Configuring watchlists

Watchlists define a set of files, directories, and Windows registry paths that you want to monitor for changes.

Integrity Monitor includes watchlist templates that contain critical files and directories that are typically monitored for Windows and Linux, and registry paths that are typically monitored for Windows. Create your own watchlists, or create watchlists from the included templates and then add or remove paths to tailor the watchlists to your environment.

You can configure each path in a watchlist to trigger events for specific change types: create, write, delete, or rename. For file paths, you can also trigger events for permission changes.

On Windows endpoints, the Audit File System permission must be configured in order to record permission changes. For more information, see Prepare Endpoints.

Create a watchlist

  1. From the Integrity Monitor menu, go to Watchlists.
  2. Click Create Watchlist.
  3. Enter a Name and Description for the new watchlist.

    Name the watchlist based on the application, business unit, or compliance standard you want to monitor.

  4. For Path Style, select Windows or Unix.

    The target endpoint operating system and path style must be consistent within a watchlist. For example, you cannot add a Windows file path or a Windows registry path to a watchlist that uses the Unix path style.

  5. (Optional) In the Watchlist Templates section, select templates from which to add initial paths to the watchlist.

    Use a template as a starting point, and modify the watchlist to suit the needs of your environment. Monitors that use the default watchlists from the included templates might record a significant number of events that are not necessarily cause for concern.

  6. Click Create.

Add and edit paths

After you create a watchlist, you add paths to determine the files, directories, and Windows registry paths that are monitored. If you used a template when creating a watchlist, you can edit the paths that were defined in the template.

Paths, inclusions, and exclusions

The paths you add to a watchlist determine the files, directories, and registry paths that are monitored on endpoints where the watchlist is deployed. You can use wildcard characters within a directory, file, registry key, or registry value name in a path. You cannot use wildcard characters to specify path separators, multiple directory levels, or multiple key levels.

To refine the files, directories, and registry paths that are monitored for a watchlist, add path inclusions or path exclusions. Without inclusions or exclusions defined, all files and directories in a file path or all keys and values in a registry path are monitored for the configured change types.

If you define path inclusions, only directories, files, registry keys, or registry values that match the inclusions are monitored.

If you define path exclusions, directories, files, registry keys, and registry values that match the exclusions are not monitored.

Exclusions take precedence over inclusions. If you define both inclusions and exclusions, all directories, files, registry keys, or registry values that match the inclusions are monitored, except those that match exclusions.

You can use wildcard characters in inclusions or exclusions, and, unlike wildcard characters in paths, they can represent path separators.

For more information and examples, see Reference: Watchlist path inclusions and exclusions.

Be specific when defining watchlists. For example, watching the C:\ or / directories on endpoints results in a large number of events that are not cause for concern. To help focus on events of concern, follow these guidelines:

  • When possible, add multiple specific file paths instead of a single directory path. Add multiple specific registry subkey paths instead of higher-level registry keys.
  • If you add a directory path, add inclusions for specific file types to watch, such as *.exe and *.dll.
  • Create multiple focused watchlists for different types of applications, software components, system configuration areas, or compliance standards. For example, if you need to monitor critical operating system files for Windows, and SQL Server critical files, directories, and registry entries, create separate watchlists for Windows and SQL Server. You can reuse these watchlists in multiple monitors for different monitoring needs.

Rely primarily on inclusions, and try to limit the number of exclusions for cleaner watchlists and more predictable monitoring.

Add a file path

Add file paths to a watchlist to define the files and directories that you want to monitor for changes on certain endpoints.

  1. Go to Watchlists > watchlist name.
  2. (For the Windows watchlist path style) Make sure the File Paths tab is active.
  3. Click Add Paths > New.
  4. In the Details section, provide the information for the path:
    • Enter the absolute path for the file or directory.

      You can use an asterisk (*) wildcard character to match any number of any characters or a question mark (?) wildcard character to match any single character.

      You can use wildcard characters within a directory or file name in a path, but you cannot use wildcard characters to specify path separators or multiple directory levels. (This usage differs from wildcard character usage in path inclusions or exclusions.)

      For example, if you specify the path /a/*/z, the path /a/b/z is monitored, but not /a/b/c/z.

    • In the Change Type section, select one or more change types that you want to monitor for the file or directory. The available change types are Create, Write, Delete, Rename, and Permission.

  5. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions section to add path inclusions or exclusions.

    You can use an asterisk (*) wildcard character to match any number of any characters or a question mark (?) wildcard character to match any single character.

    Wildcard characters that are used in a path inclusion or exclusion also match path separators (/ on Linux or \ on Windows). For example, if the path is /a and an inclusion is */z, this inclusion matches /a/b/z, /a/b/c/z, or /a/b/c/d/e/f/g/z.

    For more information and examples, see Reference: Watchlist path inclusions and exclusions.

    To add an additional path inclusion or exclusion, click Add in the corresponding section.

    To delete an inclusion or exclusion, click the delete icon next to it.

  6. Click Add Path.

(Windows) Add a registry path

Add registry paths to a watchlist to define the registry keys and values that you want to monitor for changes on certain endpoints. Registry paths are available for watchlists with a Windows path style only.

  1. Go to Watchlists > watchlist name. Click the Registry Paths tab.
  2. Click Add Paths > New.
  3. In the Details section, provide the information for the path:
    • Enter the absolute path for the registry key or value.

      You can use an asterisk (*) wildcard character to match any number of any characters or a question mark (?) wildcard character to match any single character.

      You can use wildcard characters within a key name or value name in a path, but you cannot use them to specify path separators or multiple key levels. (This usage is different from wildcard character usage in path inclusions or exclusions.) For example, if you have a path HKEY_LOCAL_MACHINE\*\z, the path HKEY_LOCAL_MACHINE\a\z is monitored, but not HKEY_LOCAL_MACHINE\a\b\z.

      For additional considerations for registry paths, see Considerations for registry paths.

    • In the Change Type section, select one or more change types that you want to monitor for the registry path. The available change types are Create, Write, Delete, and Rename.

  4. In the Inclusions and Exclusions section, expand the Path Inclusions or Path Exclusions section to add path inclusions or exclusions.

    You can use an asterisk (*) wildcard character to match any number of any characters or a question mark (?) wildcard character to match any single character.

    Wildcard characters used in a path inclusion or exclusion also match path separators (\). For example, if the path is HKEY_LOCAL_MACHINE\a and an inclusion is *\z, this inclusion matches HKEY_LOCAL_MACHINE\a\b\z, HKEY_LOCAL_MACHINE\a\b\c\z, or HKEY_LOCAL_MACHINE\a\b\c\d\e\f\g\z.

    For more information, see Reference: Watchlist path inclusions and exclusions.

    To add an additional path inclusion or exclusion, click Add in the corresponding section.

    To delete an inclusion or exclusion, click the delete icon next to it.

  5. Click Add Path.
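The wildcard rules stated in the "Paths, inclusions, and exclusions" section and in the file-path and registry-path procedures above are easy to get wrong, and a watchlist that is too broad buries real changes in noise. The following Python script is an added example, not Integrity Monitor's own code: it models those rules (wildcards in a path never cross a separator, wildcards in an inclusion or exclusion do, exclusions take precedence over inclusions) so you can check a candidate path and its inclusions and exclusions against sample file or registry names before deploying a monitor. The product's matching engine is not published on this page, so the anchoring of inclusion and exclusion specs and the case handling are assumptions derived from the page's examples.

```python
"""Added example (not Integrity Monitor code): a model of the watchlist
wildcard rules this page describes, for sanity-checking a path together
with its inclusions and exclusions against sample names.

Assumptions (the product's matcher is not published here):
  * Inclusion/exclusion specs are matched against the part of the name
    below the watched path; the page writes specs both without a leading
    separator (NtUninstall\\*) and with one (\\*), so both forms are tried.
  * Windows file and registry names compare case-insensitively; Unix
    paths compare case-sensitively.
"""
import re
from typing import Iterable, Optional


def _glob_to_regex(pattern: str, sep: str, cross_separators: bool):
    """Translate * and ? into a regex. In a watchlist path neither may
    match the separator; in an inclusion or exclusion both may."""
    any_char = "." if cross_separators else "[^" + re.escape(sep) + "]"
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(any_char + "*")
        elif ch == "?":
            pieces.append(any_char)
        else:
            pieces.append(re.escape(ch))
    flags = re.IGNORECASE if sep == "\\" else 0  # assumption, see docstring
    return re.compile("^" + "".join(pieces) + "$", flags)


def watched_root(path_pattern: str, candidate: str, sep: str) -> Optional[str]:
    """Return the prefix of `candidate` that the watchlist path matches, or
    None. Everything below a matched path is watched by default, so the
    path /a/*/z covers /a/b/z and /a/b/z/file but not /a/b/c/z."""
    pat = _glob_to_regex(path_pattern, sep, cross_separators=False)
    parts = candidate.split(sep)
    for i in range(len(parts), 0, -1):
        prefix = sep.join(parts[:i])
        if prefix and pat.match(prefix):
            return prefix
    return None


def spec_matches(spec: str, relative: str, sep: str) -> bool:
    """Match an inclusion or exclusion spec against the name below the
    watched root. The watched root itself (relative == "") is only
    matched by the bare form of the spec."""
    pat = _glob_to_regex(spec, sep, cross_separators=True)
    if pat.match(relative):
        return True
    return bool(relative) and pat.match(sep + relative) is not None


def is_watched(path_pattern: str, candidate: str, sep: str = "/",
               inclusions: Iterable[str] = (), exclusions: Iterable[str] = ()) -> bool:
    """Would a change to `candidate` be recorded for this watchlist path?"""
    root = watched_root(path_pattern, candidate, sep)
    if root is None:
        return False
    relative = candidate[len(root):].lstrip(sep)
    if any(spec_matches(e, relative, sep) for e in exclusions):
        return False  # exclusions take precedence over inclusions
    inclusions = list(inclusions)
    if inclusions and not any(spec_matches(i, relative, sep) for i in inclusions):
        return False  # with inclusions defined, only matching names are watched
    return True


if __name__ == "__main__":
    # Examples from the page: path wildcards stop at separators ...
    print(is_watched("/a/*/z", "/a/b/z"))        # True
    print(is_watched("/a/*/z", "/a/b/c/z"))      # False
    # ... but inclusion wildcards cross them.
    print(is_watched("/a", "/a/b/c/d/e/f/g/z", inclusions=["*/z"]))  # True
    # A focused Windows watchlist: only executables and libraries under C:\Windows,
    # with the page's NtUninstall exclusions winning over the inclusion.
    print(is_watched(r"C:\Windows", r"C:\Windows\System32\kernel32.dll", sep="\\",
                     inclusions=["*.exe", "*.dll"]))                 # True
    print(is_watched(r"C:\Windows", r"C:\Windows\NtUninstall\x.dll", sep="\\",
                     inclusions=["*.exe", "*.dll"],
                     exclusions=["NtUninstall", r"NtUninstall\*"]))  # False
```

Run it with a handful of real paths from an endpoint of each type before saving the watchlist; if the model says a noisy directory is watched, tighten the inclusions rather than piling on exclusions, as the guidelines above recommend.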

Considerations for registry paths

Determining watched subkeys and values

All subkeys and values under a key or keys specified by the path are included by default. For example, if you specify the path HKEY_LOCAL_MACHINE\a, then all values of the a key, all subkeys of the a key (such as HKEY_LOCAL_MACHINE\a\x, HKEY_LOCAL_MACHINE\a\y, and HKEY_LOCAL_MACHINE\a\z), and all values of those subkeys are also watched, unless you otherwise exclude them.

You cannot monitor an entire subtree, such as HKEY_LOCAL_MACHINE.

Specifying a value

To specify a value under a registry key, use a double-backslash separator (\\). For example, to specify the path to the Start value under the TermService key, enter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\\Start. If you specify a value, then only the value is watched, not the key specified in the path or any subkeys.

To specify the default value of a registry key, include only the double-backslash separator (\\), and no value name. For example, to specify the default value of the IEXPLORE.EXE key, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\\.

Also keep in mind that value names can contain backslashes. Any backslashes included in the path after a double-backslash are interpreted as part of the value name. For example, the path HKEY_LOCAL_MACHINE\MyKey\\\My\Value specifies the value name \My\Value under the HKEY_LOCAL_MACHINE\MyKey key.

Using an abbreviation for a subtree

You can use the abbreviation for the subtree in a path. The subtree name is expanded when you save your changes. For example, you can enter the path HKLM\MyKey, which is saved as HKEY_LOCAL_MACHINE\MyKey.

Subtree name          Abbreviation
HKEY_CLASSES_ROOT     HKCR
HKEY_CURRENT_USER     HKCU
HKEY_LOCAL_MACHINE    HKLM
HKEY_USERS            HKU
HKEY_CURRENT_CONFIG   HKCC

Using the HKEY_CURRENT_USER subtree in a path

When you add a path in the HKEY_CURRENT_USER subtree, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy, the HKEY_CURRENT_USER subtree in the path is changed to HKEY_USERS\* when you save your changes (for example, HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Group Policy). Because the Tanium Client uses the SYSTEM account, the HKEY_CURRENT_USER subtree applies to the SYSTEM account rather than the end user. Using HKEY_USERS\* instead lets Integrity Monitor record events for all users, including the end user currently logged into Windows.

Using a redirected registry key in a path

For 64-bit Windows, some registry keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\, are redirected to a WOW6432Node subkey (for example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node) for use by 32-bit applications. When you add key paths that are redirected under WOW64, the parallel key paths under the WOW6432Node keys are not automatically watched. If you want to monitor keys under these paths, you must enter them separately.
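The registry path rules in this "Considerations for registry paths" section (the double-backslash value separator, the default value, subtree abbreviations, the HKEY_CURRENT_USER rewrite, and the un-watched WOW6432Node parallel) are the kind of thing worth checking in bulk before importing a long list of paths. The following Python script is an added example, not Integrity Monitor's own code: it normalizes a registry path the way the section describes and rejects a bare subtree. The product's own normalizer is not published here, so this is a model of the stated rules; in particular, `wow6432_parallel` assumes for illustration that HKEY_LOCAL_MACHINE\SOFTWARE is the only redirected root, whereas the page says only that "some" keys are redirected.

```python
"""Added example (not Integrity Monitor code): normalize a watchlist
registry path according to the rules in "Considerations for registry
paths". The product's normalizer is not published; this models the page."""
from typing import NamedTuple, Optional

SUBTREE_ABBREVIATIONS = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}


class RegistryTarget(NamedTuple):
    key: str              # key path with the subtree name expanded
    value: Optional[str]  # None: the key and everything under it; "": the default value


def parse_registry_path(spec: str) -> RegistryTarget:
    """Split a path into key and value name, expand the subtree, and apply
    the HKEY_CURRENT_USER -> HKEY_USERS\\* rewrite the page describes."""
    # The FIRST double backslash separates key from value name; any
    # backslashes after it are part of the value name (\My\Value).
    if "\\\\" in spec:
        key, value = spec.split("\\\\", 1)
    else:
        key, value = spec, None
    subtree, _, rest = key.partition("\\")
    subtree = SUBTREE_ABBREVIATIONS.get(subtree.upper(), subtree.upper())
    if subtree not in SUBTREE_ABBREVIATIONS.values():
        raise ValueError(f"unknown registry subtree: {subtree!r}")
    if not rest and value is None:
        raise ValueError("an entire subtree such as HKEY_LOCAL_MACHINE cannot be monitored")
    # The client runs as SYSTEM, so HKEY_CURRENT_USER would be SYSTEM's hive;
    # HKEY_USERS\* watches every loaded user hive, including the logged-on user.
    if subtree == "HKEY_CURRENT_USER":
        subtree = "HKEY_USERS\\*"
    return RegistryTarget(subtree + ("\\" + rest if rest else ""), value)


def wow6432_parallel(key: str) -> Optional[str]:
    """Return the 32-bit (WOW6432Node) counterpart of a redirected key, which
    must be added to the watchlist separately, or None if there is none.
    Assumption for illustration: only HKEY_LOCAL_MACHINE\\SOFTWARE is treated
    as redirected here."""
    prefix = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
    upper = key.upper()
    if upper.startswith(prefix) and not upper.startswith(prefix + "WOW6432NODE"):
        return prefix + "WOW6432Node\\" + key[len(prefix):]
    return None


if __name__ == "__main__":
    for spec in (
        r"HKLM\MyKey",
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\\Start",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\\",
        r"HKEY_LOCAL_MACHINE\MyKey\\\My\Value",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy",
    ):
        target = parse_registry_path(spec)
        print(f"{spec}\n  key={target.key!r} value={target.value!r}"
              f" wow6432={wow6432_parallel(target.key)!r}")
```

A path that comes back with `value` set to a string watches only that value, not the key or its subkeys; if you meant the whole key, drop the trailing double backslash. Whenever `wow6432_parallel` returns a path, decide explicitly whether the 32-bit view needs its own entry.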

Import a path

You can import paths to a watchlist from a file that you created in another monitoring tool, or from a template that is provided with Integrity Monitor.

Add paths from a file

Tanium provides limited support for importing paths from Tripwire configurations, Open Source HIDS Security (OSSEC) configurations, Log Correlation Engine (LCE) Client policies, or CSV files. An imported file can contain either file and directory or registry paths.

In Integrity Monitor 2.6.2 and later, use a backslash (\) to escape backslashes in Windows paths. In versions earlier than 2.6.2, do not escape backslashes in Windows paths.

  1. From the details page for a watchlist, click Add Paths > Import From File.
  2. Click Choose Files.
  3. Browse to and select the path file or files and click Open.
  4. Click Import to import the file or files.

CSV format for path imports

The first line of a CSV file specifies the field names and defines the order of the values in the subsequent rows. The following fields are used in the import:

Field            Description
path             The file, directory, or registry path
ops_create       Whether to monitor the path for create actions (on or off)
ops_delete       Whether to monitor the path for delete actions (on or off)
ops_write        Whether to monitor the path for write actions (on or off)
ops_rename       Whether to monitor the path for rename actions (on or off)
ops_permission   Whether to monitor the path for changes in permission (on or off)
excludes_spec    An exclusion to apply to the path

You can add additional exclusions to a path by adding subsequent lines with all fields empty except for excludes_spec. These lines inherit the blank field values from the parent entry.

The following example CSV file demonstrates the structure to use to import paths to Integrity Monitor.

path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_spec
C:\\autoexec.bat,on,on,on,on,on,
C:\\Windows\\logs,on,on,on,on,off,\\*
C:\\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\\*
,,,,,,NtUninstall
,,,,,,NtUninstall\\*
,,,,,,Help
,,,,,,Help\\*
C:\\Windows\\assembly,on,on,on,on,on,\\*

In the preceding example, the following line adds the path C:\autoexec.bat and enables all of the supported change types:

C:\\autoexec.bat,on,on,on,on,on,

The following line adds the path C:\Windows\logs and enables the create, delete, write, and rename change types, but not the permission change type, and it adds the exclusion \*, which excludes any subdirectories within C:\Windows\logs:

C:\\Windows\\logs,on,on,on,on,off,\\*

The following lines add the path C:\Windows, enable all of the supported change types, and add exclusions for three directories and their subdirectories (NtServicePackUninstall, NtUninstall, and Help):

C:\\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\\*
,,,,,,NtUninstall
,,,,,,NtUninstall\\*
,,,,,,Help
,,,,,,Help\\*

The following line adds the path C:\Windows\assembly, enables all of the supported change types, and adds the exclusion \*:

C:\\Windows\\assembly,on,on,on,on,on,\\*
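Files that come out of another tool's export are the usual source of import surprises: a backslash that was or was not escaped, an ops_* flag that is neither on nor off, or an exclusion-only row that ended up before any path. The following Python script is an added example, not Integrity Monitor's own importer: it reads the CSV format described above, using the page's own sample file as its embedded input, applies the 2.6.2-and-later escaping rule (with a switch for older files), and folds the exclusion-only continuation rows into the preceding path. The validation it performs is an assumption about what a clean import should look like; the product may be stricter or more lenient.

```python
"""Added example (not Integrity Monitor code): parse and validate a path
import CSV before uploading it. Input below is the page's sample file."""
import csv
import io
from typing import Dict, List

OPS_FIELDS = ("ops_create", "ops_delete", "ops_write", "ops_rename", "ops_permission")

# The sample CSV from the page, embedded so the script runs offline.
SAMPLE_CSV = r"""path,ops_create,ops_delete,ops_write,ops_rename,ops_permission,excludes_spec
C:\\autoexec.bat,on,on,on,on,on,
C:\\Windows\\logs,on,on,on,on,off,\\*
C:\\Windows,on,on,on,on,on,NtServicePackUninstall
,,,,,,NtServicePackUninstall\\*
,,,,,,NtUninstall
,,,,,,NtUninstall\\*
,,,,,,Help
,,,,,,Help\\*
C:\\Windows\\assembly,on,on,on,on,on,\\*
"""


def unescape(field: str, escaped: bool) -> str:
    """Collapse each escaped backslash pair into one backslash (Integrity
    Monitor 2.6.2 and later); leave pre-2.6.2 files untouched."""
    return field.replace("\\\\", "\\") if escaped else field


def parse_import_csv(text: str, escaped_backslashes: bool = True) -> List[Dict]:
    """Return one entry per path: {"path", "change_types", "exclusions"}.
    Raises ValueError with the CSV line number for malformed rows."""
    entries: List[Dict] = []
    # DictReader consumes the header line, so data rows start at line 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):

        def cell(name: str) -> str:
            return (row.get(name) or "").strip()

        path = unescape(cell("path"), escaped_backslashes)
        spec = unescape(cell("excludes_spec"), escaped_backslashes)
        if not path:
            # Continuation row: inherits the parent path and adds one exclusion.
            if not entries:
                raise ValueError(f"line {lineno}: exclusion row has no preceding path")
            if any(cell(f) for f in OPS_FIELDS):
                raise ValueError(f"line {lineno}: continuation rows must leave ops_* fields empty")
            if spec:
                entries[-1]["exclusions"].append(spec)
            continue
        change_types = {}
        for field in OPS_FIELDS:
            flag = cell(field).lower()
            if flag not in ("on", "off"):
                raise ValueError(f"line {lineno}: {field} must be on or off, got {flag!r}")
            change_types[field[len("ops_"):]] = flag == "on"
        entries.append({"path": path, "change_types": change_types,
                        "exclusions": [spec] if spec else []})
    return entries


if __name__ == "__main__":
    for entry in parse_import_csv(SAMPLE_CSV):
        enabled = ", ".join(k for k, v in entry["change_types"].items() if v)
        print(f"{entry['path']}: {enabled}; exclusions={entry['exclusions']}")
```

Run the parser over a file produced by another tool before importing it; a ValueError pinpoints the row to fix, and the printed summary shows exactly which change types and exclusions each path will carry, including the inherited exclusions on continuation rows.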

Add paths from a template

Integrity Monitor includes watchlist templates that contain critical files and directories that are typically watched for Windows and Linux. While you can use these templates when creating new watchlists, you can also use them to add paths to existing watchlists.

  1. From the details page for a watchlist, click Add Paths > Import From Template.
  2. Select one or more templates and click Import.

Use a template as a starting point, and modify the watchlist to suit the needs of your environment. Monitors that use the default watchlists from the included templates might record a significant number of events that are not necessarily cause for concern.

Update change types for multiple paths

  1. From the details page for a watchlist, select one or more paths.
  2. Click Manage Change Type.
  3. Select the appropriate change types and click Save.

What to do next

Create a monitor to deploy the watchlist to endpoints and record events for the paths defined in the watchlist. For more information, see Working with monitors.

Filter watchlists and view details

  • On the Watchlists page, you can use the Filter by name box to filter watchlists by name.
  • To view the monitors where the watchlist is used from the Watchlists page, click Expand for the watchlist.
  • To view paths for a watchlist, click the name of the watchlist. From the details page for the watchlist, click Expand for a path to view inclusions and exclusions for that path.
  • From the details page for a watchlist, you can use the Filter Items box to filter the paths that are shown.

Export and import watchlists

You can export a watchlist to transfer it to another environment (for example, if you created the watchlist in a QA or lab environment and you want to move it to a production environment) or for backup.

Export a watchlist

  1. From the Watchlists page, click the name of a watchlist to open the details page for that watchlist.
  2. Click Export Watchlist.

    The exported watchlist downloads in your browser as a JSON file.

Import a watchlist

  1. From the Watchlists page, click Import Watchlist.

  2. Click Choose File.
  3. Browse to the watchlist file and click Open.
  4. Click Import to import the file.