Succeeding with Integrity Monitor
Follow these best practices to achieve maximum value and success with Tanium Integrity Monitor. These steps align with the key benchmark metrics: increasing integrity monitor coverage and reducing unexpected changes per endpoint.
Step 1: Gain organizational effectiveness
Complete the key organizational governance steps to maximize Integrity Monitor value. For more information about each task, see Gaining organizational effectiveness.
Develop a dedicated change management process.
Define distinct roles and responsibilities in a RACI chart.
Validate cross-functional organizational alignment.
Track operational metrics.
Step 2: Install and configure Tanium modules
Install Tanium Integrity Monitor. See Installing Integrity Monitor.
Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.
Install Tanium Connect. See Tanium Connect User Guide: Installing Tanium Connect.
Install Client Management and Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing.
Step 3: Configure Integrity Monitor
Configure the service account. See Configure the Integrity Monitor service account.
Create computer groups with dynamic membership. (Computer groups with manual membership are not supported in Integrity Monitor.) See Tanium Console User Guide: Create computer groups.
Import the Integrity Monitor board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery. If you installed Trends using the Apply Tanium recommended configurations option, the Integrity Monitor board is automatically imported after the Integrity Monitor service account is configured.
Step 4: Set up watchlists
Watchlists define a set of files, directories, and Windows registry paths that you want to monitor for changes.
Create a watchlist, naming it based on the application, business unit, or compliance standard you want to monitor.
Select a Windows or Unix path style. You must use separate watchlists for Windows and non-Windows endpoints.
(Optional) Start from a built-in template, and add custom file or registry paths to specify the files, folders, or registry paths you want to monitor.
Configure inclusions and exclusions for each path to refine the files, folders, or registry paths that you are monitoring.
Step 5: Set up monitors
Use monitors to determine how watchlists are deployed to endpoints for continuous recording of file and registry events.
Create a monitor, naming it based on the operating system, business unit, or application group you want to monitor.
Select the operating system of the endpoints you plan to monitor.
Use Enhanced Labeling for the Labeling Method. See Basic labeling and enhanced labeling.
Use both the Event Monitoring and Hash Monitoring options for the best coverage of events.
Select the computer groups that contain the endpoints you want to monitor.
If you are monitoring Windows endpoints, use the Install Tanium Driver option.
Select the watchlists to monitor on the endpoints in the selected computer groups.
See Configuring monitors to deploy watchlists.
Step 6: Deploy monitors
After you create monitors, click Deploy Monitors to deploy the monitors to the selected endpoints. See Deploy monitors.
Step 7: Monitor change events and tune watchlists
Review the overview of changes.
Make adjustments to paths, inclusions, and exclusions in watchlists to exclude events that do not need to be monitored.
Monitor detailed events using questions and Tanium Connect.
See Viewing events.
Step 8: Define rules
After watchlists are tuned to capture only events of interest, create rules to automatically label events and help differentiate among planned, expected, ignored, and suspicious changes. See Create a rule.
Deploy rules. See Deploy rules (enhanced labeling).
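The following Python script is an added illustration of the watchlist, hash-monitoring, and rule steps above; it is not Tanium code and does not use the Tanium API. It shows how inclusions and exclusions narrow what a watchlist covers, how hash monitoring turns two snapshots into created, modified, and deleted events, and how rules label events while leaving anything no rule covers as unlabeled, so it can be escalated rather than silently dropped. The Watchlist, Rule, snapshot, compare, and label_events names and the sample file tree are constructed for this example.

```python
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Watchlist:
    """Hypothetical watchlist: directories to monitor plus glob inclusions/exclusions."""
    name: str
    paths: list
    inclusions: list = field(default_factory=list)  # empty means everything under paths
    exclusions: list = field(default_factory=list)  # applied after inclusions

    def matches(self, relpath: str) -> bool:
        if self.inclusions and not any(fnmatch.fnmatch(relpath, p) for p in self.inclusions):
            return False
        return not any(fnmatch.fnmatch(relpath, p) for p in self.exclusions)


@dataclass
class Rule:
    """Hypothetical rule: label events whose type and relative path match."""
    pattern: str
    event_types: tuple
    label: str


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watchlist: Watchlist) -> dict:
    """Hash monitoring: map each monitored file's relative path to its SHA-256."""
    snap = {}
    for root_dir in watchlist.paths:
        for dirpath, _, files in os.walk(root_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root_dir).replace(os.sep, "/")
                if watchlist.matches(rel):
                    snap[rel] = sha256_file(full)
    return snap


def compare(before: dict, after: dict) -> list:
    """Turn two snapshots into (event_type, relpath) change events."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("created", rel))
        elif rel not in after:
            events.append(("deleted", rel))
        elif before[rel] != after[rel]:
            events.append(("modified", rel))
    return events


def label_events(events: list, rules: list) -> list:
    """First matching rule wins; events no rule covers stay 'unlabeled' for follow-up."""
    labeled = []
    for etype, rel in events:
        label = "unlabeled"
        for rule in rules:
            if etype in rule.event_types and fnmatch.fnmatch(rel, rule.pattern):
                label = rule.label
                break
        labeled.append((etype, rel, label))
    return labeled


def _write(root: str, rel: str, data: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def run_demo() -> list:
    """Constructed scenario in a temp directory: baseline, then four changes,
    two of which fall under exclusions and must produce no events."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    _write(root, "sshd_config", "PermitRootLogin no\n")
    _write(root, "conf.d/10-base.conf", "base\n")
    _write(root, "cache/tmp.dat", "scratch\n")

    wl = Watchlist("linux-ssh-config", paths=[root], exclusions=["cache/*", "*.log"])
    # Change-window rule: new or edited drop-in config files are expected.
    rules = [Rule("conf.d/*.conf", ("created", "modified"), "expected")]

    before = snapshot(wl)
    _write(root, "sshd_config", "PermitRootLogin yes\n")  # unplanned edit -> unlabeled
    _write(root, "conf.d/20-patch.conf", "patch\n")       # covered by rule -> expected
    _write(root, "cache/tmp.dat", "changed\n")            # excluded -> no event
    _write(root, "app.log", "noise\n")                    # excluded -> no event
    after = snapshot(wl)

    return label_events(compare(before, after), rules)


if __name__ == "__main__":
    for etype, rel, label in run_demo():
        print(f"{label:10} {etype:9} {rel}")
```

Running the script lists one expected event (the new drop-in config) and one unlabeled event (the edited sshd_config); the excluded cache and log changes never appear. That unlabeled event is the kind of change Step 9 routes to ServiceNow Incident Management, which is why rules should only label changes you can actually explain, and exclusions should only remove paths you genuinely do not need to watch.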
Step 9: Set up IT workflow integration with ServiceNow Change Management
Create a ServiceNow integration in Integrity Monitor.
Configure and establish a connection to ServiceNow.
Map the Integrity Monitor statuses of Open, Closed, and Canceled to the states used in your ServiceNow change requests and change tasks.
Configure the schedules to synchronize data with ServiceNow.
See Integrating with IT workflows.
Step 10: Export data to reports and incidents
Send expected and unexpected events to the appropriate external destinations for reporting. See Send events from enhanced monitors.
Use unlabeled events to create incidents in ServiceNow Incident Management. See Create incidents for unlabeled events in ServiceNow Incident Management.
Step 11: Monitor Integrity Monitor metrics
From the Trends menu, click Boards and then click Risk and Security Metrics to view the Integrity Monitor Server Coverage, Mean Unexpected Change Events per Endpoint, and Expected vs Unexpected Change Events panels.
Last updated: 4/6/2021 9:33 PM