Working with rules

Create rules to automatically label events based on their attributes. You can configure rules to help differentiate among planned, expected, ignored, or suspicious changes.

Create rules that apply the Planned label to events that occur during an approved change window. You can also integrate Integrity Monitor with your IT workflow in ServiceNow Change Management to determine change windows based on change requests or change tasks. For more information, see Integrating with IT workflows.

Create rules that apply the Expected label to events for changes performed by approved administrator or service accounts.

Create rules that apply the Suspicious label to events for changes that normally should not occur.

Create a new rule

A rule applies to a single monitor. An event that was already reported before a rule was created is not labeled by that rule.

  1. From the Integrity Monitor menu, select Rules.
  2. In the expanded Rules section of the Integrity Monitor menu, select a rule type. Rules can apply to either monitors that are configured to use legacy labeling or those that are configured to use enhanced labeling. For more information about labeling methods, see Get started quickly with Integrity Monitor.
    • Select Legacy Labeling to create a rule that works with a monitor that uses legacy labeling.
    • Select Enhanced Labeling to create a rule that works with a monitor that uses enhanced labeling.
  3. On the Rules page, click Create Rule.
  4. In the Summary section, enter a Rule Name and Rule Description.
  5. In the Rule Criteria section, select a filter field and operator from the drop-down lists, enter the criteria, and click Apply.

    If necessary, click the icon to add criteria.

  6. In the Labels section, select the Monitor to which you want to apply this rule and the Label you want to apply. Enter any optional Label Note.
  7. Click Create.

Once an event occurs that should be labeled, it might take an hour or more before it is labeled by a rule.

You can also import multiple rules that work with legacy labeling from a CSV file.

  1. On the Legacy Rules page, click Import Rules.
  2. In the Import Rules window, click Choose File.
  3. Select the CSV file and click Open.
  4. Click Import. The imported rules appear on the Rules page.

Example Tanium CSV file used to import rules

app1 generated events,events generated by app1,CR12345,1,5,,,
,,,,,process,eq,C:/Program Files/app1/app1.exe
,,,,,file,contains,C:/Program Files/app1
rule 2 name,rule 2 description,rule 2 note,1,5,,,
,,,,,file,contains,C:/Program Files

Each rule spans several lines. The first line of a rule carries the name, description, note, monitor_id, and label_id fields and leaves the three filter fields blank. Each line that follows leaves the name, description, note, monitor_id, and label_id fields blank and defines one filter as a field, an operator, and a value. Filter processing for a rule is complete when the next rule line (a line with a non-blank name) is detected.

This CSV example contains two rules. Rule 1 defines two filters that are connected with the AND operator.

Rule 2 defines one filter.
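The following is an added example, not Tanium code, that parses the CSV layout above into rules and then checks sample events against them, so you can validate an import file and see which rules an event would hit before uploading it. It assumes the eq and contains operators are exact-match and case-sensitive string comparisons, and that a rule line never carries filter fields; both are assumptions, since the page shows only the layout and states that a rule's filters are combined with AND. The CSV text and the events are constructed here.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: the same two-rule layout shown on the page.
SAMPLE_CSV = """\
app1 generated events,events generated by app1,CR12345,1,5,,,
,,,,,process,eq,C:/Program Files/app1/app1.exe
,,,,,file,contains,C:/Program Files/app1
rule 2 name,rule 2 description,rule 2 note,1,5,,,
,,,,,file,contains,C:/Program Files
"""


@dataclass
class Filter:
    attribute: str   # event attribute the filter inspects (e.g. process, file)
    op: str          # eq or contains
    value: str


@dataclass
class Rule:
    name: str
    description: str
    note: str
    monitor_id: int
    label_id: int
    filters: list = field(default_factory=list)


def parse_rules_csv(text):
    """Group filter lines under the rule line that precedes them.

    A line with a non-blank name starts a new rule; a line with the first five
    fields blank is a filter for the current rule. Structural errors raise
    ValueError with the offending line number.
    """
    rules = []
    current = None
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # tolerate blank lines
        if len(row) != 8:
            raise ValueError(f"line {lineno}: expected 8 fields, got {len(row)}")
        name, desc, note, mon, lab, f_attr, f_op, f_val = (c.strip() for c in row)
        if name:
            if not (mon.isdigit() and lab.isdigit()):
                raise ValueError(f"line {lineno}: monitor_id and label_id must be integers")
            if f_attr or f_op or f_val:
                # assumption: filters live only on the lines after the rule line
                raise ValueError(f"line {lineno}: filter fields on a rule line")
            current = Rule(name, desc, note, int(mon), int(lab))
            rules.append(current)
        else:
            if current is None:
                raise ValueError(f"line {lineno}: filter line before any rule line")
            if f_op not in OPERATORS:
                raise ValueError(f"line {lineno}: unknown operator {f_op!r}")
            if not f_attr:
                raise ValueError(f"line {lineno}: filter has no field")
            current.filters.append(Filter(f_attr, f_op, f_val))
    for rule in rules:
        if not rule.filters:
            raise ValueError(f"rule {rule.name!r} has no filters")
    return rules


# Assumed semantics: exact, case-sensitive string comparison.
OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}


def rule_matches(rule, event):
    """All of a rule's filters must hold (AND); a missing attribute fails the filter."""
    for flt in rule.filters:
        actual = event.get(flt.attribute)
        if actual is None or not OPERATORS[flt.op](actual, flt.value):
            return False
    return True


def matching_rules(rules, event):
    """Names of every rule that would label this event, in file order."""
    return [rule.name for rule in rules if rule_matches(rule, event)]


if __name__ == "__main__":
    parsed = parse_rules_csv(SAMPLE_CSV)
    sample_event = {"process": "C:/Program Files/app1/app1.exe",
                    "file": "C:/Program Files/app1/config.ini"}
    print(matching_rules(parsed, sample_event))
```

Running the module prints the names of both rules for the sample event, because its process and file satisfy rule 1's two filters and its file also contains the rule 2 prefix. Whether Integrity Monitor itself applies one or several labels when more than one rule matches is not stated on this page, so the matcher reports every hit rather than choosing a winner.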

Deploy rules

Rules for enhanced labeling are deployed to endpoints in order to apply labels to events directly on endpoints.

After creating a rule for enhanced labeling, a Changes Pending: Deploy Rules to Endpoints banner displays on the Integrity Monitor Home page and NEEDS DEPLOYMENT displays next to the rule on the Rules page. Click Deploy Now on the Integrity Monitor Home page or Deploy Rules on the Rules page.

When you deploy rules, you deploy all rules. When you take an action on rules (such as creating, deactivating, or deleting), you are prompted to deploy all rules. For best results, create all planned rules and then deploy them all at once.

Rules are automatically redeployed when the Integrity Monitor module is upgraded in TaaS, which could occur without prior notice. If you have not yet deployed a newly created rule, it is automatically deployed if the module is upgraded before you manually deploy it.

Deactivate a rule

If you no longer want a rule to run, you can deactivate it. On the Rules page, select the rule you want to deactivate and click Deactivate; confirm deactivation. Deactivating a rule does not delete any existing labels that the rule applied.

If you want to reactivate the rule, you must clone it and save it.

Clone a rule

You cannot directly edit a rule due to auditing restrictions; however, you can accomplish a similar result by cloning and then deactivating an existing rule.

  1. On the Rules page, select the rule you want to clone and click Clone.
  2. On the Create Rule page, fields are pre-populated with information from the rule you cloned with the Rule Name followed by cloned [date and time].
  3. Make any necessary edits to the rule and click Save.

Delete a rule

To delete a rule, on the Rules page, select the rule and click Delete; confirm deletion.

If you delete a rule, you also delete all labeled events associated with that rule.