Configuring monitors to deploy watchlists

Use monitors to deploy watchlists to endpoints for continuous recording of file and registry events. A monitor applies to one operating system but can be deployed to multiple computer groups.

Monitors are deployed to specific computer groups. Configure one monitor per computer group, and be specific in selecting the watchlists for that computer group.

Basic labeling and enhanced labeling

Integrity Monitor 2.4 and later includes the capability to use labels that are stored on endpoints, known as enhanced labeling. With enhanced labeling, labels are available from Integrity Monitor sensors across the Tanium platform. You can combine enhanced labels with other data to use labels in filters. For example, when using enhanced labeling, you can ask the question Get Computer Name and Integrity Monitor File Events Details contains Label Important in Tanium™ Interact to retrieve only file events with the label Important. Additionally, the sensors Integrity Monitor Labeled File Events Details, Integrity Monitor Unlabeled File Events Overview, and Integrity Monitor Unlabeled File Events Details are available when using enhanced labeling. For more information, see Viewing events.

When all events are appropriately labeled, you can filter for only unlabeled events, which typically represent unexpected changes.

Enhanced labeling enables integration with ServiceNow Change Management.

Enhanced monitors, labels, and rules are used with enhanced labeling, and basic monitors, labels, and rules are used with basic labeling.

When you use enhanced labeling, the following restrictions apply:

  • You cannot manually add labels to events.
  • You cannot add notes to labeled events.
  • You cannot modify event labels in the Integrity Monitor File Events Overview.
  • Traditional reports are unavailable. Instead, you can use saved questions in Connect to send events to reports and external destinations, which allows better filtering and more flexibility. For more information, see Send events from enhanced monitors.

Enhanced labels are shown in text format as normal sensor output, whereas basic labels were shown graphically with colored boxes. This change allows ordering and filtering based on label names, just as with any Tanium sensor output.

With basic labeling, labels are stored on the Tanium Module Server in TaaS, and they are available only within Integrity Monitor.

Enhanced labeling is available only with monitors for Windows and Linux endpoints. Monitors for AIX and Solaris endpoints must use basic labeling.

Monitoring methods

If you create a monitor with a Windows or Linux platform, you can choose Event Monitoring, Hash Monitoring, or both. Solaris and AIX endpoints use only hash monitoring.

You must use event monitoring to monitor Windows registry events.

Event monitoring

Use event monitoring to monitor change events for a specified watchlist, such as create, write, delete, or rename, in real time on files or Windows registry values. Event monitoring can distinguish between similar types of changes, such as a rename versus a write and delete. This method also provides more information about a change than hash monitoring, such as the associated user or process path.

Hash monitoring

Use hash monitoring to monitor changes to the file hash or metadata at regular intervals in the specified watchlist. Hash monitoring is required in some environments. An advantage to this method is that the file integrity can be verified even if a change event is missed. Auditd is not used with hash monitoring on Linux endpoints.

Use both monitoring methods. When you use both Event Monitoring and Hash Monitoring, you still see changes to files and registry values from hash monitoring even if there is an issue with the event recorder, and event monitoring provides the user and process path for events. Selecting both monitoring methods also prevents reporting events that indicate a change from the operating system but have no content or hash change.
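To make concrete why both methods are recommended, here is an added Python example (not Tanium code, and not how Integrity Monitor is implemented) that reconciles a constructed event-recorder stream with a constructed hash-monitoring pass: events without a hash change are suppressed, hash changes with no event are still reported but without user or process path, and events with a hash change keep the recorder's user and process path.

```python
import hashlib

# Constructed sample data (not Tanium data): file contents at the previous hash-monitoring
# pass (baseline), contents at the current pass, and the events the event recorder captured
# in between. A path missing from CURRENT means the file was deleted.
BASELINE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/opt/app/config.ini": b"debug=false\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",  # content changed, event recorded
    "/etc/hosts": b"127.0.0.1 localhost\n",             # metadata-only touch, content identical
    "/opt/app/config.ini": b"debug=true\n",             # content changed, no event captured
}
EVENTS = [
    {"path": "/etc/ssh/sshd_config", "op": "write", "user": "root", "process": "/usr/bin/vi"},
    {"path": "/etc/hosts", "op": "write", "user": "root", "process": "/usr/bin/touch"},
]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def reconcile(baseline, current, events):
    """Combine event monitoring with hash monitoring.

    Returns (findings, suppressed):
      findings   - changes worth reporting; event-backed ones carry user and process
                   path, hash-only ones were missed by the event recorder.
      suppressed - events where the OS reported a change but the hash is unchanged.
    """
    old = {p: sha256(b) for p, b in baseline.items()}
    new = {p: sha256(b) for p, b in current.items()}
    by_path = {e["path"]: e for e in events}
    findings, suppressed = [], []
    for path in sorted(set(old) | set(new) | set(by_path)):
        hash_changed = old.get(path) != new.get(path)
        ev = by_path.get(path)
        if not hash_changed:
            if ev:
                suppressed.append(ev)  # OS change notification, no content change
            continue
        # Derive the operation from the hashes when the recorder gave us nothing.
        op = "delete" if new.get(path) is None else ("create" if old.get(path) is None else "write")
        findings.append({
            "path": path,
            "op": ev["op"] if ev else op,
            "source": "event+hash" if ev else "hash-only",
            "user": ev["user"] if ev else None,
            "process": ev["process"] if ev else None,
            "old_hash": old.get(path),
            "new_hash": new.get(path),
        })
    return findings, suppressed
```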

Create a new monitor

  1. From the Integrity Monitor menu, go to Monitors > All Monitors. On the All Monitors page, click Create Monitor.
  2. In the Details section on the Create Monitor page, enter a Name and Description for the new monitor.

    Name the monitor based on the operating system, business unit, or application group you want to monitor.

  3. In the Deployment Criteria section, select the Platform. If you selected Windows or Linux, configure the following additional settings:
    1. For Labeling Method, select Enhanced Labeling or Basic Labeling. See Basic labeling and enhanced labeling for details on these options.

      If you select Enhanced Labeling when you create a monitor, you cannot later change the monitor to use basic labeling.

    2. Select the monitoring methods.

      Select both monitoring methods. For more information, see Monitoring methods.

    3. (Windows) If the watchlist you plan to use includes registry paths, you must select Install Tanium Driver. The Tanium Event Recorder Driver is required to record registry events on Windows endpoints.

      When the Tanium Driver is first installed with a monitor deployment, Windows registry events are not recorded until targeted endpoints are rebooted. File events are recorded regardless of whether the Tanium Driver is installed, and file event recording functions normally before endpoints are rebooted.

  4. In the Targeting section, click Select Computer Groups, select the computer groups to target, and click Save. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.

    Computer groups with manual membership are not supported in Integrity Monitor.

    Be specific when you define computer groups for Integrity Monitor targeting. One monitor is deployed to each endpoint. You can prioritize monitors when computer groups overlap, but it is better to use non-overlapping computer groups for monitors for a more predictable deployment.

  5. In the Watchlists section, select one or more watchlists. Only watchlists for the platform you selected are shown.

  6. Click Create.
  7. After you create a monitor, you must deploy all monitors. For more information, see Deploy monitors.

Prioritize monitors

One monitor is deployed to each endpoint. If an endpoint belongs to the assigned computer groups for two or more monitors, the monitor priority list determines which monitor is deployed to the endpoint.

  1. On the All Monitors page, click Prioritize.
  2. Drag monitors into the order you want to prioritize them, or click Move to Position in the row for a monitor you want to reorder, enter the new position, and click Move. After you have reordered the monitors, click Save.

  3. After you re-prioritize, you must deploy all monitors. For more information, see Deploy monitors.

Deploy monitors

After you create, edit, reprioritize, or delete monitors, you must deploy the monitors to the endpoints. A Deploy Now banner appears, and Pending Deployment (new monitors), Needs Deployment (changed monitors), or Pending Deletion (deleted monitors) appears in the Status column for the monitor on the All Monitors page and the Enhanced Monitors or Basic Monitors page, depending on which type of monitor you are editing.

If you have more than one monitor, all monitors (including both basic and enhanced) are deployed each time you deploy monitors.

When you deploy a monitor, you deploy all monitors. When you take an action on monitors (such as creating, modifying, or reprioritizing monitors), you are prompted to deploy all monitors. For best results, create all planned monitors and then deploy them at the same time.

  1. Click Deploy Now in the banner or Deploy All Monitors on the All Monitors, Enhanced Monitors, or Basic Monitors page.
  2. Confirm the deployment. If you have more than one monitor, all monitors are deployed.

If you have enabled Endpoint Configuration, monitor deployment must be approved in Endpoint Configuration before monitors are deployed to endpoints.

Monitors are automatically redeployed when the Integrity Monitor module is upgraded in TaaS, which could occur without prior notice. If you have not yet deployed a newly created monitor, it is automatically deployed if the module is upgraded before you manually deploy it.

Do not deploy a basic monitor to an endpoint that already has an enhanced monitor deployed. Migration is intended to occur only from basic labeling to enhanced labeling. Avoid this condition when reprioritizing monitors or modifying and redeploying monitors. If you deploy a basic monitor to an endpoint that is using an enhanced monitor because of a previous deployment, you might have to remove and redeploy Integrity Monitor tools on endpoints. For more information about removing Integrity Monitor tools, see Remove Integrity Monitor tools from endpoints.

Check the status of deployed monitors

To check the status of deployed monitors on endpoints, ask the question: Get Integrity Monitor Endpoint Tools Status and Computer name from all machines.

For information about any error messages returned by the question, see Reference: Endpoint monitoring status errors.

Update basic monitors to enhanced monitors

In Integrity Monitor 2.4 or later, you can update basic monitors (which include any monitors that existed before an upgrade to Integrity Monitor 2.4 or later) to enhanced monitors. If any rules are assigned to the monitors you update, the rules are also updated to enhanced rules. For more information about basic labeling and enhanced labeling, see Basic labeling and enhanced labeling.

Because of the differences in the functionality between basic labeling and enhanced labeling, updating a monitor to enhanced results in the following changes:

  • Existing rules assigned to the monitor are also updated to enhanced rules.
  • The Reports tab is removed.
  • Manual labeling controls are removed.
  • Any existing labels are removed from events. However, any migrated rules apply enhanced labels to new events as they are recorded.

After you update a monitor to use enhanced labeling, you cannot change it back to basic labeling.

  1. On the All Monitors or Basic Monitors page, select each monitor that you want to update from basic to enhanced, and click Update Labeling. Confirm the update.

  2. Deploy all monitors. For more information, see Deploy monitors.
  3. If any rules were updated, deploy all rules. For more information, see Deploy rules (enhanced labeling).