Succeeding with Integrity Monitor

Follow these best practices to achieve maximum value and success with Tanium Integrity Monitor. These steps align with the key benchmark metrics: increasing integrity monitor coverage and reducing unexpected changes per endpoint.

Steps to succeed with Integrity Monitor

Step 1: Gain organizational effectiveness

Complete the key organizational governance steps to maximize Integrity Monitor value. For more information about each task, see Gaining organizational effectiveness.

Develop a dedicated change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional organizational alignment.

Track operational metrics.

Step 2: Install and configure Tanium modules

Install Tanium Integrity Monitor. See Installing Integrity Monitor.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Install Tanium Connect. See Tanium Connect User Guide: Installing Tanium Connect.

Install Client Management and Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing.

Step 3: Configure Integrity Monitor

Configure the service account. See Installing Integrity Monitor.

Create computer groups with dynamic membership. (Computer groups with manual membership are not supported in Integrity Monitor.) See Tanium Console User Guide: Create a computer group.

Import the Integrity Monitor board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery. If you installed Trends using the Apply Tanium recommended configurations option, the Integrity Monitor board is automatically imported after the Integrity Monitor service account is configured.

Step 4: Set up watchlists

Watchlists define a set of files, directories, and Windows registry paths that you want to monitor for changes.

Create a watchlist, naming it based on the application, business unit, or compliance standard you want to monitor.

Select a Windows or Unix path style. You must use separate watchlists for Windows and non-Windows endpoints.

(Optional) Start from a built-in template, and add custom file or registry paths to specify the files, folders, or registry paths you want to monitor.

Configure inclusions and exclusions for each path to refine the files, folders, or registry paths that you are monitoring.

See Configuring watchlists.

Step 5: Set up monitors

Use monitors to determine how watchlists are deployed to endpoints for continuous recording of file and registry events.

Create a monitor, naming it based on the operating system, business unit, or application group you want to monitor.

Select the operating system of the endpoints you plan to monitor.

Use Enhanced Labeling for the Labeling Method. See Basic labeling and enhanced labeling.

Use both the Event Monitoring and Hash Monitoring options for the best coverage of events.

Select the computer groups that contain the endpoints you want to monitor.

If you are monitoring Windows endpoints, use the Install Tanium Driver option.

Select the watchlists to monitor on the endpoints in the selected computer groups.

See Configuring monitors to deploy watchlists.

Step 6: Deploy monitors

After you create monitors, click Deploy Monitors to deploy the monitors to the selected endpoints. See Deploy monitors.

Step 7: Monitor change events and tune watchlists

Monitor the overview of changes.

Make adjustments to paths, inclusions, and exclusions in watchlists to exclude events that do not need to be monitored.

Monitor detailed events using questions and Tanium Connect.

See Viewing events.

Step 8: Define rules

After watchlists are tuned to capture only events of interest, create rules to automatically label events and help differentiate among planned, expected, ignored, and suspicious changes. See Create a rule.

Deploy rules. See Deploy rules (enhanced labeling).

Step 9: Set up IT workflow integration with ServiceNow Change Management

Create a ServiceNow integration in Integrity Monitor.

Configure and establish a connection to ServiceNow.

Map the Integrity Monitor statuses of Open, Closed, and Canceled to the states used in your ServiceNow change requests and change tasks.

Configure the schedules to synchronize data with ServiceNow.

See Integrating with IT workflows.

Step 10: Export data to reports and incidents

Send expected and unexpected events to the appropriate external destinations for reporting. See Send events from enhanced monitors.

Use unlabeled events to create incidents in ServiceNow Incident Management. See Create incidents for unlabeled events in ServiceNow Incident Management.

Step 11: Monitor Integrity Monitor metrics

From the Trends menu, click Boards and then click Risk and Security Metrics to view the Integrity Monitor Server Coverage, Mean Unexpected Change Events per Endpoint, and Expected vs Unexpected Change Events panels.

Monitor and troubleshoot Integrity Monitor Server Coverage.

Monitor and troubleshoot Mean Unexpected Change Events per Endpoint or Expected vs Unexpected Change Events.
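As an added illustration (not Tanium's own watchlist or rule syntax, which you configure in the console), the following Python model shows how watchlist inclusions and exclusions (Steps 4 and 7), labeling rules (Step 8) and the two benchmark metrics from this page fit together: only in-scope changes on monitored endpoints are labeled, and events no rule labels drive the unexpected-changes metric. All paths, endpoints, events, rules and the ticket value are constructed.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed Windows-style watchlist (Windows and Unix paths need separate watchlists).
WATCHLIST_WIN = {
    "style": "windows",
    "paths": [r"C:\Program Files\PayApp\*"],     # watched roots
    "include": ["*.exe", "*.dll", "*.config"],   # refine to binaries and config
    "exclude": [r"*\logs\*", "*.tmp"],           # tuned out after reviewing events
}

# Constructed labeling rules, first match wins; events no rule labels stay "unlabeled".
RULES = [
    ("expected", lambda e: e["process"] == "PayAppUpdater.exe" and bool(e["ticket"])),
    ("ignored", lambda e: e["path"].lower().endswith(".config") and e["user"] == "SYSTEM"),
]

def in_scope(path, wl):
    # Under a watched root, not excluded, and matched by an inclusion.
    norm = (lambda s: s.lower()) if wl["style"] == "windows" else (lambda s: s)
    hit = lambda group: any(fnmatchcase(norm(path), norm(pat)) for pat in wl[group])
    return hit("paths") and not hit("exclude") and hit("include")

def label(event):
    return next((name for name, pred in RULES if pred(event)), "unlabeled")

def metrics(events, wl, monitored, all_servers):
    """Return (server coverage, mean unlabeled events per monitored endpoint, label counts)."""
    labels, per_endpoint = Counter(), Counter({h: 0 for h in monitored})
    for e in events:
        if e["endpoint"] not in monitored or not in_scope(e["path"], wl):
            continue                      # no monitor deployed, or tuned out by the watchlist
        lab = label(e)
        labels[lab] += 1
        if lab == "unlabeled":            # counted as unexpected in this model
            per_endpoint[e["endpoint"]] += 1
    coverage = len(monitored) / len(all_servers)
    return coverage, sum(per_endpoint.values()) / len(monitored), dict(labels)

def ev(endpoint, path, process, ticket="", user="SYSTEM"):
    return {"endpoint": endpoint, "path": path, "process": process, "ticket": ticket, "user": user}
# Constructed sample: srv3 and srv4 have no monitor deployed.
MONITORED, ALL_SERVERS = {"srv1", "srv2"}, {"srv1", "srv2", "srv3", "srv4"}
EVENTS = [
    ev("srv1", r"C:\Program Files\PayApp\pay.dll", "PayAppUpdater.exe", ticket="CHG-EXAMPLE"),
    ev("srv1", r"C:\Program Files\PayApp\logs\app.log", "PayApp.exe", user="svc_pay"),
    ev("srv2", r"C:\Program Files\PayApp\app.config", "PayApp.exe"),
    ev("srv2", r"C:\Program Files\PayApp\pay.exe", "cmd.exe", user="jdoe"),
    ev("srv3", r"C:\Program Files\PayApp\pay.exe", "cmd.exe", user="jdoe"),
]
```

Running `metrics(EVENTS, WATCHLIST_WIN, MONITORED, ALL_SERVERS)` gives 50% coverage and 0.5 unlabeled events per monitored endpoint; adding a rule for the `cmd.exe` change or deploying monitors to srv3 and srv4 moves the two metrics in the directions this page targets.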