Managing scan settings with monitors

Use monitors to define scan settings for the endpoints in a targeted computer group. A monitor can be deployed to multiple computer groups.

Each endpoint that you target in a watchlist must also be targeted in a monitor for the watchlist to take effect when you deploy watchlists and monitors. To identify endpoints to which you have deployed a monitor but no watchlists, ask the question: Get Computer Name and Client Extensions - Status matches "^integrity_monitor\|monitor_id\|[^0].*$" and Integrity Monitor - Active Watchlists from all machines with ( Client Extensions - Status matches "^integrity_monitor\|.*$" and Integrity Monitor - Active Watchlists contains No Results Found ). For more information about watchlists, see Managing watched paths with watchlists.

Create or edit a monitor

  • Create as few monitors as possible, and target those monitors as broadly as possible. Create additional monitors only to accommodate different scan settings, scan intervals, or rules.
  • When possible, avoid targeting different monitors to computer groups that contain some of the same endpoints. One monitor is deployed to each endpoint. You can prioritize monitors when computer groups overlap, but it is better to create non-overlapping computer groups to use with monitors for a more predictable deployment.
  • Name each monitor based on the operating system, business unit, or application group for which you are configuring scan settings.
  • Select the Collect process and user attribution information option to record real-time events and attribution data. This option subscribes the watchlist items to Tanium Recorder, and Tanium Index handles the items as high priority paths.
  1. From the Integrity Monitor menu, go to Monitors.
  2. Click Create Monitor, or click Edit in the row for an existing monitor that you want to edit.

  3. In the Summary section, enter a Name and Description for the monitor.

  4. (Optional) For Monitor Pruning Age, configure the time that Integrity Monitor should keep each event that the monitor records in the database.

    The Monitor Pruning Age determines how long Integrity Monitor stores events in the endpoint database. Auditing this database requires the assistance of Tanium Support. You can adjust this setting to meet the requirements of any applicable compliance standards and manage the database size on endpoints, but do not set it lower than 250 hours. When asking questions using Integrity Monitor sensors, you can view events as old as 250 hours.

  5. (Optional) For Database Maximum Size, enable and configure the maximum size in megabytes of the endpoint database.

    The endpoint attempts to prune the database after it reaches the Database Maximum Size, or if an event reaches the Monitor Pruning Age, whichever occurs first. If the endpoint prunes the database due to reaching the Database Maximum Size, but pruned events are not older than the Monitor Pruning Age, a health check runs because the Integrity Monitor data is incomplete and cannot be recovered.

    For the best results, work with Tanium Support to monitor the Integrity Monitor database before implementing size restrictions.

  6. To record real-time change events, such as create, write, delete, or rename operations, select Collect process and user attribution information. This method records the specific operation, as well as the associated user or process path.

    • This setting applies only to Windows and Linux endpoints. Solaris and AIX endpoints perform only hash monitoring, regardless of this setting.

    • If you disable this setting, the following behaviors apply:

      • Integrity Monitor records a rename operation as a delete operation followed by a create operation. On Solaris and AIX endpoints, Integrity Monitor always records a rename operation as a delete operation followed by a create operation.
      • Integrity Monitor does not return modifications to registry values as events. Create and delete operations are still recorded for individual registry values, regardless of this setting.
  7. For Index First Scan Distribute Over Time, configure the time over which to randomize the first file index scan on targeted endpoints. Randomizing this scan over a period of time helps balance resource use.

  8. For Index Scan Frequency, configure the interval between subsequent file index scans for all watchlists. This configuration acts as a fail-safe in case Tanium Recorder is unavailable. If another solution also uses Index, Integrity Monitor and the other solution maintain separate subscription and scan schedules.

    If the scan takes longer than the interval configured for this setting on an endpoint, the endpoint returns Scan completion took longer than configured scan interval from the Client Extensions - Status sensor and appears in the Endpoint Health panel on the Integrity Monitor Overview page. To resolve this condition, make sure that the endpoint meets the minimum system requirements for Integrity Monitor, and adjust this setting as necessary.

  9. In the Targeting section, click Select Computer Groups, select the computer groups to target, and click Save. For more information about computer groups, see Tanium Platform User Guide: Managing Computer Groups.

  10. Click Create (for a new monitor) or Save (for an existing monitor).
  11. After you create or edit a monitor, you must deploy all monitors. See Deploy monitors. If you are using rules, you must also redeploy all rules. See Deploy rules.

When you first deploy a monitor with the Collect process and user attribution information option enabled, Integrity Monitor installs the Tanium Driver on targeted Windows endpoints, unless another Tanium solution has already installed the driver. After the driver is first installed on a targeted endpoint, you must reboot that endpoint before Integrity Monitor can record process and user information associated with file and registry operations.

Prioritize monitors

One monitor is deployed to each endpoint. If an endpoint belongs to the targeted computer groups for two or more monitors, the monitor priority list determines which monitor is deployed to the endpoint.

When possible, avoid targeting different monitors to computer groups that contain some of the same endpoints. One monitor is deployed to each endpoint. You can prioritize monitors when computer groups overlap, but it is better to create non-overlapping computer groups to use with monitors for a more predictable deployment.

  1. From the Integrity Monitor menu, go to Monitors.
  2. Click Prioritize.
  3. Drag monitors into the order you want to prioritize them, or click Move to Position in the row for a monitor you want to reorder, enter the new position, and click Move. After you have reordered the monitors, click Save.

  4. After you re-prioritize, you must deploy all monitors. See Deploy monitors.

Deploy monitors

After you create, edit, reprioritize, or delete monitors, you must deploy all monitors to the endpoints. A Deploy Now banner appears, and Pending Deployment (new monitors), Pending Deployment (changed monitors), or Pending Deletion (deleted monitors) appears in the Status column for the monitor on the All Monitors page.

If you have more than one monitor, all monitors are deployed each time you deploy monitors.

When you deploy a monitor, you deploy all monitors. When you take an action on monitors (such as creating, modifying, or reprioritizing monitors) you are prompted to deploy all monitors. For best results, create all planned monitors, and then deploy them at the same time. If you deploy a monitor with restricted management rights, the set of management rights is applied to all deployed monitors. The monitor or Integrity Monitor tools are removed from any endpoints that are not a member of the updated computer management group.

You cannot deploy monitors to endpoints with action locks turned on.on, unless Endpoint Configuration is configured to ignore action locks. For more information, see Install and configure Tanium Endpoint Configuration and Tanium Console User Guide: Managing action locks.

  1. Click Deploy Now in the banner or Deploy All Monitors on the All Monitors page.
  2. Confirm the deployment. If you have more than one monitor, all monitors are deployed.
  • If you enabled Endpoint Configuration approval, monitor deployment must be approved in Endpoint Configuration before monitors deploy to endpoints.
  • If you delete a monitor, any rules assigned only to that monitor are automatically deleted from the Integrity Monitor workbench. The rules are no longer active on endpoints, but they are not removed from endpoints. Therefore, you will not see an approval in Endpoint Configuration.
  • Monitors automatically redeploy when Integrity Monitor is upgraded in Tanium™ Cloud, which could occur without prior notice. If you have not yet deployed a newly created monitor, it is automatically deployed if the module is upgraded before you manually deploy it.
  • If you delete a monitor, any rules assigned only to that monitor are automatically deleted from the Integrity Monitor workbench. The rules are no longer active on endpoints, but they are not removed from endpoints.

Check the status of deployed monitors

To check the status of deployed monitors on endpoints, ask the question: Get Integrity Monitor - Tools Version and Computer name from all machines.

For information about any error messages returned by the question, see Troubleshooting Integrity Monitor.