Succeeding with Integrity Monitor

Follow these best practices to achieve maximum value and success with Tanium Integrity Monitor. These steps align with the key benchmark metrics: increasing Integrity Monitor coverage and reducing unexpected changes per endpoint.

Steps to succeed with Integrity Monitor

Step 1: Gain organizational effectiveness

Complete the key organizational governance steps to maximize Integrity Monitor value. For more information about each task, see Gaining organizational effectiveness.

Develop a dedicated change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional organizational alignment.

Track operational metrics.

Step 2: Install and configure Tanium modules

Install Tanium Client Management and Tanium Endpoint Configuration. See Tanium Client Management User Guide: Installing.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Install Tanium Connect. See Tanium Connect User Guide: Installing Tanium Connect.

Install Tanium Integrity Monitor. See Installing Integrity Monitor.

Step 3: Configure Integrity Monitor

Configure the service account. See Configure the Integrity Monitor service account.

Create computer groups with dynamic membership. See Tanium Console User Guide: Create a computer group.

Import the Integrity Monitor board from the Trends initial gallery. See Tanium Trends User Guide: Importing the initial gallery. If you installed Trends using the Apply Tanium recommended configurations option, the Integrity Monitor board is automatically imported after the Integrity Monitor service account is configured.

Step 4: Set up monitors

Use monitors to determine scan settings and frequencies for groups of endpoints.

Create a monitor, naming it based on the operating system, business unit, or application group you want to monitor.

Enable the Collect process and user attribution information option for the best coverage of events.

Configure a Monitor Pruning Age that meets the requirements of any applicable compliance standards and manages the database size on endpoints.

Select the computer groups that contain the endpoints you want to monitor. Target the monitor as broadly as possible, such as to All Windows Servers.

After you create monitors, click Deploy Monitors to deploy the monitors to the selected endpoints.

See Managing scan settings with monitors.

Step 5: Set up watchlists

Watchlists define a set of files, directories, and Windows registry paths that you want to monitor for changes.

Create a watchlist, naming it based on the application, business unit, or compliance standard you want to monitor.

Select a Windows or Unix path style. You must use separate watchlists for Windows and non-Windows endpoints.

Select the computer groups that contain the endpoints on which you want to monitor the selected paths for the watchlist. Target the watchlist narrowly to watch only the necessary paths on the appropriate endpoints.

(Optional) Start from a built-in template, and add custom file or registry paths to specify the files, folders, or registry paths you want to monitor.

Configure inclusions and exclusions for each path to refine the files, folders, or registry paths that you are monitoring.

Deploy watchlists.

See Managing watched paths with watchlists.

Step 6: Monitor change events and tune watchlists

Monitor the overview of changes.

Make adjustments to paths, inclusions, and exclusions in watchlists to exclude events that do not need to be monitored.

Monitor detailed events using questions and Tanium Connect.

See Viewing events.

Step 7: Define rules

After watchlists are tuned to capture only events of interest, create rules to automatically label events and help differentiate among planned, expected, ignored, and suspicious changes. See Create a rule.

Deploy rules. See Deploy rules.

Step 8: Set up IT workflow integration with ServiceNow Change Management

Create a ServiceNow integration in Integrity Monitor.

Configure and establish a connection to ServiceNow.

Map the Integrity Monitor statuses of Open, Closed, and Canceled to the states used in your ServiceNow change requests and change tasks.

Configure the schedules to synchronize data with ServiceNow.

See Integrating with IT workflows in ServiceNow.

Step 9: Export data to reports and incidents

Send expected and unexpected events to the appropriate external destinations for reporting. See Sending and reporting events.

Use unlabeled events to create incidents in ServiceNow Incident Management. See Create incidents for unlabeled events in ServiceNow Incident Management.

Step 10: Monitor Integrity Monitor health

From the Trends menu, click Boards and then click Integrity Monitor to view the Integrity Monitor - Health and Integrity Monitor - Summary Boards.

Monitor and troubleshoot Integrity Monitor health.