IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Integrity Monitor (Version 2.0)

From Tanium Knowledge Base
Jump to navigation Jump to search

Thank you for choosing Tanium. This document is intended to document the release of Tanium Integrity Monitor.

Important Notes

The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.0 versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.

Integrity Monitor 1.9.0.0057 includes a resolved issue for connections made on Legacy Windows monitors. Any connections made prior to this version will need to be deleted and remade if they are using either of the Integrity Monitor Legacy File Event Details/Overview Saved Questions. This includes connections made via the button within the Integrity Monitor interface on the monitor page.

Integrity Monitor 1.8.1.0013 includes updated sqlite routines which are required for a pending revision of sqlite which is bundled in Tanium's core python content. Modules using core python will begin to include the updated content 6/25/2019. Integrity Monitor must be upgraded to 1.8.1+ prior to importing or upgrading any module or content pack leveraging this updated content. Please seek guidance from your TAM with any questions regarding this.

Tanium Integrity Monitor 2.0.0.0037

Release Date: October 29th, 2019

Feature Improvements

  • Upgrades Client Recorder Extension to 2.0 (version 2.0.1.4026)
    • For more information, see the documentation here
    • There will be a banner on the home page of the Integrity Monitor solution if the current configuration for Integrity Monitor contains any settings that apply to Client Recorder Extension 1.0. These settings will not be automatically applied to Client Recorder Extension 2.0. There is a package available from the Intial Content - Recorder Extension solution that will allow the user to set some settings for Client Recorder Extension 2.0. The settings within a Linux monitor's Advanced Settings tab will also not be applied to Client Recorder Extension 2.0. Please be aware that some of these settings may not be adjustable within Client Recorder Extension 2.0 at this time.
    • There are some settings with regard to Integrity Monitor's use of Client Recorder Extension 2.0, that can be overridden via configuration overrides. These deal with filtering out events that are traced back to the Tanium Client process, as well as some control over the number of files and quantity of events within those files that Integrity Monitor will allow to be stored on the endpoint before the Correlation Engine can process them.
    • Integrity Monitor is able to operate with either Client Recorder Extension 1.0 or 2.0 installed. You can see which is being used on a particular endpoint through the Integrity Monitor Endpoint Tools Status sensor:
      • Syncing events from Client Recorder Extension 1.0 or Syncing events from Client Recorder Extension 2.0
  • A new package is available: Integrity Monitor Endpoint Debug Zip [Linux] and Integrity Monitor Endpoint Debug Zip [Windows]
    • This package will zip up the contents usually requested by the development and SME team for troubleshooting issues on an endpoint. Once the package is run, there will be a tanium_im_debug.zip file available for pickup in the TaniumClient/Tools/IM/debug directory.
  • There is now an error prompt when attempting to delete multiple watchlists and at least one of them is actively being used.
  • The Integrity Monitor Endpoint Tools Status sensor now reports the size of the im.db on endpoint database in buckets up to > 1 GB
  • Upgrades Client Extensions to version 2.0.1.3930
    • Includes Client Recorder Extension 2.0 integration support.

Resolved Issues

  • Resolved an issue where between upgrading to a new version of the Integrity Monitor solution and deploying monitors, the Deploy Integrity Monitor Endpoint Config and Deploy Integrity Monitor Endpoint Negative Config actions would install the same configuration repeatedly.
    • Note: the new tools from this version must be deployed in order to stop this from happening when the next version of Integrity Monitor is installed.
  • Upgrades Tanium Index to version 2.5.0.0038
    • Includes Client Recorder Extension 2.0 integration support on Linux endpoints.
    • Resolves an issue where Tanium Index could use 100% of on core in some situations on Windows endpoints.

Notes

  • This release requires Linux endpoints to have Tanium Client version 7.2.314.3211 or greater installed. Installation of Integrity Monitor tools on a Linux endpoint with a Tanium Client version below this will fail.

Additional Information

Known Issues and Workarounds

  • The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
  • Hybrid/Hashing mode can have issues when changing watchlists, including reporting events incorrectly.
  • Permission change events can be missed by Client Recorder Extension 2.0 on Linux systems, resulting in delayed surfacing of the event along with no process or user information for that event.
  • Some delete events may not contain the entire path on Linux endpoints.

Requirements

  • Tanium Connect 4.0 and above.
  • Monitoring permission change events.
    • Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.

Supported Tanium Platforms

Tanium Server 7.2, 7.3

Product Documentation and Resources

Integrity Monitor Documentation