Labeling events with rules

Configure labels to annotate events or to indicate which events need investigation or remediation, and use rules to automatically label events based on their attributes.

Integrity Monitor includes the following default labels:

  • Important
  • Suspicious
  • Expected
  • Ignored
  • Planned

Customize labels

You can customize the default labels or create your own labels. After you define labels, you can associate the labels with rules.

Any change to a default label affects every monitor.

  1. From the Integrity Monitor menu, go to Labels.

  2. Click Create Label to create a label, or click Edit in the row for the label you want to edit.
  3. Enter a Name and Description.

    You cannot edit the name of an existing label.

  4. Click Create / Update.

To delete a label, click Delete in the row for the label.

Use rules to automatically label events

Create rules to automatically label events based on their attributes. You can configure rules to help differentiate among planned, expected, ignored, or suspicious changes, or you can use rules to apply custom labels to suit your environment.

Each rule applies to either a single monitor or all monitors and applies a single label based on the criteria you specify.

Create rules to apply default labels as appropriate:

  • Create rules that apply the Planned label to events that occur during an approved change window. You can also integrate Integrity Monitor with your IT workflow in ServiceNow Change Management to determine change windows based on change requests or change tasks. For more information, see Integrating with IT workflows in ServiceNow.
  • Create rules that apply the Expected label to events for changes performed by approved administrator or service accounts.
  • Create rules that apply the Suspicious label to events for changes that normally should not occur.

Create a rule

  1. From the Integrity Monitor menu, go to Rules and click Create Rule.
  2. In the Summary section, enter a Name and Description.
  3. In the Rule Criteria section, select an attribute and operator, enter the appropriate criteria, and click Apply.

    • Text that you enter for the criteria value is case sensitive. For example, the value /mypath for the attribute File/Registry Path does not match the path /MyPath on an endpoint.

    • If you select the Change Type attribute, enter one of the following values:

      • CreateNewFile
      • DeletePath
      • FileOwnershipChange
      • FilePermissionChange
      • RegistryCreate
      • RegistryDelete
      • RegistryRename
      • RegistrySet
      • RenamePath
      • Write
    • Wildcard characters (*, ?) are evaluated as literal characters, so a value such as /opt/app1/*.so matches only a path that actually contains an asterisk. To simulate a wildcard, combine several conditions in a grouping with the AND operator (for example, one condition that matches the directory and another that matches the file extension).
  4. Click Row or Grouping to add additional criteria and groups of conditions as necessary, and select AND or OR to determine how the conditions are applied.
  5. In the Actions section, select the Monitor to which you want to apply this rule and the Label you want to apply to events that match the rule.
  6. Click Create.

  • Newly created rules only affect new events. Past events cannot be labeled by a new rule.

  • Events are labeled by rules as they occur and appear within approximately two minutes.

  • To support consistent auditing, you cannot directly edit a rule. If you want to modify a rule, you must deactivate it, duplicate it, and save the new rule: see Deactivate a rule and Duplicate a rule.

Import rules

You can import multiple rules from a CSV file.

  1. On the Rules page, click Import Rules.
  2. In the Import Rules window, click Choose File.

  3. Browse to a CSV file, and click Open.

  4. Click Import. The imported rules appear on the Rules page.

Example Tanium CSV file used to import rules

name,description,note,monitor_id,label_id,field,operator,value
app1 generated events,events generated by app1,CR12345,1,5,,,
,,,,,process,eq,C:\Program Files\app1\app1.exe
,,,,,file,contains,C:\Program Files\app1
rule 2,rule 2 description,rule 2 note,1,5,,,
,,,,,event_timestamp,gt,2018-06-01T06:00:00.000Z
,,,,,event_timestamp,lt,2018-07-01T06:00:00.000Z
,,,,,file,contains,C:\Program Files

The first line of the file is the header and defines the field names name, description, note, monitor_id, label_id, field, operator, and value. The first line for each rule sets name, description, note, monitor_id, and label_id and leaves field, operator, and value blank. Each subsequent line defines one condition of that rule: name, description, note, monitor_id, and label_id are blank, and field, operator, and value describe the condition. Imported conditions are placed in a single group and combined with the AND operator.

The preceding CSV example contains two rules that each apply to the monitor with ID 1, and apply the label with ID 5:

  • The rule named app1 generated events defines two conditions.
  • The rule named rule 2 defines three conditions.
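As an added example (not Tanium's code), the following Python script parses a rule-import CSV in the layout shown above, validates its structure before you upload it, and evaluates the parsed rules against a few constructed events to illustrate the case-sensitive, literal matching and the single AND group described under Create a rule. The header layout and the operators eq, contains, gt and lt are taken from the example file; how Integrity Monitor evaluates them internally, the meaning of label IDs 3 and 5, the field names used for events, and the two extra rules that contrast a literal * with a simulated wildcard are assumptions made for the illustration.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

HEADER = ["name", "description", "note", "monitor_id", "label_id",
          "field", "operator", "value"]
RULE_COLS, COND_COLS = HEADER[:5], HEADER[5:]

# Operators seen in the page's example file. Matching is literal and case
# sensitive, as documented; gt/lt on ISO 8601 UTC timestamps of identical
# layout is safe as a plain string comparison. (Assumed local semantics.)
OPERATORS = {
    "eq": lambda actual, want: actual == want,
    "contains": lambda actual, want: want in actual,
    "gt": lambda actual, want: actual > want,
    "lt": lambda actual, want: actual < want,
}


@dataclass
class Rule:
    name: str
    monitor_id: int
    label_id: int
    conditions: list[tuple[str, str, str]] = field(default_factory=list)


def parse_rules_csv(text: str) -> list[Rule]:
    """Parse the import layout: one rule line, then one line per condition."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != HEADER:
        raise ValueError("header must be exactly: " + ",".join(HEADER))
    rules: list[Rule] = []
    for lineno, row in enumerate(reader, start=2):
        rule_part = [row[c] for c in RULE_COLS]
        cond_part = [row[c] for c in COND_COLS]
        if any(rule_part) and not any(cond_part):
            if not (row["name"] and row["monitor_id"] and row["label_id"]):
                raise ValueError(f"line {lineno}: rule needs name, monitor_id and label_id")
            rules.append(Rule(row["name"], int(row["monitor_id"]), int(row["label_id"])))
        elif any(cond_part) and not any(rule_part):
            if not rules:
                raise ValueError(f"line {lineno}: condition before any rule line")
            if row["operator"] not in OPERATORS:
                raise ValueError(f"line {lineno}: unsupported operator {row['operator']!r}")
            rules[-1].conditions.append((row["field"], row["operator"], row["value"]))
        else:
            raise ValueError(f"line {lineno}: rule and condition columns are mixed")
    for rule in rules:
        if not rule.conditions:
            raise ValueError(f"rule {rule.name!r} has no conditions")
    return rules


def rule_matches(rule: Rule, event: dict) -> bool:
    """Imported conditions form one AND group and apply to the rule's monitor only."""
    if event.get("monitor_id") != rule.monitor_id:
        return False
    return all(OPERATORS[op](str(event.get(fld, "")), value)
               for fld, op, value in rule.conditions)


def label_events(rules: list[Rule], events: list[dict]) -> dict[str, list[str]]:
    """Map each event id to the names of every rule that would label it."""
    return {ev["id"]: [r.name for r in rules if rule_matches(r, ev)] for ev in events}


# Constructed input: the page's two rules plus two rules that show why a
# bare '*' never matches and how an AND grouping simulates the wildcard.
RULES_CSV = r"""name,description,note,monitor_id,label_id,field,operator,value
app1 generated events,events generated by app1,CR12345,1,5,,,
,,,,,process,eq,C:\Program Files\app1\app1.exe
,,,,,file,contains,C:\Program Files\app1
rule 2,rule 2 description,rule 2 note,1,5,,,
,,,,,event_timestamp,gt,2018-06-01T06:00:00.000Z
,,,,,event_timestamp,lt,2018-07-01T06:00:00.000Z
,,,,,file,contains,C:\Program Files
literal wildcard,a literal asterisk never matches a real path,,1,3,,,
,,,,,process,eq,C:\Program Files\app1\*.exe
simulated wildcard,app1 executables via two contains conditions,,1,3,,,
,,,,,process,contains,C:\Program Files\app1\
,,,,,process,contains,.exe
"""

# Constructed events; e2 differs from e1 only in path case, e3 is outside the
# rule 2 window and belongs to another monitor.
SAMPLE_EVENTS = [
    {"id": "e1", "monitor_id": 1, "process": r"C:\Program Files\app1\app1.exe",
     "file": r"C:\Program Files\app1\settings.ini",
     "event_timestamp": "2018-06-15T12:00:00.000Z"},
    {"id": "e2", "monitor_id": 1, "process": r"c:\program files\app1\app1.exe",
     "file": r"C:\Program Files\app1\settings.ini",
     "event_timestamp": "2018-06-15T12:00:00.000Z"},
    {"id": "e3", "monitor_id": 2, "process": r"C:\Program Files\app1\app1.exe",
     "file": r"C:\Program Files\app1\settings.ini",
     "event_timestamp": "2018-08-01T12:00:00.000Z"},
]

if __name__ == "__main__":
    for event_id, names in label_events(parse_rules_csv(RULES_CSV), SAMPLE_EVENTS).items():
        print(event_id, "->", names or "no label")
```

Running the script labels e1 with the two page rules and the simulated wildcard, labels e2 only with rule 2 (the lowercase path defeats both eq and the contains conditions of the simulated wildcard), and leaves e3 unlabeled; the literal wildcard rule matches nothing. Run the parser over your own CSV before clicking Import to catch a condition line that still carries rule columns, or a rule line with no conditions, which the validation rejects.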

Deploy rules

Deploy rules to endpoints so that Integrity Monitor can apply labels to events directly on endpoints.

After you create, delete, or save updates to a rule, a Deploy Now banner appears, and Pending Active appears in the Status column for the rule on the Rules page. To deploy the updates to the configured endpoints, click Deploy Now in the banner or Deploy Rules on the Rules page.

When you deploy rules, you deploy all rules. When you take an action on rules (such as creating, deactivating, or deleting), you are prompted to deploy all rules. For best results, create all planned rules and then deploy them at the same time.

If you have enabled Endpoint Configuration approval, rule deployment must be approved in Endpoint Configuration before rules are deployed to endpoints.

Rules are automatically redeployed when the Integrity Monitor module is upgraded in Tanium Cloud, which could occur without prior notice. If you have not yet deployed a newly created rule, it is automatically deployed if the module is upgraded before you manually deploy it.

Deactivate a rule

Deactivate a rule if you no longer want the rule to run. On the Rules page, select the rule you want to deactivate and click Deactivate.

Deactivating a rule does not delete any labeled events associated with the rule.

  • To support consistent auditing, deactivation is permanent. If you want to reactivate the rule, you must duplicate it and save the new rule.

  • You cannot deactivate a rule that you have not yet deployed. You can delete the rule if you no longer want to deploy it; see Delete a rule.

Duplicate a rule

To support consistent auditing, you cannot directly edit a rule or reactivate a deactivated rule. However, you can duplicate an existing rule, modify settings, and save the new rule.

  1. From the Rules page, click Duplicate in the row for the rule you want to duplicate.
  2. On the Create Rule page, the settings are pre-populated to match the rule you copied, and the default Rule Name indicates it is a duplicated rule.
  3. Edit the rule settings as necessary and click Create.

Delete a rule

To delete a rule, on the Rules page, select the rule and click Delete. The deletion is pending until the next time you deploy rules.

If you delete a rule, any labels that Integrity Monitor applied to events based on that rule remain in place for those existing events. Events that occur after you delete the rule and redeploy all rules are not labeled.