these modules is deployed to an endpoint. The recorder updates on an endpoint as follows:

  • If Integrity Monitor is the only module installed that uses the recorder, the endpoint updates to the new recorder when you upgrade to Integrity Monitor 2.0 or later.
  • If Threat Response 1.4.2 or earlier is installed along with Integrity Monitor 2.0 or later, the previous version of the recorder is used on the endpoint until you upgrade to Threat Response 2.0 or later.
  • If Map 1.2.2 or earlier is installed along with Integrity Monitor 2.0 or later and Threat Response 2.0 or later, the endpoint updates to the new recorder. Map will not function as expected until you upgrade to Map 2.0.

Integrity Monitor 2.5 and later includes an upgrade to Recorder 2.2 or later. Recorder 2.2 or later is required for Windows registry monitoring.

Upgrading to Integrity Monitor 2.4 and later

Integrity Monitor 2.4 and later includes the capability to use labels that are stored on endpoints, known as enhanced labeling. (For more information, see Legacy labeling and enhanced labeling.) To support this functionality, when you upgrade to Integrity Monitor 2.4 or later, all existing labels become global labels. Any user-defined custom labels that are currently assigned to specific monitors are migrated to a matching global label, and any custom labels that have conflicting names are merged into a single global label.

After upgrading, you can update individual monitors from legacy labeling to enhanced labeling. For information about performing this update, see Update monitors from legacy labeling to enhanced labeling.

Verify Integrity Monitor version

After you import or upgrade Integrity Monitor, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Modules > Integrity Monitor to open the Integrity Monitor Home page.
  3. To display version information, click Info.