Integrity Monitor overview

With Integrity Monitor, you can simplify regulatory compliance for your enterprise by consolidating tools, and you can accomplish the following tasks:

  • Continuously monitor critical operating system (OS), application, and log files, and critical Windows registry paths.
  • Deploy continuous monitoring for common or new attack vectors to any dynamic group of computers or across the enterprise.
  • Go from alert to active investigation using other modules on the Tanium platform. Automatically send emails to open incidents for suspicious events in incident response systems with Tanium™ Connect.
  • Automatically identify approved events based on change requests or tasks by integrating with ServiceNow Change Management.
  • Automatically send events to Security Information and Event Management (SIEM) solutions; Security Orchestration, Automation and Response (SOAR) solutions; and other data lakes or log solutions for analysis and auditing with Tanium™ Connect.

Event monitoring

In watchlists, specify the files, directories, or Windows registry paths that you want to monitor for changes. Then, use monitors to define how these watchlists are deployed to endpoints. After you create and deploy monitors, Integrity Monitor monitors events on the included endpoints.

Event labels

Label events to indicate which events are expected or planned and which events might need investigation or remediation. Create rules to automatically label events, which can help you identify events of concern.

Integration with IT workflows

When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow. You can then determine which events are authorized and filter out events within authorized change windows.

Integration with other Tanium products

Tanium™ Connect

If you are using basic labeling, Integrity Monitor can send events to Connect. You can send notifications about these events to destinations such as email, a SIEM or SOAR solution, or a file by creating a connection in Connect.

If you are using enhanced labeling, you can access events from Integrity Monitor in Connect using saved questions.

In Tanium Connect 5.8.54 and later, you can configure Integrity Monitor as a connection source to export watchlist data to Connect.

For more information about Connect, see Tanium Connect User Guide: Connect overview.

Tanium™ Trends

Integrity Monitor has built-in integration with Trends for additional reporting of related data. Integrity Monitor features Trends boards that provide data visualization of Integrity Monitor concepts.

Integrity Monitor - Deployment

The Integrity Monitor - Deployment board displays information about deployed monitors and Integrity Monitor tools installed on endpoints. The following panels are in the Integrity Monitor - Deployment board:

  • Tools Installations
  • Endpoint Tools Status
  • Server Coverage

Integrity Monitor - Effectiveness

The Integrity Monitor - Effectiveness board displays information about the effectiveness of Integrity Monitor based on change events on endpoints. The following panels are in the Integrity Monitor - Effectiveness board:

  • Events by Change Type
  • Events by File Path
  • Events by Label
  • Events by ServiceNow Change Ticket
  • Top Users - All Changes
  • Top Users - Unexpected Changes
  • Event Count by Endpoint
  • Mean Unexpected Change Events per Endpoint
  • Expected vs Unexpected Change Events

Integrity Monitor - Operationalization

The Integrity Monitor - Operationalization board displays information about the endpoints that are currently monitored, grouped by operating system or path style. The following panels are in the Integrity Monitor - Operationalization board:

  • Monitored Endpoints
  • Monitors by OS
  • Watchlists by Path Style

For more information about how to import the Trends boards that are provided by Integrity Monitor, see Tanium Trends User Guide: Importing the initial gallery.