Working with monitors
Use monitors to deploy watchlists to endpoints for continuous recording of file events.
- Select Monitors from the Integrity Monitor menu.
- On the Monitors page, click Create a New Monitor.
- In the Details section on the Create Monitor page, enter a Name and Description for the new monitor.
- In the Targeting section, select the Operating System and Monitoring Method. See Windows and Linux for details on these options.
- Select Computer Groups from the drop-down list. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.
- In the Watchlists section, select one or more watchlists. Only watchlists for the operating system you selected are shown.
- Click Create. Your new monitor and associated details are shown.
If you select a computer group that contains Windows endpoints with operating systems that do not match the operating system mode you selected (standard or legacy), then these endpoints will not be monitored.
If you select Windows for the Operating System, select Event Monitoring or Hash Monitoring.
Use Event Monitoring to monitor change events, such as create, write, delete, or rename, in real-time on files in the specified watchlist. Event Monitoring can distinguish between similar types of changes, such as a rename versus a write and delete. This method also provides more information about a change, such as the associated user or process path.
Use Hash Monitoring to monitor changes to the file hash or metadata at regular intervals in the specified watchlist. Hash Monitoring is required in some environments. An advantage to this method is that the file integrity can be verified even if a change event is missed.
If you select Linux for the Operating System, select Event Monitoring, Hash Monitoring, or both.
Use Event Monitoring to monitor change events, such as create, write, delete, or rename, in real-time on files in the specified watchlist. Event Monitoring can distinguish between similar types of changes, such as a rename versus a write and delete. This method also provides more information about a change, such as the associated user or process path. If you use Event Monitoring, you must configure the advanced settings for Maximum Endpoint Database Size, Auditd Raw Logging, and the CPU Kill Switch Threshold.
Use Hash Monitoring to monitor changes to the file hash or metadata at regular intervals in the specified watchlist. Hash Monitoring is required in some environments. An advantage to this method is that the file integrity can be verified even if a change event is missed. Auditd is not used with Hash Monitoring.
Selecting both Event Monitoring and Hash Monitoring
If you select this hybrid monitoring mode (both Event Monitoring and Hash Monitoring), you will still see changes to files from Hash Monitoring even when the event recorder is down. Hash Monitoring alone will not report the associated user or process path for an event. Selecting a hybrid monitoring mode will also avoid reporting events that indicate a change from the operating system but have no content or file hash change.
If you are creating an event monitor for Linux endpoints, expand the Advanced Settings section and configure the following settings:
Set the Maximum Endpoint Database Size. The default value for this field is 1024.
If you use Tanium™ Trace, and there is a different Maximum Endpoint Database Size set in Trace, the larger setting will take effect. To avoid this scenario, it is best to set the same size in both Integrity Monitor and Trace.
Choose one of the following settings for Auditd Raw Logging:
- Disable raw logging on endpoints: disables writing logs to disk. Use this setting for improved event throughput and lower CPU usage. Be sure that you do not have other, non-Tanium processes that depend on reading raw audit logs.
- Enable raw logging on endpoints: writes the raw logs to disk. This setting increases the audit log volume on the endpoint.
- Do not change the logging settings on endpoints: audit log settings remain as-is on the endpoint.
If you use Trace, and have different settings for Enable Auditd Raw Logging in Trace, the Trace setting will take effect. To avoid this conflict, it is best to use the same setting in both Integrity Monitor and Trace.
You can enable and define the CPU Kill Switch Threshold. This value is the CPU utilization percentage at which the recorder's kill switch trips on endpoints that use this monitor: if the recorder's CPU utilization exceeds this value, the recorder stops. The default value for this field is 25%.
Prioritize monitors when two or more monitors target computer groups that include the same endpoint(s). When such a conflict occurs, the monitor with the highest priority is the one that is deployed to that endpoint.
To prioritize monitors
- On the Monitors page, click Prioritize.
- The monitors appear in the Prioritize Monitors window. Drag them into the order in which you want them prioritized.
- Click Cancel to go back to the original order of priority. Click Save to save your changes.
- When you re-prioritize monitors, the Deploy Monitors button will appear again. Click Deploy Monitors to redeploy monitors in the new prioritized order.
- After you have created a monitor, click Deploy Monitors to see results.
- In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors will be deployed.
When you deploy a monitor, you deploy all monitors. Whenever you take an action on monitors (such as creating, modifying, re-prioritizing monitors) you will be prompted to deploy all monitors. It is a best practice to create the monitors you know you need and then deploy them at once.
Use the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Tanium™ Interact to check the status of the deployed monitor on endpoints.
Refer to Troubleshooting if you receive error messages when checking the status of the monitoring of endpoints using this sensor.
- When you click on a monitor on either the Integrity Monitor home page or the Monitors page, you can edit that monitor by clicking Edit in the top right of the page.
- After editing a monitor, a Changes Pending: Deploy Monitors to Endpoints banner displays on the Integrity Monitor home page and NEEDS DEPLOYMENT displays next to the monitor on the Monitors page. Click Deploy Now on the Integrity Monitor home page or Deploy Monitors on the Monitors page.
Standard Windows and Windows (Legacy)
|Feature||Standard Windows||Legacy Windows|
|Real-time monitoring with Tanium Recorder|
|Interval hash based monitoring with Tanium Index|
|Records user and process path|
|Detects rename events|
|Event timestamp of actual change|
Integrity Monitor behaviors on Legacy Windows with Tanium Index
Integrity Monitor runs in platform-independent mode, in which it does not detect file change events in real time. It detects changes to files the next time it performs a full-disk indexing scan. The time it takes to complete an indexing scan depends on how many files and directories are on the disk. When Index finishes a scan, it sleeps for the default time of one hour. If you wish to change this setting, consult with your TAM.
Integrity Monitor does not detect rename events in platform-independent mode. Rename events will show up as a file delete of the old name and a file create with the new name.
The timestamp of events in the results grid is the time that the file event was detected during the scan, not the time of the actual change.
Integrity Monitor does not record the event user or process path.
Integrity Monitor causes the ExcludeFromIndexing setting in Index to be ignored. The ExcludeFromHashing setting in Index will work as expected.
See Tanium™ Incident Response User Guide: Customize Index endpoint settings for more information on the referenced Index settings.
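To make the difference between interval hash monitoring and real-time event monitoring concrete, here is an added Python example (not Tanium code) of a minimal interval hash scan over a watchlist directory. It shows why a rename surfaces as a delete plus a create when there is no real-time event (as on Legacy Windows above), and why comparing content hashes lets a scan suppress metadata-only changes that an OS event would otherwise report (the hybrid-mode point in the Linux section). The watchlist directory and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    # Content hash; a metadata-only change (mtime, owner) leaves this value unchanged.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    # One interval scan: relative path -> (content hash, mtime, size) for every file under root.
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            snap[os.path.relpath(p, root)] = (hash_file(p), int(st.st_mtime), st.st_size)
    return snap

def diff_snapshots(before, after, include_metadata_only=False):
    # Compare two scans. A renamed file has no identity across scans, so it shows up as
    # delete + create. Same-hash changes (mtime/size only) are reported only if requested.
    events = []
    for p in sorted(set(before) | set(after)):
        if p not in before:
            events.append(("create", p))
        elif p not in after:
            events.append(("delete", p))
        elif before[p][0] != after[p][0]:
            events.append(("write", p))
        elif before[p][1:] != after[p][1:] and include_metadata_only:
            events.append(("metadata", p))
    return events

def demo():
    # Constructed scenario: baseline scan, then a rename, a content edit and an mtime-only touch.
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.conf", b"alpha"), ("b.conf", b"bravo"), ("c.conf", b"charlie")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        base = snapshot(root)
        os.rename(os.path.join(root, "a.conf"), os.path.join(root, "a.bak"))  # rename
        with open(os.path.join(root, "b.conf"), "wb") as f:
            f.write(b"bravo-changed")                                         # content change
        os.utime(os.path.join(root, "c.conf"), (0, 0))                        # mtime only, hash unchanged
        later = snapshot(root)
        return diff_snapshots(base, later), diff_snapshots(base, later, include_metadata_only=True)
```

Note that the scan cannot attribute any of these events to a user or process, which is exactly the information that only the real-time recorder supplies.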
AIX and Solaris
Legacy operating systems do not support real-time monitoring of file change events.
Last updated: 7/9/2019 12:28 PM