Working with monitors
Use monitors to deploy watchlists to endpoints for continuous recording of file and registry events.
Since monitors are deployed to specific computer groups, configure one monitor per computer group, and be specific in selecting the watchlists for that computer group.
- Select Monitors from the Integrity Monitor menu.
- On the Monitors page, click Create a New Monitor.
In the Details section on the Create Monitor page, enter a Name and Description for the new monitor.
Name the monitor based on the operating system, business unit, and/or application group you want to monitor.
- In the Targeting section, select the Operating System. If you selected Windows or Linux, configure the following additional settings:
Select a Labeling Method. See Legacy labeling and enhanced labeling for details on these options.
If you select Enhanced Labeling when creating a monitor, you cannot later change the monitor to use legacy labeling.
Select each appropriate Monitoring Method. For more details on these options, see Monitoring methods for Windows and Linux endpoints.
Select both monitoring methods. For more information, see Monitoring methods for Windows and Linux endpoints.
Select Computer Groups from the drop-down list. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.
Manual computer groups are not supported in Integrity Monitor.
Be specific when defining computer groups for Integrity Monitor targeting. Monitor prioritization is used when computer groups overlap, but having specific non-overlapping computer groups for monitors results in a more predictable deployment.
If you are creating a monitor for Windows endpoints, and the watchlist you plan to use includes registry paths, you must select Install Tanium Driver. The Tanium Event Recorder Driver is required to record registry events in Windows.
When the Tanium Driver is first installed with a monitor deployment, Windows registry events are not recorded until targeted endpoints are rebooted. File events are recorded regardless of whether the Tanium Driver is installed, and file event recording functions normally before endpoints are rebooted.
- In the Watchlists section, select one or more watchlists. Only watchlists for the operating system you selected are shown.
- Click Create. Your new monitor and associated details are shown.
If you select Windows or Linux for the Operating System, select Event Monitoring, Hash Monitoring, or both.
You must use event monitoring to monitor Windows registry events.
Use Event Monitoring to monitor change events, such as create, write, delete, or rename, in real-time on files or Windows registry values in the specified watchlist. Event Monitoring can distinguish between similar types of changes, such as a rename versus a write and delete. This method also provides more information about a change, such as the associated user or process path. If you use Event Monitoring for Linux endpoints, you must configure the advanced settings for Maximum Endpoint Database Size, Auditd Raw Logging, and the CPU Kill Switch Threshold.
Use Hash Monitoring to monitor changes to the file hash or metadata at regular intervals in the specified watchlist. Hash Monitoring is required in some environments. An advantage to this method is that the file integrity can be verified even if a change event is missed. Auditd is not used with Hash Monitoring on Linux endpoints.
Use both monitoring methods. When you use both Event Monitoring and Hash Monitoring), you still see changes to files and registry values from Hash Monitoring even if the event recorder is down, and Event Monitoring provides the user and process path for events. Selecting both monitoring methods also avoids reporting events that indicate a change from the operating system but have no content or hash change.
Advanced settings for Linux endpoints
These settings apply only to Linux endpoints that use Client Recorder Extension 1.0. For more information about Client Recorder Extension and Integrity Monitor versions, see Upgrading to Integrity Monitor 2.0.
If you are creating an event monitor for Linux endpoints, expand the Advanced Settings section and configure the following settings:
Set the Maximum Endpoint Database Size. The default value for this field is 1024.
If you use Tanium™ Trace, and there is a different Maximum Endpoint Database Size set in Trace, the larger setting takes effect. To avoid this scenario, it is best to set the same size in both Integrity Monitor and Trace.
Choose one of the following settings for Auditd Raw Logging:
- Disable raw logging on endpoints: disables writing logs to disk. Use this setting for improved event throughput and lower CPU usage. Be sure that you do not have other, non-Tanium processes that depend on reading raw audit logs.
- Enable raw logging on endpoints: writes the raw logs to disk. This setting increases the audit log volume on the endpoint.
- Do not change the logging settings on endpoints: audit log settings remain as-is on the endpoint.
If you use Trace, and have different settings for Enable Auditd Raw Logging in Trace, the Trace setting takes effect. To avoid this conflict, it is best to use the same setting in both Integrity Monitor and Trace.
