Working with monitors

Use monitors to deploy watchlists to endpoints for continuous recording of file events.

Create a new monitor

  1. Select Monitors from the Integrity Monitor menu.
  2. On the Monitors page, click Create a New Monitor.
  3. In the Details section on the Create Monitor page, enter a Name and Description for the new monitor.
  4. In the Targeting section, select the Operating System. If you selected Windows or Linux, select a Monitoring Method. See Monitoring methods for Windows and Linux endpoints for details on these options.
  5. Select Computer Groups from the drop-down list. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.
  6. In the Watchlists section, select one or more watchlists. Only watchlists for the operating system you selected are shown.
  7. Click Create. Your new monitor and associated details are shown.

Monitoring methods for Windows and Linux endpoints

If you select Windows or Linux for the Operating System, select Event Monitoring, Hash Monitoring, or both.

Event Monitoring

Use Event Monitoring to monitor change events, such as create, write, delete, or rename, in real time on files in the specified watchlist. Event Monitoring can distinguish between similar types of changes, such as a rename versus a write and delete. This method also provides more information about a change, such as the associated user or process path. If you use Event Monitoring for Linux endpoints, you must configure the advanced settings for Maximum Endpoint Database Size, Auditd Raw Logging, and the CPU Kill Switch Threshold.

Hash Monitoring

Use Hash Monitoring to monitor changes to the file hash or metadata at regular intervals in the specified watchlist. Hash Monitoring is required in some environments. An advantage to this method is that the file integrity can be verified even if a change event is missed. Auditd is not used with Hash Monitoring on Linux endpoints.

Selecting both Event Monitoring and Hash Monitoring

If you select this hybrid monitoring mode (both Event Monitoring and Hash Monitoring), you will still see changes to files from Hash Monitoring even when the event recorder is down. Hash Monitoring alone will not report the associated user or process path for an event. Selecting a hybrid monitoring mode will also avoid reporting events that indicate a change from the operating system but have no content or file hash change.
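
The following added example (not Tanium code and not part of the original documentation) sketches how a hybrid mode like the one described above can combine recorder events with a periodic hash comparison. The event fields, file names, and function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """One hash-monitoring pass: path -> SHA-256 hex digest (None if missing)."""
    digests = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                digests[path] = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            digests[path] = None
    return digests

def reconcile(baseline, current, events):
    """Merge recorder events with a hash comparison (hypothetical hybrid logic)."""
    changed = {p for p in current if baseline.get(p) != current[p]}
    findings, attributed = [], set()
    for ev in events:
        if ev["path"] in changed:  # event confirmed by a hash change
            findings.append((ev["path"], "event+hash", ev["user"], ev["process"]))
            attributed.add(ev["path"])
        # else: the OS reported a change but the content is identical; drop it
    for path in sorted(changed - attributed):  # change the recorder missed
        findings.append((path, "hash-only", None, None))
    return findings

def demo():
    """Constructed scenario: three watched files, one changed with no event."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, n) for n in ("a.conf", "b.conf", "c.conf")]
        for p in paths:
            with open(p, "w") as fh:
                fh.write("setting=1\n")
        baseline = snapshot(paths)
        for p, text in zip(paths, ("setting=2\n", "setting=3\n", "setting=1\n")):
            with open(p, "w") as fh:
                fh.write(text)
        events = [  # constructed events; none exists for b.conf (recorder down)
            {"path": paths[0], "op": "write", "user": "root", "process": "/usr/bin/vi"},
            {"path": paths[2], "op": "write", "user": "root", "process": "/usr/bin/touch"},
        ]
        found = reconcile(baseline, snapshot(paths), events)
        return [(os.path.basename(p), src, user) for p, src, user, _ in found]

if __name__ == "__main__":
    print(demo())
```

In this scenario a.conf is reported with its user and process, b.conf is reported from the hash comparison alone, and the rewrite of c.conf with identical content is not reported.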

Advanced settings for Linux endpoints

These settings apply only to Linux endpoints that use Client Recorder Extension 1.0. For more information about Client Recorder Extension and Integrity Monitor versions, see Upgrading to Integrity Monitor 2.0.

If you are creating an event monitor for Linux endpoints, expand the Advanced Settings section and configure the following settings:

  1. Set the Maximum Endpoint Database Size. The default value for this field is 1024.

    If you use Tanium™ Trace, and there is a different Maximum Endpoint Database Size set in Trace, the larger setting will take effect. To avoid this scenario, it is best to set the same size in both Integrity Monitor and Trace.

  2. Choose one of the following settings for Auditd Raw Logging:

    • Disable raw logging on endpoints: disables writing logs to disk. Use this setting for improved event throughput and lower CPU usage. Be sure that you do not have other, non-Tanium processes that depend on reading raw audit logs.
    • Enable raw logging on endpoints: writes the raw logs to disk. This setting increases the audit log volume on the endpoint.
    • Do not change the logging settings on endpoints: audit log settings remain as-is on the endpoint.

    If you use Trace, and have different settings for Enable Auditd Raw Logging in Trace, the Trace setting will take effect. To avoid this conflict, it is best to use the same setting in both Integrity Monitor and Trace.

  3. You can enable and define the CPU Kill Switch Threshold. This value specifies the percent threshold for the CPU utilization kill switch for the recorder on endpoints using this monitor. If the CPU utilization of the recorder exceeds this value, the recorder will stop. The default value for this field is 25%.

Prioritize monitors

Prioritize monitors when the computer groups of two or more monitors include the same endpoints. When such a conflict occurs, the highest-priority monitor is the one that is deployed to that endpoint.

To prioritize monitors

  1. On the Monitors page, click Prioritize.
  2. The monitors appear in the Prioritize Monitors window. Drag the monitors into the priority order that you want.
  3. Click Cancel to go back to the original order of priority. Click Save to save your changes.
  4. When you re-prioritize monitors, the Deploy Monitors button will appear again. Click Deploy Monitors to redeploy monitors in the new prioritized order.
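
The following added example (not Tanium code and not part of the original documentation) applies the conflict rule described in this section to find endpoints where a lower-priority monitor's watchlists are not applied. The monitor, endpoint, and watchlist names are constructed, and the data layout is an assumption.

```python
def resolve(monitors):
    """monitors: list ordered highest priority first; each entry has a name,
    a set of endpoints, and a set of watchlists (hypothetical layout).
    Returns endpoint -> (deployed monitor name, watchlists not applied there)."""
    state = {}
    for mon in monitors:
        for ep in mon["endpoints"]:
            if ep not in state:
                # First (highest-priority) monitor that targets this endpoint wins.
                state[ep] = {"deployed": mon["name"],
                             "active": set(mon["watchlists"]),
                             "dropped": set()}
            else:
                # A lower-priority monitor also targets it; record what is lost.
                state[ep]["dropped"] |= mon["watchlists"] - state[ep]["active"]
    return {ep: (s["deployed"], sorted(s["dropped"])) for ep, s in state.items()}

def coverage_gaps(monitors):
    """Endpoints where at least one watchlist is left out by prioritization."""
    return {ep: dropped for ep, (_, dropped) in resolve(monitors).items() if dropped}

# Constructed monitors, listed in priority order (highest first).
MONITORS = [
    {"name": "PCI servers", "endpoints": {"web01", "db01"},
     "watchlists": {"PCI config"}},
    {"name": "All Linux", "endpoints": {"web01", "db01", "build01"},
     "watchlists": {"Linux baseline", "PCI config"}},
]

if __name__ == "__main__":
    for endpoint, missing in sorted(coverage_gaps(MONITORS).items()):
        print(endpoint, "is missing", missing)
```

Running a check like this before saving a new order shows which watchlists must be added to the higher-priority monitor to keep the same coverage.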

Deploy monitors

  1. After you create a monitor, click Deploy Monitors to see results.
  2. In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors are deployed.

When you deploy a monitor, you deploy all monitors. When you take an action on monitors (such as creating, modifying, or reprioritizing monitors) you will be prompted to deploy all monitors. For best results, create the monitors you know you need and then deploy them all at once.

Check the status of deployed monitors

Use the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Tanium™ Interact to check the status of the deployed monitor on endpoints.

Refer to Reference: Endpoint monitoring status errors if you receive error messages when checking the status of the monitoring of endpoints using this sensor.

Edit monitors

  1. Click a monitor on either the Integrity Monitor Home page or the Monitors page, and then click Edit.
  2. After editing a monitor, a Changes Pending: Deploy Monitors to Endpoints banner displays on the Integrity Monitor Home page and NEEDS DEPLOYMENT displays next to the monitor on the Monitors page. Click Deploy Now on the Integrity Monitor Home page or Deploy Monitors on the Monitors page.