Working with watchlists

Create a watchlist to define a set of files and/or directories you want to monitor for any changes.

Create a new watchlist

  1. Select Watchlists from the left navigation menu.
  2. On the Watchlists page, click Create a New Watchlist.
  3. In the Details section, enter a Name and Description for the new watchlist.
  4. Select a Target OS from the drop-down list.
  5. Integrity Monitor ships with ready-to-use watchlist templates that contain critical files and directories that are typically monitored for Windows and Linux. In the Templates section, click add to add a template to the new watchlist.
  6. Click Create. When you go to Watchlists in the main menu, you will see the new watchlist listed. On the Watchlists page, you can select watchlists in bulk and use the Filter by name field to filter watchlists. Click the name of a watchlist on the Watchlists page to view the files and directories it includes.




The target operating system and paths must be consistent within a watchlist. For example, you cannot add a Windows path to a watchlist targeting a Linux operating system.

Edit a watchlist

  1. On the Watchlists page, click a watchlist.
  2. Click Edit in the top right corner.
  3. In the Edit Watchlist window, you can modify the Name, Description or Target OS for that watchlist.
If you change the Target OS for a watchlist, you will be prompted that all added paths will be removed once you confirm the change.

To customize the types of changes monitored on files in a directory listed in a watchlist or to add file exclusions for that directory:

  1. Select the path to modify and click Edit Path.
  2. In the Edit Path window, under Change Type, select or clear the types of change you want to monitor on that path.

See Permission recording for special procedures to monitor permission event types for Windows recorder.

View watchlist details

To view the details for a watchlist, on the Watchlists page, click the watchlist you want to view and click Expand next to the path.

The details you see for a watchlist depend on the role you are assigned in Integrity Monitor.

Add new paths

  1. Click Add Paths at the top of the screen listing the files/directories for a watchlist.
  2. Select New and provide the new path and the types of changes you want to monitor on that path.
  3. Click Add Path. The path will appear in the list of files/directories for that watchlist.
  4. In the Exclusions section of the Add Path window, you can also choose to exclude a specific sub-directory path or file by clicking + Add Exclusion and providing the path and path type. You can use a wildcard (*) when defining file path type exclusions.

To add paths by importing them from files you have already configured for other monitoring tools:

  1. Under Add Path, select Import From File and choose the appropriate file. Tanium currently provides limited support for importing paths from Tripwire configuration files, OSSEC configuration files, Tenable LCE policy files, and Tanium CSV files. An example of a Tanium CSV file is shown below.
  2. Click Upload.

You can also add paths from templates by selecting Import From Template under Add Paths.

Example Tanium CSV file used to import paths

path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_type,excludes_spec
C:\autoexec.bat,on,on,on,on,,,
C:\Windows,on,on,on,on,,directory,NtServicePackUninstall
,,,,,,directory,NtUninstall
,,,,,,directory,Help
C:\Windows\assembly,on,on,off,off,on,file,*

C:\autoexec.bat,on,on,on,on,,,

This row adds the path “C:\autoexec.bat” and turns on all of the supported event types (create, delete, write, rename).

C:\Windows,on,on,on,on,,directory,NtServicePackUninstall
,,,,,,directory,NtUninstall
,,,,,,directory,Help

These rows add the path “C:\Windows”, turn on all of the supported event types (create, delete, write, and rename), and add 3 directory exclusions (NtServicePackUninstall, NtUninstall, and Help).

C:\Windows\assembly,on,on,off,off,on,file,*

This row adds the path “C:\Windows\assembly”, turns on the create and delete event types, and adds 1 file exclusion (*).
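
A pre-upload check for a CSV file in the format shown above, as an added example that is not part of Tanium's product or documentation. It flags rows whose field count differs from the header, paths that do not match the watchlist's target OS, and exclusion rows with no valid path above them. The function name and the validation rules are assumptions of this example; only the column names come from the page.

```python
import csv
import io
import re

HEADER = ["path", "ops_create", "ops_delete", "ops_write", "ops_rename",
          "ops_permission", "excludes_type", "excludes_spec"]  # header row shown on the page
OPS = HEADER[1:6]
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")  # drive-letter path such as C:\Windows

def lint_watchlist_csv(text, target_os):
    """Return (entries, problems); target_os is 'windows' or 'linux'. Rules are assumptions."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != HEADER:
        return [], ["line 1: header does not match the expected columns"]
    entries, problems, current = [], [], None
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(row):
            continue  # blank line
        if len(row) != len(HEADER):
            problems.append(f"line {lineno}: {len(row)} fields, expected {len(HEADER)}")
            current = None  # a shifted row must not receive later exclusion rows
            continue
        rec = dict(zip(HEADER, row))
        if rec["path"]:
            current = None
            if bool(WINDOWS_PATH.match(rec["path"])) != (target_os == "windows"):
                problems.append(f"line {lineno}: path does not match target OS {target_os}")
            elif any(rec[c] not in ("on", "off", "") for c in OPS):
                problems.append(f"line {lineno}: event columns must be on, off or empty")
            else:
                current = {"path": rec["path"], "excludes": [],
                           "ops": [c[4:] for c in OPS if rec[c] == "on"]}
                entries.append(current)
        elif current is None:
            problems.append(f"line {lineno}: exclusion row has no valid path above it")
        if current is not None and (rec["excludes_type"] or rec["excludes_spec"]):
            if rec["excludes_type"] in ("file", "directory") and rec["excludes_spec"]:
                current["excludes"].append((rec["excludes_type"], rec["excludes_spec"]))
            else:
                problems.append(f"line {lineno}: incomplete or unknown exclusion")
    return entries, problems

# Constructed sample: line 4 is one comma short, line 5 is a Linux path.
SAMPLE = r"""path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_type,excludes_spec
C:\Windows,on,on,on,on,,directory,Help
,,,,,,directory,NtUninstall
C:\inetpub,on,on,on,on,directory,logs
/etc/passwd,on,on,on,on,off,,"""
```

Calling `lint_watchlist_csv(SAMPLE, "windows")` returns one accepted entry for C:\Windows with both directory exclusions attached, plus two problems for lines 4 and 5.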

Filter files and directory paths

  1. Use the Filter by name field at the top right of the page listing the files/directories for a watchlist to show only the directories with that text in the path name.
  2. You can delete the filtered directories in bulk or change the types of changes being monitored for files in those directories by selecting all.
  3. Delete the text in the Filter by Text field to return to the full list of files/directories.

Export and import watchlists

You can export a watchlist if, for example, you created the watchlist in your QA/lab environment and you want to move it to your production environment, or for backup purposes.

To export a watchlist, select it and click Export at the top right of the Watchlists page.

To import the watchlist, click Import at the top right of the Watchlists page and then select the watchlist file in the Import Watchlist window.

Last updated: 4/10/2018 4:30 PM