
Release Notes Integrity Monitor (Version 1.6)

Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.

Tanium Integrity Monitor 1.6.1

Release Date: Feb 26, 2019

Resolved Issues

  • Fixes an issue where the Integrity Monitor service would crash at startup with a large database.
  • Fixes an issue where the Integrity Monitor workbench becomes unresponsive while pruning a large amount of data from the Integrity Monitor service database.
  • Fixes an issue where watching root directories, like C:\, caused errors when retrieving events with the event sensors.


Tanium Integrity Monitor 1.6.0

Release Date: Feb 19, 2019

Feature Improvements

  • Adds the ability to enable hash and event mode together for Linux endpoints.
    • Gets real time events correlated to interval-based hash checking.
    • Adds hash and hashedAt columns to the Integrity Monitor Overview and Detail events sensors.
      • New hash and hashedAt columns flow to Tanium Connect and weekly generated reports.
      • New hash and hashedAt columns not currently available for rules or label history viewing.
    • Finds and ignores real-time false writes by checking if the file hash changed.
    • Real-time events that do not correlate to a hash-based event within 6 hours will be surfaced without a hash. Until that 6-hour timeout, the real-time event will not be visible.
  • Renames the toggle recorder packages to "Integrity Monitor Enable or Disable Event Recorder [Windows]" and "Integrity Monitor Enable or Disable Event Recorder [Linux]".
  • Adds Integrity Monitor Endpoint Config Negative sensor and saved action per Linux monitor. Linux endpoints now wait for all endpoint configs before installing a monitor to prevent temporarily installing lower priority monitors.
  • Updates the deployment ID to be the date time of when the deploy monitors action started. The ID format is now milliseconds from epoch.
    • Endpoints will no longer install endpoint config associated with older deployment IDs.
    • Easily determine which deployment ID is latest in the Integrity Monitor Deployment ID sensor.
  • Simplifies Integrity Monitor tools deployment.
    • Tools actions per platform are no longer added during solution import.
    • Tools actions per platform are created during each deploy monitors action.
    • The Integrity Monitor Endpoint Tools Needed sensor is no longer needed. This sensor still exists but has been updated to do nothing. If it is used in any computer group definitions, please update those definitions to remove this sensor's usage.
  • During the deploy monitors action, monitor specific scheduled actions and saved questions are now deleted by name instead of ID.
    • Includes the saved questions, Integrity Monitor File Events Overview, Integrity Monitor Legacy File Events Overview, Integrity Monitor File Events Details, and Integrity Monitor Legacy File Events Details.
    • Includes the saved actions per platform and monitor, Integrity Monitor Endpoint Config, Integrity Monitor Endpoint Config Negative, and Integrity Monitor Tools.
    • Removes the above dynamic content left behind by previous Integrity Monitor installs.
  • Updates Integrity Monitor Tools Status sensor for hybrid mode.
    • Added `Baseline status: Not yet established` to denote when Index is doing its initial baseline. No new events will be returned by events sensors until baseline is complete.
    • Added `Baseline status: Re-establishing` to denote when Index has completed its initial baseline, but is re-baselining. May result in delayed event correlation until re-baseline is complete.
    • Added `Baseline status: Established` to denote when Index has completed an accurate baseline. Events sensors will return events.
    • Added `Event correlation began` time buckets to provide a status on how long event correlation has been running.
    • Added `Earliest hash watchlist available was created` time buckets to denote that Index is re-walking the disk to prepare for the newest deployed watchlist.
      • Events for previously existing paths will continue to surface from the event sensors.
      • Create Events for new paths will not surface until the re-walk of the disk is complete.
    • Added `No previous hash watchlists found` to denote Index is not doing a re-walk of the disk that impacts events from the events sensor.


Resolved Issues

  • Fixes a typo in the /etc/passwd path in the critical Linux template.
  • Fixes performance of watchlist name correlation with a large number of paths in the Windows Integrity Monitor Events Details sensor.
  • Fixes the Integrity Monitor Overview and Details events sensors in hash mode to properly look back based on the hour offset parameter.
  • Fixes an issue where false file creates and deletes are generated in hash only mode when adding or removing paths to a watchlist.
  • Fixes an issue where the Overview and Detail event sensors looked back too far based on the hour offset parameter.
  • Upgrades Linux Index to v2.4.0.0063.
    • Fixes an issue where Index could incorrectly emit Integrity Monitor create events when a directory was deleted.
    • Fixes an issue where Index exclusions were ignored if config.ini lines were too long.
    • Fixes an issue where Index would emit incorrect create events for previously existing files.
    • Fixes an issue where Index would incorrectly mark a scan as complete even though the scan failed due to errors.


Additional Information

Known Issues and Workarounds

  • For Windows endpoints only, Tanium Integrity Monitor events can be turned off if Tanium Trace file events are turned off.
  • The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.

Requirements

  • Tanium Platform 7.0.314.6422 and above.
    • For older 7.0 builds, please consult your Technical Account Manager for assistance.
  • Tanium Platform 7.1.314.3071 and above for RBAC support.
  • Tanium Connect 4.0 and above.
  • Legacy Windows support requires Tanium Index 1.6.0 and above.
  • Monitoring permission change events.
    • Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
    • Windows NT 6.0 (Windows Server 2008 / Windows Vista) or below requires setting Tanium Index config setting ScanFilePermissions=on.

Supported Tanium Platforms

Tanium Server 7.0, 7.1, 7.2, 7.3

Product Documentation and Resources

Integrity Monitor Documentation