Installing Integrity Monitor

Use the Tanium Solutions page to install Integrity Monitor and choose either automatic or manual configuration:

  • Automatic configuration with default settings (Tanium Core Platform 7.4.2 or later only): Integrity Monitor is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For details about the automatic configuration for Integrity Monitor, see Import and configure Integrity Monitor with default settings.
  • Manual configuration with custom settings: After installing Integrity Monitor, you must manually configure required settings. Select this option only if Integrity Monitor requires settings that differ from the recommended default settings. For more information, see Import and configure Integrity Monitor with custom settings.

Before you begin

Import and configure Integrity Monitor with default settings

When you import Integrity Monitor with automatic configuration, the following default settings are configured:

  • The Integrity Monitor service account is set to the account that you used to import the module.
  • The Integrity Monitor action group is set to the computer group All Computers.
  • A watchlist is created for each supported operating system (Windows, Linux, Solaris, and AIX) based on the Critical System Files template for the operating system.
  • A monitor is created to deploy the watchlist for each supported operating system.

    The Windows monitor is targeted only to Windows Server computer groups: All Windows Server 2008 R2, All Windows Server 2012, All Windows Server 2012 R2, All Windows Server 2016, and All Windows Server 2019.

    All other monitors are targeted to the associated All <Operating System> computer group: All Linux, All Solaris, and All AIX.

    If one or more of the targeted operating systems are not used in your environment, delete the associated monitors.

  • Monitors are deployed to endpoints.

To import Integrity Monitor and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Integrity Monitor version.

Import and configure Integrity Monitor with custom settings

To import Integrity Monitor without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps in Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Integrity Monitor version.

Configure the Integrity Monitor service account

You must create and configure an Integrity Monitor service account to run several background processes, such as gathering endpoint statistics and sending labels to Connect. This user must have the following roles and access configured:

  • The Connect User role
  • The Integrity Monitor Administrator role
  • Access to monitored computer groups

For best results, grant the service account user access to the All Computers group for access to any endpoints assigned to monitors. Otherwise, every time you add a computer group to a monitor, you must assign that computer group to your service account for Integrity Monitor or you will encounter issues running configured rules.

  1. From the Integrity Monitor Home page, in the Configure Integrity Monitor section, click the Configure Service Account step and click Configure Service Account.
  2. Enter the User Name and Password for the service account user and click Save.

Set up watchlists

Create a watchlist to define a set of files and directories that you want to monitor for any changes. For more information, see Working with watchlists.

Set up monitors

Use monitors to deploy watchlists to endpoints for continuous recording of file events. For more information, see Working with monitors.

Deploy monitors

  1. After you create a monitor, click Deploy Monitors to see results.
  2. In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors are deployed.

When you deploy a monitor, you deploy all monitors. When you take an action on monitors (such as creating, modifying, or reprioritizing monitors) you will be prompted to deploy all monitors. For best results, create the monitors you know you need and then deploy them all at once.

Set up rules

Create rules to automatically label events based on attributes of the event itself. You can use these labels to differentiate between planned, expected, and suspicious changes in your event stream and align with change windows. For more information, see Working with rules.

Upgrade Integrity Monitor

For the steps to upgrade Integrity Monitor, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Integrity Monitor version.

Read the release notes for a particular version before you upgrade Integrity Monitor.

As a best practice, perform some basic tests in Integrity Monitor before and after the upgrade to ensure that all operations are working as expected.

After you upgrade Integrity Monitor, you must redeploy all monitors.

If you do not redeploy the monitors, the system might be left in a nonworking state.

Upgrading to Integrity Monitor 2.0 and later

Integrity Monitor 2.0 and later includes an upgrade to Client Recorder Extension 2.0, commonly referred to as the recorder. Recorder 2.0 includes significant improvements to performance and interoperability between modules that use the recorder (Integrity Monitor, Tanium™ Threat Response, and Tanium™ Map).

This upgrade does not require you to update all three modules at the same time, but conditional logic is applied to determine whether to upgrade the recorder component from version 1.x to 2.0 when more than one of these modules is deployed to an endpoint. The recorder updates on an endpoint as follows:

  • If Integrity Monitor is the only module installed that uses the recorder, the endpoint updates to the new recorder when you upgrade to Integrity Monitor 2.0 or later.
  • If Threat Response 1.4.2 or earlier is installed along with Integrity Monitor 2.0 or later, the previous version of the recorder is used on the endpoint until you upgrade to Threat Response 2.0 or later.
  • If Map 1.2.2 or earlier is installed along with Integrity Monitor 2.0 or later and Threat Response 2.0 or later, the endpoint updates to the new recorder. Map will not function as expected until you upgrade to Map 2.0.

Verify Integrity Monitor version

After you import or upgrade Integrity Monitor, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Integrity Monitor to open the Integrity Monitor Home page.
  3. To display version information, click Info Info.

What to do next

See Getting started for more information about using Integrity Monitor.