Working with monitors

Use monitors to deploy watchlists to endpoints for continuous recording of file events using monitors.

Create a new monitor

  1. Select Monitors from the Integrity Monitor menu.
  2. On the Monitors page, click Create a New Monitor.
  3. In the Details section on the Create Monitor page, enter a Name and Description for the new monitor.
  4. In the Targeting section, select the Operating System.
  5. Select Computer Groups from the drop-down list. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.
  6. If you select a computer group that contains Windows endpoints with operating systems that do not match the operating system mode you selected (standard or legacy), then these endpoints will not be monitored.

  7. If you select Linux for the Operating System, select Event Monitoring, Hash Monitoring, or both.

    Event Monitoring

    Use Event Monitoring to monitor change events, such as create, write, delete, or rename, in real-time on files in the specified watchlist. Event Monitoring can distinguish between similar types of changes, such as a rename versus a write and delete. This method also provides more information about a change, such as the associated user or process path. If you use Event Monitoring, you must configure the advanced settings for Maximum Endpoint Database Size, Auditd Raw Logging, and the CPU Kill Switch Threshold.

    Hash Monitoring

    Use Hash Monitoring to monitor changes to the file hash or metadata at regular intervals in the specified watchlist. Hash Monitoring is required in some environments. An advantage to this method is that the file integrity can be verified even if a change event is missed. Auditd is not used with Hash Monitoring.

    Selecting both Event Monitoring and Hash Monitoring

    If you select this hybrid monitoring mode (both Event Monitoring and Hash Monitoring), you will still see changes to files from Hash Monitoring even when the event recorder is down. Hash Monitoring alone will not report the associated user or process path for an event. Selecting a hybrid monitoring mode will also avoid reporting events that indicate a change from the operating system but have no content or file hash change.

  8. If you are creating an event monitor for Linux endpoints, expand the Advanced Settings section and configure the following settings:

    1. Set the Maximum Endpoint Database Size. The default value for this field is 1024.

      If you use Tanium™ Trace, and there is a different Maximum Endpoint Database Size set in Trace, the larger setting will take effect. To avoid this scenario, it is best to set the same size in both Integrity Monitor and Trace.

    2. Choose one of the following settings for Auditd Raw Logging:

      • Disable raw logging on endpoints: disables writing logs to disk. Use this setting for improved event throughput and lower CPU usage. Be sure that you do not have other, non-Tanium processes that depend on reading raw audit logs.
      • Enable raw logging on endpoints: writes the raw logs to disk. This setting increases the audit log volume on the endpoint.
      • Do not change the logging settings on endpoints: audit log settings remain as-is on the endpoint.

      If you use Trace, and have different settings for Enable Auditd Raw Logging in Trace, the Trace setting will take effect. To avoid this conflict, it is best to use the same setting in both Integrity Monitor and Trace.

    3. You can enable and define the CPU Kill Switch Threshold. This value specifies the percent threshold for the CPU utilization kill switch for the recorder on endpoints using this monitor. If the CPU utilization of the recorder exceeds this value, the recorder will stop. The default value for this field is 25%.
  9. In the Watchlists section, select one or more watchlists. Only watchlists for the operating system you selected are shown.
  10. Click Create. Your new monitor and associated details are shown.

Prioritize monitors

Prioritize monitors when two or more monitors include the same endpoint(s) in the computer groups for each monitor. In the case of such a conflict, the highest priority monitor is the one that is deployed to that endpoint.

To prioritize monitors

  1. On the Monitors page, click Prioritize.
  2. The monitors will appear in the Prioritize Monitors window. Drag monitors into the order you want to prioritize them.

  3. Click Cancel to go back to the original order of priority. Click Save to save your changes.
  4. When you re-prioritize monitors, the Deploy Monitors button will appear again. Click Deploy Monitors to redeploy monitors in the new prioritized order.

Deploy monitors

  1. After you have created a monitor, click Deploy Monitors to see results.
  2. In the Confirm Deploy window, click Yes. If you have more than one monitor, all monitors will be deployed.

When you deploy a monitor, you deploy all monitors. Whenever you take an action on monitors (such as creating, modifying, re-prioritizing monitors) you will be prompted to deploy all monitors. It is a best practice to create the monitors you know you need and then deploy them at once.

Check status of deployed monitors

Use the Get Integrity Monitor Endpoint Tools Status and Computer name from all machines sensor in Tanium™ Interact to check the status of the deployed monitor on endpoints.

Figure  1:  Deployed Monitor Status

Refer to Troubleshooting if you receive error messages when checking the status of the monitoring of endpoints using this sensor.

Edit monitors

  1. When you click on a monitor on either the Integrity Monitor home page or the Monitors page, you can edit that monitor by clicking Edit in the top right of the page.
  2. After editing a monitor, a Changes Pending: Deploy Monitors to Endpoints banner displays on the Integrity Monitor home page and NEEDS DEPLOYMENT displays next to the monitor on the Monitors page. Click Deploy Now on the Integrity Monitor home page or Deploy Monitors on the Monitors page.

Understand the differences between standard and legacy monitoring

Standard Windows and Windows (Legacy)

  • Windows NT 6.0 (Windows Server 2008 / Windows Vista) or older are considered legacy and do not support real-time monitoring of file change events.

  • Index on legacy endpoints runs in platform-independent mode, which means it does not find file change events in real-time — it notices the changes to files the next time it performs a full-disk indexing scan. The amount of time it takes to complete an indexing scan depends on how many files and directories there are on the disk. When Index finishes a scan, it will sleep for the amount of time specified in RescanInterval in the config.ini file; then it will start the next scan.
  • Index does not detect rename events in platform-independent mode. Rename events will show up as a file delete of the old name and a file create with the new name.
  • On legacy endpoints, since Index is performing a full disk scan rather than consuming real-time events, the timestamp in the results grid is the time that the file event was noticed during the scan, not the time of the actual change.
  • Legacy monitoring does not record event user or process path.
  • Index on legacy endpoints will cause the ExcludeFromIndexing setting in Index to be ignored. The ExcludeFromHashing setting in Index will work as expected.

See Tanium™ Incident Response User Guide: Customize Index endpoint settings for more information on the referenced Index settings.

AIX and Solaris

Legacy operating systems do not support real-time monitoring of file change events.

Last updated: 3/7/2019 10:57 AM | Feedback