Working with watchlists

Create a watchlist to define a set of files and/or directories you want to monitor for any changes.

Create a new watchlist

  1. Select Watchlists from the Integrity Monitor menu.
  2. On the Watchlists page, click Create a New Watchlist.
  3. In the Summary section, enter a Name and Description for the new watchlist.
  4. Select a Path Style.
  5. Integrity Monitor ships with ready-to-use watchlist templates that contain critical files and directories that are typically monitored for Windows and Linux. In the Watchlist Templates section, select a template to add it to the new watchlist.
  6. Click Create. When you go to Watchlists in the Integrity Monitor menu, you will see the new watchlist listed. On the Watchlists page, you can select watchlists in bulk and use the Filter by name field to filter watchlists. Click the name of a watchlist on the Watchlists page to view the files and directories it includes.

The target operating system and paths must be consistent within a watchlist. For example, you cannot add a Windows path to a watchlist targeting a Linux operating system.

Edit a watchlist

  1. On the Watchlists page, click on a watchlist.
  2. Click Edit in the top right corner.
  3. In the Edit Watchlist window, you can modify the Name, Description or Path Style for that watchlist.
If you change the Path Style for a watchlist, a prompt warns you that all added paths will be removed once you confirm the change.

To customize the types of changes monitored on files in a directory listed in a watchlist or to add file exclusions for that directory:

  1. Select the path to modify and click Edit Path.
  2. In the Change Type section of the Edit Path window, click to select or remove the type of change you want to monitor on that path.
  3. Click Update to save your changes.

See Permission recording for special procedures to monitor permission event types for the Windows recorder.

View watchlist details

To view the details for a watchlist, on the Watchlists page, click the watchlist you want to view and click Expand next to the path.

The details you see for a watchlist depend on the role you are assigned in Integrity Monitor.

Add new paths

  1. Click Add Paths at the top of the screen listing the files/directories for a watchlist.
  2. Select New and provide the new path and the types of changes you want to monitor on that path.
  3. Click Add Path. The path will appear in the list of files/directories for that watchlist.
  4. In the Exclusions section of the Add Path window, you can also choose to exclude a specific sub-directory path or file by clicking + Add Exclusion and providing the path and path type. You can use a wildcard (*) when defining file path type exclusions.

To add paths by importing them from files you have already configured for another monitoring tool:

  1. Under Add Paths, select Import From File and choose the appropriate file. Tanium currently provides limited support for importing paths from Tripwire configuration files, OSSEC configuration files, Tenable LCE policy files, and Tanium CSV files. An example of a Tanium CSV file is shown below.
  2. Click Import.

You can also add paths from templates by selecting Import From Template under Add Paths.

Example Tanium CSV file used to import paths



Will add a path “C:\autoexec.bat” that will turn on all of the supported event types (create, delete, write, rename).


Will add a path “C:\Windows” that will turn on all of the supported event types (create, delete, write, and rename) and add 3 directory exclusions (NtServicePackUninstall, NtUninstall, and Help).


Will add a path “C:\Windows\assembly” that will turn on create and delete event types and add 1 file exclusion (*).

Filter files and directory paths

  1. Use the Filter by name field at the top right of the page listing the files/directories for a watchlist to show directories with only that text in the path name.
  2. You can delete the filtered directories in bulk or change the types of changes being monitored for files in those directories by selecting all.
  3. Delete the text in the Filter by Text field to return to the full list of files/directories.

Export and import watchlists

You can export a watchlist if, for example, you created the watchlist in your QA/lab environment and you want to move it to your production environment, or for backup purposes.

To export a watchlist, open the watchlist and click Export at the top right of the page to export that watchlist.

To import the watchlist, click Import at the top right of the Watchlists page and then select the watchlist file in the Import Watchlist window. Click Import to import the file.

Last updated: 10/29/2019 4:39 PM