Integrity Monitor overview

With Integrity Monitor, you can simplify regulatory compliance for your enterprise by consolidating tools and accomplish the following tasks:

• Continuously monitor critical operating system (OS), application, and log files, and critical Windows registry paths.
• Deploy continuous monitoring for common or new attack vectors to any dynamic group of computers or across the enterprise.
• Go from alert to active investigation using other modules on the Tanium platform. Automatically send emails to open incidents for suspicious events in incident response systems with Tanium™ Connect.
• Automatically identify approved events based on change requests or tasks by integrating with ServiceNow Change Management.
• Automatically send events to Security Information and Event Management (SIEM) solutions; Security Orchestration, Automation and Response (SOAR) solutions; and other data lakes or log solutions for analysis and auditing with Tanium™ Connect.

File and registry monitoring

Define scan settings for computer groups using monitors. Then, use watchlists to specify files, directories, or Windows registry paths that you want to monitor for changes, and target the endpoints where Integrity Monitor should watch those items. After you create and deploy watchlists and monitors, Integrity Monitor records events on the included endpoints.

All monitors perform hash monitoring for files included in specified watchlists. Hash monitoring uses periodic file index scans to check for changes to the file hash or metadata of files. Hash monitoring uses the Tanium™ Client Index Extension. For more information about how indexing works, see Tanium Client Index Extension User Guide.

On Windows or Linux endpoints, you can optionally perform event monitoring as well. Event monitoring records real-time change events, such as create, write, delete, or rename, for files or Windows registry values in specified watchlists. This method records the specific operation and the associated user or process path. Event monitoring uses the Tanium™ Client Recorder Extension. For more information about how recording of event data works, see Tanium Client Recorder Extension User Guide.

Rules and labels

Create rules to automatically label events, which can help you identify events of concern. Labels can indicate events that are expected or planned, or which events might need investigation or remediation.

Integration with IT workflows

When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow. You can then determine which events are authorized and filter out events within authorized change windows.

Interoperability with other Tanium products

Tanium™ Connect

You can access events from Integrity Monitor in Connect using saved questions.

In Tanium Connect 5.8.54 and later, you You can also configure Integrity Monitor as a connection source to export watchlist data to Connect.

For more information about Connect, see Tanium Connect User Guide: Connect overview.

Tanium™ Trends

Integrity Monitor works with Trends for additional reporting of related data. Integrity Monitor features Trends boards that provide data visualization of Integrity Monitor concepts.

Integrity Monitor - Health

The Integrity Monitor - Health board displays the health status of Integrity Monitor on monitored endpoints. The Integrity Monitor - Health board contains the Endpoint Health panel.

Integrity Monitor - Summary

The Integrity Monitor - Summary board displays information about the operationalization and effectiveness of Integrity Monitor based on change events on endpoints. The following panels are in the Integrity Monitor - Summary board:

• Endpoints by OS Platform
• Active Watchlists
• Event Count

For more information about how to import the Trends boards that are provided by Integrity Monitor, see Tanium Trends User Guide: Importing the initial gallery.