Working with watchlists
Create a watchlist to define a set of files and/or directories you want to monitor for any changes.
- Select Watchlists from the Integrity Monitor menu.
- On the Watchlists page, click Create a New Watchlist.
- In the Details section, enter a Name and Description for the new watchlist.
- Select a Path Style from the drop-down list.
- Integrity Monitor ships with ready-to-use watchlist templates that contain the critical files and directories typically monitored on Windows and Linux. In the Templates section, click Add to add a template to the new watchlist.
- Click Create. When you go to Watchlists in the Integrity Monitor menu, you will see the new watchlist listed. On the Watchlists page, you can select watchlists in bulk and use the Filter by name field to filter watchlists. Click the name of a watchlist on the Watchlists page to view the files and directories it includes.
The target operating system and paths must be consistent within a watchlist. For example, you cannot add a Windows path to a watchlist targeting a Linux operating system.
To edit the details of an existing watchlist:
- On the Watchlists page, click a watchlist.
- Click Edit in the top right corner.
- In the Edit Watchlist window, you can modify the Name, Description or Target OS for that watchlist.
To customize the types of changes monitored on files in a directory listed in a watchlist or to add file exclusions for that directory:
- Select the path to modify and click Edit Path.
- In the Edit Path window, under Change Type, select or clear each type of change you want to monitor on that path.
See Permission recording for the special procedures needed to monitor permission event types with the Windows recorder.
The details you see for a watchlist depend on the role you are assigned in Integrity Monitor.
To add a path to a watchlist manually:
- Click Add Paths at the top of the screen listing the files/directories for a watchlist.
- Select New and provide the new path and the types of changes you want to monitor on that path.
- Click Add Path. The path will appear in the list of files/directories for that watchlist.
- In the Exclusions section of the Add Path window, you can also choose to exclude a specific sub-directory path or file by clicking + Add Exclusion and providing the path and path type. You can use a wildcard (*) when defining file path type exclusions.
To add paths by importing them from files you have already configured for other monitoring tools:
- Under Add Path, select Import From File and choose the appropriate file. Tanium currently provides limited support for importing paths from Tripwire configuration files, OSSEC configuration files, Tenable LCE policy files, and Tanium CSV files. An example of a Tanium CSV file is shown below.
- Click Upload.
You can also add paths from templates by selecting Import From Template under Add Paths.
Example Tanium CSV file used to import paths
Will add a path “C:\autoexec.bat” that turns on all of the supported event types (create, delete, write, rename).
C:\Windows,on,on,on,on,directory,NtServicePackUninstall
Will add a path “C:\Windows” that turns on all of the supported event types (create, delete, write, and rename) and adds 3 directory exclusions (NtServicePackUninstall, NtUninstall, and Help).
Will add a path “C:\Windows\assembly” that turns on the create and delete event types and adds 1 file exclusion (*).
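To sanity-check a CSV import file against the rules on this page (one path style per watchlist, on/off flags per event type, wildcards only in file path type exclusions) before uploading it, here is an added Python validator; it is not Tanium's code. It assumes the column layout seen in the row above, path, then flags in the order create, delete, write, rename, then optional exclusion type/path pairs, and the sample rows are constructed.

```python
import csv
import io
import re
# Assumed column layout, inferred from the sample row on this page:
# path,create,delete,write,rename[,exclusion_type,exclusion_path]*
EVENT_TYPES = ("create", "delete", "write", "rename")
EXCLUSION_TYPES = {"directory", "file"}

def path_style(path):
    """Classify a path as 'windows' or 'linux' (assumed heuristic)."""
    if re.match(r"[A-Za-z]:\\", path) or path.startswith("\\\\"):
        return "windows"
    if path.startswith("/"):
        return "linux"
    raise ValueError(f"unrecognised path style: {path!r}")

def parse_row(fields):
    """Turn one CSV row into a dict; raise ValueError if it is malformed."""
    if len(fields) < 5:
        raise ValueError(f"row needs a path plus 4 event flags: {fields}")
    path, flags, rest = fields[0], fields[1:5], fields[5:]
    if any(f not in ("on", "off") for f in flags):
        raise ValueError(f"event flags must be on/off: {flags}")
    if len(rest) % 2:
        raise ValueError(f"exclusions must come in type,path pairs: {rest}")
    exclusions = []
    for etype, epath in zip(rest[::2], rest[1::2]):
        if etype not in EXCLUSION_TYPES:
            raise ValueError(f"unknown exclusion type {etype!r}")
        # The page allows the * wildcard only for file path type exclusions.
        if "*" in epath and etype != "file":
            raise ValueError(f"wildcard only allowed in file exclusions: {epath!r}")
        exclusions.append((etype, epath))
    return {"path": path, "style": path_style(path),
            "events": {e: f == "on" for e, f in zip(EVENT_TYPES, flags)},
            "exclusions": exclusions}

def parse_watchlist_csv(text):
    """Parse a whole file and enforce one path style per watchlist."""
    rows = [parse_row(r) for r in csv.reader(io.StringIO(text)) if r]
    styles = {r["style"] for r in rows}
    if len(styles) > 1:
        raise ValueError(f"mixed path styles in one watchlist: {sorted(styles)}")
    return rows

# Constructed sample: the row shown on this page plus a second row matching
# the C:\Windows\assembly description (create and delete on, file exclusion *).
SAMPLE = ("C:\\Windows,on,on,on,on,directory,NtServicePackUninstall\r\n"
          "C:\\Windows\\assembly,on,on,off,off,file,*\r\n")
```

Running `parse_watchlist_csv` over a file before you click Upload catches a mixed Windows/Linux path set or a misplaced wildcard that the import would otherwise reject or silently misread.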
To filter the files/directories listed for a watchlist:
- Use the Filter by name field at the top right of the page listing the files/directories for a watchlist to show only the directories whose path name contains that text.
- You can delete the filtered directories in bulk or change the types of changes being monitored for files in those directories by selecting all.
- Delete the text in the Filter by Text field to return to the full list of files/directories.
You can export a watchlist if, for example, you created the watchlist in your QA/lab environment and you want to move it to your production environment, or for backup purposes.
Last updated: 7/5/2018 12:23 PM