Working with watchlists

Watchlists define a set of files, directories, and/or Windows registry paths that you want to watch for changes.

Integrity Monitor includes watchlist templates that contain critical files and directories that are typically monitored for Windows and Linux, and registry paths that are typically monitored for Windows.

You can create your own watchlists, or you can create watchlists from the included templates and then add or remove file and/or registry paths to watch.

Be specific when defining watchlists. For example, watching the C:\ or / directories on endpoints results in a large number of events that are not cause for concern. To help focus on events of concern, follow these guidelines:

  • When possible, add multiple specific file paths instead of a single directory path. Likewise, add multiple specific registry subkey paths instead of higher-level registry keys.
  • If you add a directory path, add inclusions for specific file types that should be watched, such as *.exe and *.dll.
  • Create multiple focused watchlists for the different types of applications, software components, system configuration areas, and/or compliance standards that you are monitoring. For example, if you need to monitor critical operating system files for Windows and critical files, directories, and registry entries for SQL Server, create one watchlist for Windows and a separate watchlist for SQL Server. You can reuse these watchlists in multiple monitors for different monitoring needs.

Path inclusions and exclusions

If needed, you can refine the paths in a watchlist by adding path inclusions or path exclusions.

If you define path inclusions, only directories and/or files in the file path or keys and/or values in the registry path that match the inclusion are monitored for the configured change types (create, write, delete, rename, or—for file paths only—permission). If you do not define any path inclusions, all files and directories in a file path or all keys and values in a registry path are watched for the configured change types.

If you define path exclusions, directories and/or files in the file path or keys and/or values in the registry path that match the exclusion are not watched.

If you define both, all directories and/or files in the file path or keys and/or values in the registry path are watched if they fall within one of the inclusion definitions for the path, unless they also fall within one of its exclusion definitions.

Use exclusions as necessary, but for cleaner watchlists and more predictable monitoring, rely primarily on inclusions, and limit the number of exclusions.

For more information, see Reference: Watchlist path inclusions and exclusions.

Inclusions and exclusions are not required for a path. You can define multiple inclusions or exclusions for a path. When you define path inclusions or exclusions, you can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character. Exclusions take precedence over inclusions.

Create a watchlist

  1. Select Watchlists from the Integrity Monitor menu.
  2. On the Watchlists page, click Create Watchlist.
  3. Enter a Name and Description for the new watchlist.

    Name the watchlist based on the application, business unit, and/or compliance standard you want to monitor.

  4. Select a Path Style: Unix or Windows.

    The target endpoint operating system and paths must be consistent within a watchlist. For example, you cannot add a Windows file path or a Windows registry path to a watchlist that uses the Unix path style.


  5. In the Watchlist Templates section, select any optional templates to use for the watchlist.
  6. Click Create.

You must create a monitor to deploy the watchlist to endpoints and record events for the paths defined in the watchlist. For more information, see Working with monitors.

View watchlist details

On the Watchlists page, you can use the Filter by name field to filter watchlists.

To view details and paths for a watchlist, click the name of the watchlist. Click Expand next to a path to view the details for that path.


The details you see for a watchlist depend on the role you are assigned in Integrity Monitor.

Edit a watchlist

  1. From the Integrity Monitor menu, select Watchlists.
  2. Click the name of the watchlist to open the watchlist details page.
  3. Click Edit.
  4. Edit the Name, Description or Path Style for the watchlist.

    If you change the Path Style for a watchlist, all existing paths are removed when you confirm the change.

  5. Click Save.

Add a file path

Add file paths to a watchlist to define the files and directories that you want to watch for changes.

  1. Select Watchlists from the Integrity Monitor menu.
  2. Click the name of the watchlist to open the watchlist details page.
  3. If the watchlist path style is Windows, select the File Paths tab. (Only file paths are available for watchlists with a Linux path style.)
  4. Click Add Paths > New.
  5. In the Details section, provide the information for the path:
    • Path: Specify the absolute path for the file or directory

      You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

      When you define a path, you can use the wildcards within a directory or file name, but you cannot use them to span multiple directory levels. This behavior differs from wildcard behavior in path inclusions or exclusions. For example, the path /a/*/z matches /a/b/z, but not /a/b/c/z.

    • Change Type: Select one or more change types that you want to watch for the file or directory: Create, Write, Delete, Rename, or Permission.

  6. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions sections to add path inclusions and exclusions.

    Click Add in the corresponding section to add additional input fields where you can specify more path inclusions or exclusions.

    You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

    When you use wildcards in a path inclusion or exclusion, the * wildcard matches zero or more characters and the ? wildcard matches exactly one character, and in both cases the matched characters can include path separators (/ on Linux or \ on Windows). For example, if the path is /a and an inclusion is */z, this inclusion matches /a/b/z, /a/b/c/z, and /a/b/c/d/e/f/g/z.

    For more information, see Reference: Watchlist path inclusions and exclusions.

  7. Click Add Path to save your changes.
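The rules in steps 5 and 6, together with the precedence rules in Path inclusions and exclusions, can be modelled in a small matcher: wildcards in the watch path stop at a separator, wildcards in an inclusion or exclusion cross separators, no inclusions means everything beneath the path is watched, and an exclusion always wins over an inclusion. The code below is an added example written for this page, not Integrity Monitor's own matching code, and it makes assumptions the page does not state: matching is case-sensitive, an inclusion or exclusion is compared against the part of a candidate path beneath the watch path with any leading separator dropped, and the watch path itself is always watched. Because registry key paths follow the same wildcard rules with \ as the separator, the same model covers the registry examples later on this page.

```python
"""Watchlist path matching model (added example; not Tanium's code).

Two wildcard scopes are described on the page:
  - In the watch path, * and ? never cross a separator (/a/*/z matches /a/b/z, not /a/b/c/z).
  - In inclusions/exclusions, * and ? may cross separators (path /a, inclusion */z matches /a/b/c/z).
Precedence: no inclusions -> everything beneath the path is watched; exclusions win over inclusions.
Assumptions not stated on the page: matching is case-sensitive; an inclusion/exclusion is compared
against the portion of a candidate beneath the watch path, with any leading separator dropped;
the watch path itself is always watched.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


def _glob_regex(pattern: str, sep: str, cross_separators: bool):
    """Compile a * / ? glob. When cross_separators is False, wildcards stop at sep."""
    any_char = "." if cross_separators else "[^" + re.escape(sep) + "]"
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(any_char + "*")
        elif ch == "?":
            parts.append(any_char)
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


@dataclass
class WatchPath:
    path: str                                   # e.g. "/a/*/z" or r"HKEY_LOCAL_MACHINE\a"
    style: str = "Unix"                         # "Unix" or "Windows" path style
    inclusions: List[str] = field(default_factory=list)
    exclusions: List[str] = field(default_factory=list)

    @property
    def sep(self) -> str:
        return "\\" if self.style == "Windows" else "/"

    def _relative(self, candidate: str) -> Optional[str]:
        """Return the part of candidate beneath this watch path ('' for the path itself),
        or None when the candidate is not under a directory/key the path pattern matches."""
        sep = self.sep
        levels = len(self.path.split(sep))      # the path pattern spans exactly this many levels
        parts = candidate.split(sep)
        if len(parts) < levels:
            return None
        head = sep.join(parts[:levels])
        if not _glob_regex(self.path, sep, cross_separators=False).match(head):
            return None
        return sep.join(parts[levels:])

    def _matches_any(self, patterns: List[str], rel: str) -> bool:
        # Assumption: a leading separator in a pattern (e.g. \*) is dropped before matching.
        return any(_glob_regex(p.lstrip(self.sep), self.sep, True).match(rel) for p in patterns)

    def is_watched(self, candidate: str) -> bool:
        rel = self._relative(candidate)
        if rel is None:
            return False                        # not under this watch path at all
        if rel == "":
            return True                         # assumption: the watch path itself is always watched
        if self._matches_any(self.exclusions, rel):
            return False                        # exclusions take precedence over inclusions
        if not self.inclusions:
            return True                         # no inclusions -> everything beneath is watched
        return self._matches_any(self.inclusions, rel)


if __name__ == "__main__":
    logs = WatchPath(r"C:\Windows\logs", "Windows", exclusions=[r"\*"])
    print(logs.is_watched(r"C:\Windows\logs"), logs.is_watched(r"C:\Windows\logs\x.log"))
```

Run with the page's own examples to see the difference between the two scopes: `WatchPath("/a/*/z")` watches `/a/b/z` but not `/a/b/c/z`, while `WatchPath("/a", inclusions=["*/z"])` watches `/a/b/c/d/e/f/g/z` because the inclusion wildcard crosses separators.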

Add a registry path

Add registry paths to a watchlist to define the registry keys and/or values that you want to watch for changes. Registry paths are available only for watchlists with a Windows path style.

  1. Select Watchlists from the Integrity Monitor menu.
  2. Click the name of the watchlist to open the watchlist details page.
  3. Click the Registry Paths tab.
  4. Click Add Paths > New.
  5. In the Details section, provide the information for the path:
    • Key Path: Specify the absolute path for the registry key or value.

      You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

      When you define a path, you can use the wildcards within a key name or value name, but you cannot use them to span multiple key levels. This behavior differs from wildcard behavior in path inclusions or exclusions. For example, the path HKEY_LOCAL_MACHINE\*\z matches HKEY_LOCAL_MACHINE\a\z, but not HKEY_LOCAL_MACHINE\a\b\z.

      For additional considerations for registry paths, see Special considerations for registry paths.

    • Change Type: Select one or more change types that you want to watch for the registry key or value: Create, Write, Delete, or Rename.

  6. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions sections to add path inclusions and exclusions.

    Click Add in the corresponding section to add additional input fields where you can specify more path inclusions or exclusions.

    You can use asterisk (*) wildcards to match any number of any character or a question mark wildcard (?) to match any one character.

    When you use wildcards in a path inclusion or exclusion, the * wildcard matches zero or more characters and the ? wildcard matches exactly one character, and in both cases the matched characters can include the path separator (\). For example, if the path is HKEY_LOCAL_MACHINE\a and an inclusion is *\z, this inclusion matches HKEY_LOCAL_MACHINE\a\b\z, HKEY_LOCAL_MACHINE\a\b\c\z, and HKEY_LOCAL_MACHINE\a\b\c\d\e\f\g\z.

    For more information, see Reference: Watchlist path inclusions and exclusions.

  7. Click Add Path to save your changes.

Special considerations for registry paths

All subkeys and values under a key or keys specified by the path are included by default. For example, if you specify the path HKEY_LOCAL_MACHINE\a, then all values of the a key, all subkeys of the a key (such as HKEY_LOCAL_MACHINE\a\x, HKEY_LOCAL_MACHINE\a\y, and HKEY_LOCAL_MACHINE\a\z), and all values of those subkeys are also watched, unless you otherwise exclude them.

To specify a value under a registry key, use a double-backslash separator (\\). For example, to specify the path to the Start value under the TermService key, enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\\Start. If you specify a value, then only the value is watched, not the key specified in the path or any subkeys.

To specify the default value of a registry key, include only the double-backslash separator (\\), and no value name. For example, to specify the default value of the IEXPLORE.EXE key, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\\.

Also keep in mind that value names can contain backslashes. Any backslashes included in the path after a double-backslash are interpreted as part of the value name. For example, the path HKEY_LOCAL_MACHINE\MyKey\\\My\Value specifies the value name \My\Value under the HKEY_LOCAL_MACHINE\MyKey key.

You can use the abbreviation for the subtree in a path. The subtree name is expanded when you save your changes. For example, you can enter the path HKLM\MyKey, which is saved as HKEY_LOCAL_MACHINE\MyKey.

Subtree name          Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC

When you add a path in the HKEY_CURRENT_USER subtree, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy, the HKEY_CURRENT_USER subtree in the path is changed to HKEY_USERS\* when you save your changes (for example, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Group Policy). Because the Tanium Client uses the SYSTEM account, the HKEY_CURRENT_USER subtree applies to the SYSTEM account rather than the end user. Using HKEY_USERS\* instead lets Integrity Monitor record events for all users, including the end user currently logged into Windows.

For 64-bit Windows, some registry keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\, are redirected to a WOW6432Node subkey (for example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node) for use by 32-bit applications. When you add key paths that are redirected under WOW64, the parallel key paths under the WOW6432Node keys are not automatically watched. If you want to watch keys under these paths, you must enter them separately.

You cannot watch an entire subtree, such as HKEY_LOCAL_MACHINE.
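The registry path rules in this section (abbreviation expansion, the HKEY_CURRENT_USER to HKEY_USERS\* rewrite, the double-backslash value separator with backslashes allowed in value names, the empty name for a default value, and the rule that a bare subtree cannot be watched) are easy to get wrong when building watchlists in bulk. The following is an added example written for this page, not Integrity Monitor's own normalization code; the wow6432node_companion helper is a simplification added here, since it treats every path under HKEY_LOCAL_MACHINE\SOFTWARE as redirected although Windows shares some of those subkeys rather than redirecting them.

```python
"""Normalize a registry path as described in Special considerations for registry paths
(added example; not Tanium's code). The WOW6432Node companion is a simplification: it
assumes every path under HKEY_LOCAL_MACHINE\SOFTWARE is redirected for 32-bit applications."""
from dataclasses import dataclass
from typing import Optional

SUBTREES = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
VALUE_SEP = "\\\\"  # the literal two-character sequence \\ that separates key from value name


@dataclass(frozen=True)
class RegistryPath:
    key: str                    # fully expanded key path, e.g. HKEY_USERS\*\Software\...
    value_name: Optional[str]   # None: watch key, subkeys and values; "": the key's default value

    def __str__(self) -> str:
        return self.key if self.value_name is None else self.key + VALUE_SEP + self.value_name


def normalize_registry_path(raw: str) -> RegistryPath:
    # Split at the FIRST double backslash; everything after it, backslashes included, is the
    # value name (so HKEY_LOCAL_MACHINE\MyKey\\\My\Value names the value \My\Value).
    key, sep, value = raw.partition(VALUE_SEP)
    value_name = value if sep else None
    parts = key.split("\\")
    root = SUBTREES.get(parts[0].upper(), parts[0].upper())
    if root not in SUBTREES.values():
        raise ValueError(f"unknown registry subtree: {parts[0]}")
    if len(parts) == 1 and value_name is None:
        raise ValueError("cannot watch an entire subtree such as " + root)
    if root == "HKEY_CURRENT_USER":
        # The Tanium Client runs as SYSTEM, so HKCU would mean SYSTEM's hive;
        # HKEY_USERS\* records events for every user, including the logged-on end user.
        parts = ["HKEY_USERS", "*"] + parts[1:]
    else:
        parts[0] = root
    return RegistryPath("\\".join(parts), value_name)


def wow6432node_companion(rp: RegistryPath) -> Optional[str]:
    """Suggest the parallel WOW6432Node path that is NOT watched automatically (simplified)."""
    prefix = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
    upper = rp.key.upper()
    if upper.startswith(prefix) and "WOW6432NODE" not in upper:
        return str(RegistryPath(prefix + "WOW6432Node\\" + rp.key[len(prefix):], rp.value_name))
    return None


if __name__ == "__main__":
    for raw in (r"HKLM\MyKey", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy",
                r"HKEY_LOCAL_MACHINE\MyKey\\\My\Value"):
        print(raw, "->", normalize_registry_path(raw))
```

The frozen dataclass keeps the key and the value name separate, which is the distinction that matters when reviewing a watchlist: a path with a value name watches that single value only, while a path without one watches the key, all of its subkeys, and all of their values.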

Import a path

You can add paths to a watchlist by importing them from a file that you configured with another monitoring tool or a template that is provided with Integrity Monitor.

Add paths from a file

Tanium currently provides limited support for importing paths from Tripwire configuration, OSSEC configuration, LCE Client policy, or CSV files. An example of a Tanium CSV file is shown in the subsequent section.

In Integrity Monitor 2.6.2 and later, use a backslash (\) to escape backslashes in Windows paths. In versions earlier than 2.6.2, do not escape backslashes in Windows paths.

  1. From the watchlist details page, click Add Paths > Import From File.
  2. Click Choose Files.
  3. Browse to and select the path file or files and click Open.
  4. Click Import to import the file or files.

Example Tanium CSV file used to import paths

This CSV file is an example of the style to use to import paths to Integrity Monitor. The first line specifies the column name and defines the order of the values in the subsequent rows.

path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_spec
C:\\autoexec.bat,on,on,on,on,on,
C:\\Windows\\logs,on,on,on,on,off,\\*
C:\\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\\*
,,,,,,NtUninstall
,,,,,,NtUninstall\\*
,,,,,,Help
,,,,,,Help\\*
C:\\Windows\\assembly,on,on,on,on,on,\\*

C:\\autoexec.bat,on,on,on,on,on,

In the preceding CSV example, this line adds a path, C:\autoexec.bat, and enables all of the supported change types (create, delete, write, rename, permission).

C:\\Windows\\logs,on,on,on,on,off,\\*

In the preceding CSV example, this line adds a path, C:\Windows\logs, and enables the create, delete, write, and rename change types, but not the permission change type. It adds one exclusion (\*). With this configuration, only the watchlist path itself is watched: C:\Windows\logs is watched, but nothing below that directory.

C:\\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\\*
,,,,,,NtUninstall
,,,,,,NtUninstall\\*
,,,,,,Help
,,,,,,Help\\*

In the preceding CSV example, these lines add a path, C:\Windows, enable all of the supported change types (create, delete, write, rename, permission), and add exclusions for three directories (NtServicePackUninstall, NtUninstall, and Help). Each directory uses two rows: the line ,,,,,,NtUninstall excludes the directory itself, and the line ,,,,,,NtUninstall\\* excludes everything below that directory.

C:\\Windows\\assembly,on,on,on,on,on,\\*

In the preceding CSV example, this line adds a path, C:\Windows\assembly, and enables all of the supported change types (create, delete, write, rename, permission). It adds one file exclusion (\*). With this configuration, only the watchlist path itself is watched. C:\Windows\assembly is watched, but nothing below that directory.
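Checking an import file before uploading it avoids surprises such as a continuation row that attaches an exclusion to the wrong path. The parser below is an added example written for this page, not Integrity Monitor's importer; it handles only the columns shown in the example above, applies the 2.6.2-and-later backslash escaping unless told otherwise, and treats a row with an empty path column as a continuation of the previous row, as the explanations above describe. The sample file embedded in it is constructed from the page's example.

```python
"""Parser for the Tanium CSV path-import format shown on this page (added example; not
Tanium's importer). Only the columns in the example are handled; the import validation
that Integrity Monitor itself performs is not described on the page and is not modelled."""
import csv
import io
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the same rows as the page's example import file.
SAMPLE_CSV = r"""path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_spec
C:\\autoexec.bat,on,on,on,on,on,
C:\\Windows\\logs,on,on,on,on,off,\\*
C:\\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\\*
,,,,,,NtUninstall
,,,,,,NtUninstall\\*
,,,,,,Help
,,,,,,Help\\*
C:\\Windows\\assembly,on,on,on,on,on,\\*
"""


@dataclass
class ImportedPath:
    path: str
    change_types: List[str] = field(default_factory=list)   # e.g. ["create", "delete", ...]
    exclusions: List[str] = field(default_factory=list)


def unescape(value: str, escaped_backslashes: bool = True) -> str:
    """Collapse \\ to \ for 2.6.2-and-later files; pass through unchanged for older files."""
    return value.replace("\\\\", "\\") if escaped_backslashes else value


def parse_import_csv(text: str, escaped_backslashes: bool = True) -> List[ImportedPath]:
    paths: List[ImportedPath] = []
    reader = csv.DictReader(io.StringIO(text))
    for lineno, row in enumerate(reader, start=2):        # line 1 is the header
        raw_path = (row.get("path") or "").strip()
        exclude = (row.get("excludes_spec") or "").strip()
        if raw_path:
            # ops_<type> columns set to "on" become the watched change types, in column order.
            ops = [col[len("ops_"):] for col in reader.fieldnames
                   if col.startswith("ops_") and (row.get(col) or "").strip().lower() == "on"]
            paths.append(ImportedPath(unescape(raw_path, escaped_backslashes), ops))
        elif not paths:
            raise ValueError(f"line {lineno}: continuation row before any path row")
        if exclude:
            # An empty path column continues the previous path and adds another exclusion.
            paths[-1].exclusions.append(unescape(exclude, escaped_backslashes))
    return paths


if __name__ == "__main__":
    for p in parse_import_csv(SAMPLE_CSV):
        print(p.path, p.change_types, p.exclusions)
```

Parsing the sample yields four paths; C:\Windows carries six exclusions (the directory and its contents for each of the three excluded directories), and C:\Windows\logs has every change type except permission. Pass `escaped_backslashes=False` for files written for versions earlier than 2.6.2.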

Add paths from a template

Integrity Monitor includes watchlist templates that contain critical files and directories that are typically watched for Windows and Linux.

From the watchlist details page, click Add Paths > Import From Template. Select one or more templates and click Import.

Use a template as a starting point, and modify the watchlist to suit the needs of your environment. Monitors that use the default watchlists from the included templates might record a significant number of events that are not necessarily cause for concern. Consult your Technical Account Manager (TAM) for guidance in setting up watchlists and for support if you encounter issues.

Edit a path

Edit a path to customize the types of changes that are watched on files. You can also add path inclusions or exclusions.

  1. On the Watchlists page, click the name of the watchlist.
  2. If the watchlist path style is Windows, select the File Paths or Registry Paths tab, depending on which type of path you want to edit. (Only file paths are available for watchlists with a Linux path style.)

  3. Select the path and click Edit Path.
  4. In the Details section, modify the fields as needed. For more information about the details of a path, see Add a file path or Add a registry path.
  5. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions sections to add, modify, or delete path inclusions and exclusions. For more information, see Reference: Watchlist path inclusions and exclusions.
  6. Click Save Path to save your changes.

See Permission recording for special procedures to monitor permission event types for the Windows recorder.

You can update the monitored change types for multiple paths at the same time.

  1. Select one or more paths.
  2. Click Manage Change Type.
  3. Select or clear the check boxes for the appropriate change types and click Save.

Delete paths

From the watchlist details page, select one or more paths and click Delete.

Export and import watchlists

You can export a watchlist to transfer it to another environment (for example, if you created the watchlist in a QA or lab environment and you want to move it to a production environment) or for backup purposes.

Export a watchlist

  1. On the Watchlists page, click the name of the watchlist.
  2. Click Export.

    The exported watchlist downloads in your browser in JSON format.

Import a watchlist

  1. From the Watchlists page, click Import Watchlist.
  2. Click Choose File.
  3. Browse to the watchlist file and click Open.
  4. Click Import to import the file.