Integrity Monitor overview

With Integrity Monitor, you can simplify regulatory compliance for your enterprise by consolidating tools, and you can accomplish the following:

  • Continuously monitor critical operating system (OS), application, and log files, as well as critical Windows registry paths.
  • Deploy continuous monitoring for common or new attack vectors to any dynamic group of computers or across the enterprise.
  • Go from alert to active investigation using other modules on the Tanium platform. Use Tanium™ Connect to automatically send emails to open incidents for suspicious events in incident response systems.
  • Automatically identify approved events based on change requests or tasks by integrating with ServiceNow Change Management.
  • Use Tanium™ Connect to automatically send events to Security Information and Event Management (SIEM) solutions; Security Orchestration, Automation and Response (SOAR) solutions; and other data lakes or log solutions for analysis and auditing.

Managing events

Using Integrity Monitor, you specify files, directories, or Windows registry paths that you want to watch for changes in watchlists, and then you define how those watchlists are deployed to endpoints using monitors. After you create and deploy monitors, Integrity Monitor records events on the included endpoints.

Labeling events

You can label events to mark actions that need to be taken on those events. You can also create rules that automatically label events, which can help you readily identify events of concern.

Legacy labeling and enhanced labeling

Integrity Monitor 2.4 and later includes the capability to use labels that are stored on endpoints, known as enhanced labeling. This allows labels to be available from Integrity Monitor sensors across the Tanium platform and to be combined with other data, which allows you to use labels in filters. For example, when using enhanced labeling, you can ask the question "Get Computer Name and Integrity Monitor File Events Details contains Label Important" in Tanium Interact to retrieve only file events with the label Important. Additionally, the sensors Integrity Monitor Labeled File Events Details, Integrity Monitor Unlabeled File Events Overview, and Integrity Monitor Unlabeled File Events Details are available when using enhanced labeling. For more information, see Working with events.

When all events are appropriately labeled, you can filter for only unlabeled events, which typically represent unexpected changes.

Enhanced labeling also lets you integrate with ServiceNow Change Management.

Currently, when you use enhanced labeling, the following restrictions apply:

  • You cannot manually add labels to events.
  • You cannot add notes to labeled events.
  • You cannot view and manage event labels in the Integrity Monitor File Events Overview.
  • Reports are unavailable.
  • Label history is unavailable.

Enhanced labels are shown in text format as normal sensor output, whereas legacy labels were shown graphically with colored boxes. This change allows ordering and filtering based on label names, just as with any Tanium sensor output.

With legacy labeling, labels are stored on the Tanium Module Server in TaaS, and they are available only within Integrity Monitor.

Enhanced labeling is available only for monitors for Windows and Linux endpoints. Monitors for AIX and Solaris endpoints must use legacy labeling.

Integration with IT workflows

When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow, which lets you determine which events are authorized and filter out events within authorized change windows.
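The idea behind change-window labeling and filtering for unlabeled events, sketched as an added example (this is not Tanium or ServiceNow code, and it does not use either product's API or data format). The record fields, the `Approved:<id>` label format, the change ID, and all sample events are constructed for illustration; timestamps are assumed to be UTC.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase

@dataclass
class ChangeWindow:
    change_id: str   # constructed placeholder, not a real change request number
    endpoint: str
    path_glob: str   # note: '*' in fnmatch also matches '/'
    start: datetime
    end: datetime

@dataclass
class FileEvent:
    endpoint: str
    path: str
    change_type: str
    when: datetime   # all timestamps assumed to be UTC
    labels: list = field(default_factory=list)

def covers(w, ev):
    """A window approves an event only if endpoint, path and time all match."""
    return (ev.endpoint == w.endpoint and fnmatchcase(ev.path, w.path_glob)
            and w.start <= ev.when <= w.end)

def label_events(events, windows):
    """Recompute labels for every event (idempotent); hypothetical label format."""
    for ev in events:
        ev.labels = [f"Approved:{w.change_id}" for w in windows if covers(w, ev)]
    return events

def unlabeled(events):
    """Events no approved change accounts for: the ones to investigate."""
    return [ev for ev in events if not ev.labels]

# Constructed sample data.
WINDOWS = [ChangeWindow("CHG-EXAMPLE-1", "web01", "/etc/nginx/*",
                        datetime(2024, 3, 1, 22, 0), datetime(2024, 3, 2, 0, 0))]
EVENTS = [
    FileEvent("web01", "/etc/nginx/nginx.conf", "modify", datetime(2024, 3, 1, 22, 15)),
    FileEvent("web01", "/etc/nginx/nginx.conf", "modify", datetime(2024, 3, 2, 3, 40)),
    FileEvent("web01", "/etc/passwd", "modify", datetime(2024, 3, 1, 22, 20)),
    FileEvent("web02", "/etc/nginx/nginx.conf", "modify", datetime(2024, 3, 1, 22, 30)),
]

if __name__ == "__main__":
    for ev in unlabeled(label_events(EVENTS, WINDOWS)):
        print(ev.endpoint, ev.path, ev.when.isoformat(), "UNLABELED")
```

Only the first sample event is labeled; a change to the same file after the window closes, a change to a path the request does not cover, and a change on a different endpoint all stay unlabeled.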

Integration with other Tanium products

Tanium™ Connect

If you are using legacy labeling, Integrity Monitor can send events to Connect. You can send notifications about these events to destinations such as email, security information and event management (SIEM) software, or a file by creating a connection in Connect.

If you are using enhanced labeling, you can access events from Integrity Monitor in Connect using saved questions.

For more information about Connect, see Tanium Connect User Guide: Connect overview.

Tanium™ Trends

Integrity Monitor has built-in integration with Trends for additional reporting of related data. Integrity Monitor features Trends boards that provide data visualization of Integrity Monitor concepts.

Integrity Monitor - Deployment

The Integrity Monitor - Deployment board displays information about deployed monitors and Integrity Monitor tools installed on endpoints. The following panels are in the Integrity Monitor - Deployment board:

  • Integrity Monitor Tools Installations
  • Integrity Monitor Endpoint Tools Status
  • Integrity Monitor Server Coverage

Integrity Monitor - Effectiveness

The Integrity Monitor - Effectiveness board displays information about the effectiveness of Integrity Monitor based on change events on endpoints. The following panels are in the Integrity Monitor - Effectiveness board:

  • Events by Change Type
  • Events by File Path
  • Mean Number of Unexpected Change Events per Endpoint
  • Expected vs Unexpected Change Events

Integrity Monitor - Operationalization

The Integrity Monitor - Operationalization board displays information about the endpoints that are currently monitored, grouped by operating system or path style. The following panels are in the Integrity Monitor - Operationalization board:

  • Monitored Endpoints
  • Monitors by OS
  • Watchlists by Path Style

For more information about how to import the Trends boards that are provided by Integrity Monitor, see Tanium Trends User Guide: Importing the initial gallery.