- You can enable and define the CPU Kill Switch Threshold. This value specifies the percent threshold for the CPU utilization kill switch for the recorder on endpoints using this monitor. If the CPU utilization of the recorder exceeds this value, the recorder stops. The default value for this field is 25%.
Prioritize monitors when two or more monitors include the same endpoint(s) in the computer groups for each monitor. In the case of such a conflict, the highest priority monitor is the one that is deployed to that endpoint.
To prioritize monitors
- On the Monitors page, click Prioritize.
- The monitors appear in the Prioritize Monitors window. Drag monitors into the order you want to prioritize them.
- Click Cancel to go back to the original order of priority. Click Save to save your changes.
- When you re-prioritize monitors, the Deploy Monitors button appears again. Click Deploy Monitors to redeploy monitors in the new prioritized order.
- After you create a monitor, click Deploy Monitors to see results.
- In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors are deployed.
When you deploy a monitor, you deploy all monitors. When you take an action on monitors (such as creating, modifying, or reprioritizing monitors) you are prompted to deploy all monitors. For best results, create all planned monitors and then deploy them all at once.
Monitors are automatically redeployed when the Integrity Monitor module is upgraded in TaaS, which could occur without prior notice. If you have not yet deployed a newly created monitor, it is automatically deployed if the module is upgraded before you manually deploy it.
Deploying a monitor that uses legacy labeling to an endpoint to which a monitor that uses enhanced labeling has previously been deployed is not supported. Migration is intended to occur only from legacy labeling to enhanced labeling. As a best practice, avoid this condition when reprioritizing monitors or modifying and redeploying monitors. Deploying legacy labeling to an endpoint that is using enhanced labeling due to a previous deployment might require removal and redeployment of Integrity Monitor tools on endpoints. For more information about removing Integrity Monitor tools, see Remove Integrity Monitor tools from endpoints, and consult your Technical Account Manager (TAM) for information about best practices.
Use the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Interact to check the status of the deployed monitor on endpoints.
Refer to Reference: Endpoint monitoring status errors if you receive error messages when checking the status of the monitoring of endpoints using this sensor.
- When you click on a monitor on either the Integrity Monitor Home page or the Monitors page, you can edit that monitor by clicking Edit.
- After editing a monitor, a Changes Pending: Deploy Monitors to Endpoints banner displays on the Integrity Monitor Home page and NEEDS DEPLOYMENT displays next to the monitor on the Monitors page. Click Deploy Now on the Integrity Monitor Home page or Deploy Monitors on the Monitors page.
If you edit a monitor that currently uses legacy labeling to use enhanced labeling, you cannot change it back to legacy labeling, and any rules assigned to that monitor are also migrated to enhanced labeling.
In Integrity Monitor 2.4 or later, you can update monitors that use legacy labeling (which include any monitors that existed before an upgrade to Integrity Monitor 2.4 or later) to enhanced labeling. For more information about legacy labeling and enhanced labeling, see Legacy labeling and enhanced labeling.
If you update a monitor to use enhanced labeling, you cannot change it back to legacy labeling.
On the Monitors page, select the check box beside each monitor that you want to update from using legacy labeling to using enhanced labeling, and click Update Labeling.
- Acknowledge the information in the confirmation dialog to complete the update.
- After updating monitors, a Changes Pending: Deploy Monitors to Endpoints banner displays on the Integrity Monitor Home page and NEEDS DEPLOYMENT displays next to the monitor on the Monitors page. Click Deploy Now on the Integrity Monitor Home page or Deploy Monitors on the Monitors page.
- If any rules were assigned to the monitors you updated, those rules are also updated to use enhanced labeling. A Changes Pending: Deploy Rules to Endpoints banner displays on the Integrity Monitor Home page and NEEDS DEPLOYMENT displays next to the rule on the Rules page. Click Deploy Now on the Integrity Monitor Home page or Deploy Rules on the Rules page.
Due to differences in the functionality between legacy labeling and enhanced labeling, updating a monitor to enhanced labeling results in the following changes:
- Existing rules assigned to the monitor are also updated to use enhanced labeling.
- The Label History tab is removed, and the label history connector (if enabled) is removed.
- The Reports tab is removed.
- Manual labeling controls are removed.
- Any existing labels are removed from events. However, any migrated rules apply enhanced labels to new events as they are recorded.
Last updated: 7/7/2020 5:39 PM | Feedback