Succeeding with Integrity Monitor
Follow these best practices to achieve maximum value and success with Tanium Integrity Monitor. These steps align with the key benchmark metrics: increasing integrity monitor coverage and reducing unexpected changes per endpoint.
Develop a dedicated change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional organizational alignment.
Track operational metrics.
Install Tanium Integrity Monitor. See Installing Integrity Monitor.
Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.
Install Tanium Connect. See Tanium Connect User Guide: Installing Tanium Connect.
Configure the service account. See Configure the Integrity Monitor service account.
Create dynamic computer groups. (Manual computer groups are not supported in Integrity Monitor.) See Tanium Console User Guide: Create computer groups.
Import the Integrity Monitor board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery. If you installed Trends using the Apply Tanium recommended configurations option, the Integrity Monitor board is automatically imported after the Integrity Monitor service account is configured.
Watchlists define a set of files, directories, and/or Windows registry paths that you want to watch for changes.
Create a watchlist, naming it based on the application, business unit, and/or compliance standard you want to monitor.
Select a Windows or Unix path style. You must use separate watchlists for Windows and non-Windows endpoints.
Optionally start from a built-in template, and add custom file or registry paths to specify the files, folders, or registry paths you want to monitor.
Configure additional inclusions and exclusions for each path to refine the files, folders, or registry paths that you are monitoring.
Use monitors to determine how watchlists are deployed to endpoints for continuous recording of file and registry events.
Create a monitor, naming it based on the operating system, business unit, and/or application group you want to monitor.
Select the operating system of the endpoints you plan to monitor.
Use Enhanced Labeling for the Labeling Method. See Legacy labeling and enhanced labeling.
Use both the Event Monitoring and Hash Monitoring options for the best coverage of events.
Select the computer groups that contain the endpoints you want to monitor.
If you are monitoring Windows endpoints, use the Install Tanium Driver option.
Select the watchlists to monitor on the endpoints in the selected computer groups.
After you create monitors, click Deploy Monitors to deploy the monitors to the selected endpoints. See Deploy monitors.
Monitor the overview of changes.
Make adjustments to paths, inclusions, and exclusions in watchlists to exclude events that do not need to be monitored.
Monitor detailed events using questions and Tanium Connect.
See Working with events.
After watchlists are tuned to capture only events of interest, create rules to automatically label events and help differentiate among planned, expected, ignored, and suspicious changes. See Create a new rule.
Deploy rules. See Deploy rules.
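As an added illustration that is not Tanium's code or API, the following Python models the watchlist and rule concepts from the steps above: a watchlist with a path style, root paths, inclusions and exclusions; hash monitoring that diffs SHA-256 baselines into create, modify and delete events; and a rule that labels each event expected or unexpected depending on whether it fell inside an approved change window. The watchlist, file snapshots and change window are constructed sample data, and the class and function names are my own.

```python
import fnmatch, hashlib
from dataclasses import dataclass
from datetime import datetime
@dataclass
class Watchlist:
    path_style: str        # "windows" or "unix": a watchlist covers one style only
    paths: tuple           # root files or directories to watch
    inclusions: tuple = () # globs a path must match (if any are given)
    exclusions: tuple = () # globs that drop an otherwise matching path

    def _norm(self, p):    # Windows paths: case-insensitive, backslash separators
        return p.lower().replace("\\", "/") if self.path_style == "windows" else p

    def covers(self, path):
        p, roots = self._norm(path), [self._norm(r).rstrip("/") for r in self.paths]
        if not any(p == r or p.startswith(r + "/") for r in roots):
            return False
        if self.inclusions and not any(fnmatch.fnmatch(p, self._norm(g)) for g in self.inclusions):
            return False
        return not any(fnmatch.fnmatch(p, self._norm(g)) for g in self.exclusions)

def snapshot(files):
    """Hash-monitoring baseline: map each path to the SHA-256 of its content."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def hash_changes(before, after):
    """Diff two baselines into (path, action) events."""
    events = [(p, "create" if p not in before else "modify")
              for p, d in after.items() if before.get(p) != d]
    return events + [(p, "delete") for p in before if p not in after]

def label(when, change_windows):
    """Rule: a change inside an approved window is expected, anything else is unexpected."""
    return "expected" if any(s <= when <= e for s, e in change_windows) else "unexpected"

def monitor(watchlist, before, after, when, change_windows):
    """Keep only the events the watchlist covers and label each one with the rule."""
    return [(p, a, label(when, change_windows))
            for p, a in hash_changes(before, after) if watchlist.covers(p)]

# Constructed data: one Windows watchlist, two snapshots of one endpoint, one approved change window.
SYSTEM32 = Watchlist("windows", (r"C:\Windows\System32",), inclusions=("*.dll", "*.exe"), exclusions=(r"*\logs\*",))
BEFORE = snapshot({r"C:\Windows\System32\kernel32.dll": b"build 1",
                   r"C:\Windows\System32\logs\tool.exe": b"old",
                   r"C:\Temp\setup.exe": b"installer"})
AFTER = snapshot({r"C:\Windows\System32\kernel32.dll": b"build 2",  # modified, in scope
                  r"C:\Windows\System32\logs\tool.exe": b"new",      # modified, but excluded
                  r"C:\Windows\System32\helper.exe": b"fresh",       # created, in scope
                  r"C:\Temp\setup.exe": b"installer v2"})            # modified, outside the roots
CHANGE_WINDOWS = [(datetime(2020, 7, 9, 21, 0), datetime(2020, 7, 9, 23, 0))]
```

Calling `monitor(SYSTEM32, BEFORE, AFTER, when, CHANGE_WINDOWS)` yields only the kernel32.dll modification and the helper.exe creation; the excluded log directory and the path outside the watchlist roots produce no events, and the label flips to unexpected once `when` falls outside the window.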
Create a ServiceNow integration in Integrity Monitor.
Configure and establish a connection to ServiceNow.
Map the Integrity Monitor statuses of Open, Closed, and Canceled to the states used in your ServiceNow change requests and change tasks.
Configure the schedules to synchronize data with ServiceNow.
Send expected and unexpected events to the appropriate external destinations for reporting. See Sending events from monitors that use enhanced labeling.
Use unlabeled events to create incidents in ServiceNow Incident Management. See Create incidents for unlabeled events in ServiceNow Incident Management.
From the Trends menu, click Boards and then click Integrity Monitor to view the Integrity Monitor Server Coverage, Mean Number of Unexpected Change Events per Endpoint, and Expected vs Unexpected Change Events panels.
Last updated: 7/9/2020 5:21 PM