Working with watchlists

Watchlists define a set of files or directories that you want to watch for changes. Integrity Monitor includes watchlist templates that contain critical files and directories that are typically monitored for Windows and Linux.

You can create your own watchlists or create watchlists from these templates, to which you can add additional paths to watch.

Path inclusions and exclusions

If needed, you can refine the paths in a watchlist by adding path inclusions or path exclusions.

If you define path inclusions, only files and directories in the path that match the inclusion are monitored for the configured change types (create, write, delete, rename, or permission). If you do not define any path inclusions, all files and directories in the path are watched for the configured change types.

If you define path exclusions, files and directories in the path that match the exclusion are not watched.

If you define both, a file or directory in the path is watched only if it matches at least one of the path's inclusions and does not match any of its exclusions; an exclusion always takes precedence over a matching inclusion.

For more information, see Reference: Watchlist path inclusions and exclusions.

Inclusions and exclusions are not required for a path. You can define multiple inclusions or exclusions for a path. When you define path inclusions or exclusions, you can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

Create a watchlist

  1. Select Watchlists from the Integrity Monitor menu.
  2. On the Watchlists page, click Create Watchlist.
  3. Enter a name and description for the new watchlist.
  4. Select a Path Style: Unix or Windows.

    The target endpoint operating system and paths must be consistent within a watchlist. For example, you cannot add a Windows path to a watchlist that targets Linux endpoints.


  5. In the Watchlist Templates section, you can select one or more of the optional templates to use for the watchlist.
  6. Click Create.

    The new watchlist displays after it is created.

You must create a monitor to deploy the watchlist to endpoints and record the file events defined in the watchlist. For more information, see Working with monitors.

View watchlist details

On the Watchlists page, you can use the Filter by name field to filter watchlists.

To view the path details for a watchlist, click the name of the watchlist you want to view to open the watchlist details page.

From this page, you can use the Filter by name field to filter the paths that display for the watchlist. Click Expand next to a path to view the details for that path.


The details you see for a watchlist depend on the role you are assigned in Integrity Monitor.

Edit a watchlist

  1. Select Watchlists from the Integrity Monitor menu.
  2. On the Watchlists page, click the name of the watchlist to open the watchlist details page.
  3. Click Edit.
  4. Edit the Name, Description or Path Style for the watchlist.

    If you change the Path Style for a watchlist, all existing paths are removed after you confirm the change.

  5. Click Save.

Add a path

Add paths to a watchlist to define the files and directories that you want to watch for changes.

  1. Select Watchlists from the Integrity Monitor menu.
  2. On the Watchlists page, click the name of the watchlist to open the watchlist details page.
  3. Click Add Paths > New.
  4. In the Details section, provide the information for the path:
    • Path: Specify the absolute path for the file or directory.

      You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

      When you define a path, you can use the wildcards within a directory or file name, but a wildcard never spans a path separator, so it cannot match multiple directory levels. This usage is different from wildcard usage in path inclusions or exclusions. For example, the path /a/*/z matches /a/b/z, but not /a/b/c/z.

    • Change Type: Select one or more change types that you want to watch for the file or directory: Create, Write, Delete, Rename, or Permission.
  5. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions sections to add path inclusions and exclusions.

    Click Add in the corresponding section to add additional input fields where you can specify more path inclusions or exclusions.

    You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

    In a path inclusion or exclusion, the * wildcard matches zero or more characters and the ? wildcard matches exactly one character, and both can match path separators (/ on Linux or \ on Windows), so a single wildcard can span several directory levels. For example, if the path is /a and an inclusion is */z, this inclusion matches /a/b/z, /a/b/c/z, and /a/b/c/d/e/f/g/z.

    For more information, see Reference: Watchlist path inclusions and exclusions.

  6. Click Add Path to save your changes.
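The following Python is an added example, not Integrity Monitor code, that applies the rules described under Path inclusions and exclusions and in the Add a path procedure to candidate file paths: a wildcard in the Path field stays within one directory level, a wildcard in an inclusion or exclusion can cross separators, inclusions narrow the set and exclusions override inclusions. The authoritative matching rules are in Reference: Watchlist path inclusions and exclusions; where this page does not state a rule, the code makes an assumption and marks it in a comment (inclusions and exclusions are compared to the part of the path below the watched path with any leading separator ignored, the watched path itself is always reported, and Windows comparisons are case-insensitive). The WatchPath and Watchlist names are illustrative.

```python
"""Evaluate watchlist paths, inclusions and exclusions against candidate
file paths using the two wildcard rules described on this page.
Added illustration, not Integrity Monitor code; assumptions are marked."""
import re
from dataclasses import dataclass, field

SEPARATORS = {"unix": "/", "windows": "\\"}


def wildcard_regex(pattern, sep, spans_separators):
    """Compile a pattern containing * and ?. In the Path field a wildcard
    never crosses a separator; in an inclusion or exclusion it may."""
    run = ".*" if spans_separators else "[^" + re.escape(sep) + "]*"
    one = "." if spans_separators else "[^" + re.escape(sep) + "]"
    parts = [run if c == "*" else one if c == "?" else re.escape(c) for c in pattern]
    flags = re.IGNORECASE if sep == "\\" else 0  # assumption: Windows is case-insensitive
    return re.compile("".join(parts) + r"\Z", flags)


@dataclass
class WatchPath:
    path: str
    change_types: set            # subset of create, write, delete, rename, permission
    inclusions: list = field(default_factory=list)
    exclusions: list = field(default_factory=list)


class Watchlist:
    def __init__(self, path_style):
        self.sep = SEPARATORS[path_style]  # Path Style: unix or windows
        self.paths = []

    def add(self, watch_path):
        self.paths.append(watch_path)

    def relative_to(self, watch, candidate):
        """Part of candidate below the watched path ('' for the path itself),
        or None when candidate is not under it. Compared one directory level
        at a time, so a Path-field wildcard cannot span levels."""
        w_parts = watch.split(self.sep)
        c_parts = candidate.split(self.sep)
        if len(c_parts) < len(w_parts):
            return None
        for w, c in zip(w_parts, c_parts):
            if not wildcard_regex(w, self.sep, False).match(c):
                return None
        return self.sep.join(c_parts[len(w_parts):])

    def spec_matches(self, spec, rel):
        # Assumption: a leading separator on either side is ignored, so the
        # exclusion "\*" and the inclusion "*/z" are both compared to the
        # portion of the path below the watched path.
        spec, rel = spec.lstrip(self.sep), rel.lstrip(self.sep)
        return wildcard_regex(spec, self.sep, True).match(rel) is not None

    def is_watched(self, candidate, change_type):
        """True if any path in the watchlist records change_type on candidate."""
        for wp in self.paths:
            if change_type not in wp.change_types:
                continue
            rel = self.relative_to(wp.path, candidate)
            if rel is None:
                continue
            if rel == "":
                return True  # assumption: the watched path itself is always reported
            if wp.inclusions and not any(self.spec_matches(s, rel) for s in wp.inclusions):
                continue     # inclusions are defined and none matched
            if any(self.spec_matches(s, rel) for s in wp.exclusions):
                continue     # an exclusion overrides a matching inclusion
            return True
        return False


def demo():
    """Walk the examples on this page; returns {label: watched?}."""
    unix = Watchlist("unix")
    unix.add(WatchPath("/a", {"write"}, inclusions=["*/z"]))
    unix.add(WatchPath("/etc/*/conf.d", {"write", "create"}))
    logs = Watchlist("windows")
    logs.add(WatchPath(r"C:\Windows\logs", {"create", "delete", "write", "rename"},
                       exclusions=[r"\*"]))
    win = Watchlist("windows")
    win.add(WatchPath(r"C:\Windows", {"create", "delete", "write", "rename", "permission"},
                      exclusions=["NtUninstall", r"NtUninstall\*", "Help", r"Help\*"]))
    return {
        "inclusion spans levels": unix.is_watched("/a/b/c/d/e/f/g/z", "write"),
        "inclusion not matched": unix.is_watched("/a/b/y", "write"),
        "change type not enabled": unix.is_watched("/a/b/z", "delete"),
        "path wildcard one level": unix.is_watched("/etc/nginx/conf.d/default", "write"),
        "path wildcard two levels": unix.is_watched("/etc/x/y/conf.d/default", "write"),
        "root kept despite backslash-star": logs.is_watched(r"C:\Windows\logs", "write"),
        "subtree excluded by backslash-star": logs.is_watched(r"C:\Windows\logs\app.log", "write"),
        "permission off for logs": logs.is_watched(r"C:\Windows\logs", "permission"),
        "Help dir excluded": win.is_watched(r"C:\windows\help", "create"),
        "below Help excluded": win.is_watched(r"C:\Windows\Help\x.chm", "create"),
        "HelpPane.exe still watched": win.is_watched(r"C:\Windows\HelpPane.exe", "write"),
    }
```

Running demo() is a quick way to check, before deploying a watchlist through a monitor, whether a path you care about is actually covered or has been silently carved out by an exclusion.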

Import a path

You can add paths to a watchlist by importing them from a file that you configured with another monitoring tool or a template that is provided with Integrity Monitor.

  1. Select Watchlists from the Integrity Monitor menu.
  2. On the Watchlists page, click the name of the watchlist.

Add paths from a file

Tanium currently provides limited support for importing paths from Tripwire configuration, OSSEC configuration, LCE Client policy, or CSV files. An example of a Tanium CSV file is shown in the subsequent section.

Click Add Paths > Import From File and browse to the file on your computer. Click Import.

Example Tanium CSV file used to import paths

This CSV file is an example of the style to use to import paths to Integrity Monitor. The first line specifies the column name and defines the order of the values in the subsequent rows.

path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_spec
C:\autoexec.bat,on,on,on,on,on,
C:\Windows\logs,on,on,on,on,off,\*
C:\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\*
,,,,,,NtUninstall
,,,,,,NtUninstall\*
,,,,,,Help
,,,,,,Help\*
C:\Windows\assembly,on,on,on,on,on,\*

C:\autoexec.bat,on,on,on,on,on,

In the preceding CSV example, this line adds a path, C:\autoexec.bat, and enables all of the supported change types (create, delete, write, rename, permission).

C:\Windows\logs,on,on,on,on,off,\*

In the preceding CSV example, this line adds a path, C:\Windows\logs, and enables the create, delete, write, rename change types. It does not enable the permission change type. It adds one exclusion (\*). With this configuration, only the watchlist path itself is watched. C:\Windows\logs is watched, but nothing below that directory.

C:\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\*
,,,,,,NtUninstall
,,,,,,NtUninstall\*
,,,,,,Help
,,,,,,Help\*

In the preceding CSV example, these lines add a path, C:\Windows, enable all of the supported change types (create, delete, write, rename, permission), and add six exclusion entries covering three directories (NtServicePackUninstall, NtUninstall, and Help). A row whose path column is empty is a continuation row: its excludes_spec value is added to the most recent path row. This line: ,,,,,,NtUninstall excludes the directory itself. This line: ,,,,,,NtUninstall\* excludes everything below that directory.

C:\Windows\assembly,on,on,on,on,on,\*

In the preceding CSV example, this line adds a path, C:\Windows\assembly, and enables all of the supported change types (create, delete, write, rename, permission). It adds one exclusion (\*). With this configuration, only the watchlist path itself is watched. C:\Windows\assembly is watched, but nothing below that directory.
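The following Python is an added example, not Tanium's importer, that parses the CSV layout shown above into one entry per path, treats rows with an empty path column as continuation rows for the previous path, rejects malformed rows, and lists paths whose exclusions leave nothing below them watched. The column names and on/off values come from the sample; the function names, the validation rules and the blind-spot check are assumptions made for the example.

```python
"""Parse the Integrity Monitor CSV import layout shown on this page and flag
paths whose exclusions leave only the path entry itself watched.
Added example, not Tanium's importer."""
import csv
import io

OPS = ("create", "delete", "write", "rename", "permission")
COLUMNS = ("path",) + tuple("ops_" + op for op in OPS) + ("excludes_spec",)

# Constructed input: the sample CSV from this page.
SAMPLE_CSV = r"""path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_spec
C:\autoexec.bat,on,on,on,on,on,
C:\Windows\logs,on,on,on,on,off,\*
C:\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\*
,,,,,,NtUninstall
,,,,,,NtUninstall\*
,,,,,,Help
,,,,,,Help\*
C:\Windows\assembly,on,on,on,on,on,\*
"""


def parse_watchlist_csv(text):
    """Return a list of {"path", "change_types", "exclusions"} dicts.

    A row whose path column is empty is a continuation row: its excludes_spec
    is appended to the most recent path and its ops columns must be empty.
    The validation rules here are assumptions, not the importer's behaviour."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("missing columns: " + ", ".join(missing))
    entries = []
    for rownum, row in enumerate(reader, start=2):
        path = (row["path"] or "").strip()
        spec = (row["excludes_spec"] or "").strip()
        ops_values = {op: (row["ops_" + op] or "").strip().lower() for op in OPS}
        if path:
            bad = [op for op, v in ops_values.items() if v not in ("on", "off")]
            if bad:
                raise ValueError("row %d: ops_%s must be on or off" % (rownum, bad[0]))
            entries.append({
                "path": path,
                "change_types": {op for op, v in ops_values.items() if v == "on"},
                "exclusions": [],
            })
        else:
            if not entries:
                raise ValueError("row %d: exclusion row before any path row" % rownum)
            if any(ops_values.values()):
                raise ValueError("row %d: continuation row must leave ops columns empty" % rownum)
        if spec:
            entries[-1]["exclusions"].append(spec)
    return entries


def subtree_blind_spots(entries):
    """Paths whose exclusions contain a bare wildcard ('*' or '\\*'), so only
    the path entry itself is watched and nothing below it, as the page notes
    for C:\\Windows\\logs and C:\\Windows\\assembly."""
    return [e["path"] for e in entries
            if any(spec.lstrip("\\/") == "*" for spec in e["exclusions"])]


if __name__ == "__main__":
    parsed = parse_watchlist_csv(SAMPLE_CSV)
    for entry in parsed:
        print(entry["path"], sorted(entry["change_types"]), entry["exclusions"])
    print("nothing watched below:", subtree_blind_spots(parsed))
```

Reviewing the blind-spot list before importing is worthwhile: a bare \* exclusion on a directory such as C:\Windows\logs means new or modified files under it generate no events from that entry, which is easy to miss when the CSV was converted from another tool's configuration.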

Add paths from a template

Integrity Monitor includes watchlist templates that contain critical files and directories that are typically watched for Windows and Linux.

Click Add Paths > Import From Template and select one or more templates. Click Import.

Edit a path

Edit a path to customize the types of changes that are watched on files. You can also add path inclusions or exclusions.

  1. On the Watchlists page, click the name of the watchlist.
  2. Select the path and click Edit Path.
  3. In the Details section, modify the fields as needed:
    • Path: Specify the absolute path for the file or directory.

      You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

      When you define a path, you can use the wildcards within a directory or file name, but a wildcard never spans a path separator, so it cannot match multiple directory levels. This usage is different from wildcard usage in a path inclusion or exclusion. For example, the path /a/*/z matches /a/b/z, but not /a/b/c/z.

    • Change Type: Select one or more change types that you want to watch for the file or directory: Create, Write, Delete, Rename, or Permission.

      You can also modify the Change Type from the watchlist details page. Select one or more paths and click Manage Change Type. Make the necessary changes and click Save.

  4. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions sections to add, modify, or delete path inclusions and exclusions.
    • Click Add in the corresponding section to add additional input fields where you can specify more path inclusions or exclusions.

      You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

      In a path inclusion or exclusion, the * wildcard matches zero or more characters and the ? wildcard matches exactly one character, and both can match path separators (/ on Linux or \ on Windows), so a single wildcard can span several directory levels. For example, if the path is /a and an inclusion is */z, this inclusion matches /a/b/z, /a/b/c/z, and /a/b/c/d/e/f/g/z.

    • Modify existing inclusions and exclusions by updating the entry.
    • Click Delete to delete an existing path inclusion or exclusion.
  5. Click Save Path to save your changes.

See Permission recording for the additional steps required to monitor permission change types with the Windows recorder.

Filter paths

Use the Filter by name field on the watchlist details page to only show paths with that text in the path name.

  • Update the change types to watch for the paths by selecting one or more paths. Click Manage Change Type. Make the necessary changes and click Save.
  • Delete the paths by selecting one or more paths. Click Delete.

Delete the text in the Filter by name field to return to the full list of paths.

Export and import watchlists

You can export a watchlist if, for example, you created the watchlist in your QA or lab environment and you want to move it to your production environment. You might also want to export watchlists as a backup.

To export a watchlist, open the watchlist and click Export to export that watchlist.

To import a watchlist, click Import Watchlist on the Watchlists page and then select the watchlist file in the Import Watchlist window. Click Import to import the file.

Last updated: 1/2/2020 4:28 PM