Working with monitors

Use monitors to deploy watchlists to endpoints for continuous recording of file events.

Create a new monitor

  1. Select Monitors from the Integrity Monitor menu.
  2. On the Monitors page, click Create a New Monitor.
  3. In the Details section on the New Monitor page, enter a Name and Description for the new watchlist.
  4. Select the Operating System.
  5. Select Target Computer Groups from the drop-down lists. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.
  6. If you select a computer group that contains Windows endpoints with operating systems that do not match the Mode you selected, then these endpoints will not be monitored.

  7. If you select Linux for the Operating System, you can define Advanced Settings.
  8. You can set the Maximum Endpoint Database Size. The default value for this field is 1024.

    If you use Tanium™ Trace, and there is a different Maximum Endpoint Database Size set in Trace, the larger setting will take effect. To avoid this scenario, it is best to set the same size in both Integrity Monitor and Trace.

  9. You can choose one of the following settings for Auditd Raw Logging under Advanced Settings for Linux.

    • Disable raw logging on endpoints using this monitor: disables writing logs to disk. Use this setting for improved event throughput and lower CPU usage. Be sure that you do not have other, non-Tanium processes that depend on reading raw audit logs.
    • Enable raw logging on endpoints using this monitor: writes the raw logs to disk. This setting increases the audit log volume on the endpoint.
    • Do not change the logging settings on endpoints using this monitor: audit log settings remain as-is on the endpoint.

    If you use Trace, and have different settings for Enable Auditd Raw Logging in Trace, the Trace setting will take effect. To avoid this conflict, it is best to use the same setting in both Integrity Monitor and Trace.

  10. You can enable and define the CPU Kill Switch Threshold. This value specifies the percent threshold for the CPU utilization kill switch for the recorder on endpoints using this monitor. If the CPU utilization of the recorder exceeds this value, the recorder will stop. The default value for this field is 25%.
  11. In the Watchlists section, select one or more watchlists. Only watchlists for the operating system you selected are shown.
  12. Click Create. Your new monitor and associated details are shown.

Prioritize monitors

Prioritize monitors when two or more monitors include the same endpoint(s) in the computer groups for each monitor. In the case of such a conflict, the highest priority monitor is the one that is deployed to that endpoint.

To prioritize monitors

  1. On the monitors page, click Prioritize.
  2. The monitors will appear in the Prioritize Monitors window. Drag monitors into the order you want to prioritize them.
  3. Click Reset to go back to the original order of priority. Click Save to save your changes.
  4. When you re-prioritize monitors, the Deploy Monitors button will appear again. Click Deploy Monitors to redeploy monitors in the new prioritized order.

Deploy monitors

  1. Once you have created a monitor, click Deploy Monitors to see results.
  2. In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors will be deployed.

When you deploy a monitor, you deploy all monitors. Whenever you take an action on monitors (such as creating, modifying, or re-prioritizing monitors), you will be prompted to deploy all monitors. It is a best practice to create the monitors you know you need and then deploy them at once.

Check status of deployed monitors

Use the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Tanium™ Interact to check the status of the deployed monitor on endpoints.

Figure 1: Deployed Monitor Status

Refer to Troubleshooting if you receive error messages when checking the status of the monitoring of endpoints using this sensor.

Edit monitors

  1. When you click on a monitor on either the Home page or the Monitors page, you can edit that monitor by clicking Edit in the top right of the page.
  2. After editing a monitor, NEEDS DEPLOYMENT will appear next to the monitor on the Home page. Click Deploy Monitors.

Understand the differences between standard and legacy mode monitoring

Standard Windows and Windows (Legacy)

  • Endpoints running Windows NT 6.0 (Windows Server 2008 / Windows Vista) or older are considered legacy and do not support real-time monitoring of file change events.

  • Index on legacy endpoints runs in platform-independent mode, which means it does not find file change events in real-time — it notices the changes to files the next time it performs a full-disk indexing scan. The amount of time it takes to complete an indexing scan depends on how many files and directories there are on the disk. When Index finishes a scan, it sleeps for the amount of time specified in RescanInterval in the config.ini file, and then starts the next scan.
  • Index does not detect rename events in platform-independent mode. Rename events will show up as a file delete of the old name and a file create with the new name.
  • On legacy endpoints, since Index is performing a full disk scan rather than consuming real-time events, the timestamp in the results grid is the time that the file event was noticed during the scan, not the time of the actual change.
  • Legacy mode does not record event user or process path.
  • On legacy endpoints, Index ignores its ExcludeFromIndexing setting. Index’s ExcludeFromHashing setting works as expected.

See Tanium™ Incident Response User Guide: Customize Index endpoint settings for more information on the referenced Index settings.
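The scan-based behavior described in the bullets above, as an added illustration in Python (not Tanium Index code and not part of the original page): two full scans are compared, so a rename surfaces as a delete plus a create, and every event is stamped with the time the scan noticed it. The function names, the constructed sample files, and the hash-pairing heuristic in `probable_renames` are assumptions made here to show how an analyst could reconstruct likely renames when triaging legacy-mode events.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def snapshot(root):
    """One full scan: map each relative path to the SHA-256 of its contents."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            state[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def diff(prev, curr, noticed_at):
    """Compare two scans; every event carries the scan time, not the change time."""
    def ev(kind, path, digest):
        return {"type": kind, "path": path, "hash": digest, "time": noticed_at}
    events = [ev("delete", p, prev[p]) for p in sorted(prev.keys() - curr.keys())]
    events += [ev("create", p, curr[p]) for p in sorted(curr.keys() - prev.keys())]
    events += [ev("modify", p, curr[p]) for p in sorted(prev.keys() & curr.keys())
               if prev[p] != curr[p]]
    return events


def probable_renames(events):
    """Pair each delete with a same-hash create; identical-content files can mis-pair."""
    deleted = {}
    for e in events:
        if e["type"] == "delete":
            deleted.setdefault(e["hash"], []).append(e["path"])
    return [(deleted[e["hash"]].pop(0), e["path"]) for e in events
            if e["type"] == "create" and deleted.get(e["hash"])]


def demo():
    """Constructed sample: one rename and one edit between two scans."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "hosts").write_bytes(b"127.0.0.1 localhost\n")
        Path(root, "app.conf").write_bytes(b"debug=0\n")
        before = snapshot(root)
        Path(root, "hosts").rename(Path(root, "hosts.bak"))
        Path(root, "app.conf").write_bytes(b"debug=1\n")
        events = diff(before, snapshot(root), noticed_at=time.time())
    return events, probable_renames(events)


if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

A file that is both renamed and modified between two scans will not pair, because its hash changes; treat unpaired delete and create events as independent changes.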

AIX (Legacy) and Solaris (Legacy)

Legacy operating systems do not support real-time monitoring of file change events. Legacy mode enables monitoring of platforms that do not support real-time monitoring.

Last updated: 9/5/2018 9:52 AM