Release Notes Integrity Monitor (Version 2.0)
Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.
Important Notes
The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from version 1.x to 2.0. Please consult your Technical Account Manager to understand how best to plan your deployments if you have more than one impacted product installed.
Integrity Monitor 1.9.0.0057 includes a resolved issue for connections made on Legacy Windows monitors. Any connections made prior to this version will need to be deleted and remade if they are using either of the Integrity Monitor Legacy File Event Details/Overview Saved Questions. This includes connections made via the button within the Integrity Monitor interface on the monitor page.
Integrity Monitor 1.8.1.0013 includes updated SQLite routines that are required for a pending revision of SQLite, which is bundled in Tanium's core Python content. Modules using core Python will begin to include the updated content on 6/25/2019. Integrity Monitor must be upgraded to 1.8.1+ prior to importing or upgrading any module or content pack leveraging this updated content. Please seek guidance from your TAM with any questions regarding this.
Tanium Integrity Monitor 2.0.0.0037
Release Date: October 29th, 2019
Feature Improvements
- Upgrades Client Recorder Extension to 2.0 (version 2.0.1.4026)
  - For more information, see the documentation here
  - There will be a banner on the home page of the Integrity Monitor solution if the current configuration for Integrity Monitor contains any settings that apply to Client Recorder Extension 1.0. These settings will not be automatically applied to Client Recorder Extension 2.0. There is a package available from the Initial Content - Recorder Extension solution that will allow the user to set some settings for Client Recorder Extension 2.0. The settings within a Linux monitor's Advanced Settings tab will also not be applied to Client Recorder Extension 2.0. Please be aware that some of these settings may not be adjustable within Client Recorder Extension 2.0 at this time.
  - Some settings governing Integrity Monitor's use of Client Recorder Extension 2.0 can be overridden via configuration overrides. These deal with filtering out events that are traced back to the Tanium Client process, as well as some control over the number of files, and the quantity of events within those files, that Integrity Monitor will allow to be stored on the endpoint before the Correlation Engine can process them.
  - Integrity Monitor is able to operate with either Client Recorder Extension 1.0 or 2.0 installed. You can see which is being used on a particular endpoint through the Integrity Monitor Endpoint Tools Status sensor:
    - Syncing events from Client Recorder Extension 1.0 or Syncing events from Client Recorder Extension 2.0
- A new package is available: Integrity Monitor Endpoint Debug Zip [Linux] and Integrity Monitor Endpoint Debug Zip [Windows]
  - This package will zip up the contents usually requested by the development and SME team for troubleshooting issues on an endpoint. Once the package is run, there will be a tanium_im_debug.zip file available for pickup in the TaniumClient/Tools/IM/debug directory.
- There is now an error prompt when attempting to delete multiple watchlists and at least one of them is actively being used.
- The Integrity Monitor Endpoint Tools Status sensor now reports the size of the im.db endpoint database, in buckets up to > 1 GB
- Upgrades Client Extensions to version 2.0.1.3930
  - Includes Client Recorder Extension 2.0 integration support.
Resolved Issues
- Resolved an issue where, between upgrading to a new version of the Integrity Monitor solution and deploying monitors, the Deploy Integrity Monitor Endpoint Config and Deploy Integrity Monitor Endpoint Negative Config actions would install the same configuration repeatedly.
  - Note: the new tools from this version must be deployed in order to stop this from happening when the next version of Integrity Monitor is installed.
- Upgrades Tanium Index to version 2.5.0.0038
  - Includes Client Recorder Extension 2.0 integration support on Linux endpoints.
  - Resolves an issue where Tanium Index could use 100% of one core in some situations on Windows endpoints.
Notes
- This release requires Linux endpoints to have Tanium Client version 7.2.314.3211 or greater installed. Installation of Integrity Monitor tools on a Linux endpoint with a Tanium Client version below this will fail.
Additional Information
Known Issues and Workarounds
- The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
- Hybrid/Hashing mode can have issues when changing watchlists, including reporting events incorrectly.
- Permission change events can be missed by Client Recorder Extension 2.0 on Linux systems, resulting in delayed surfacing of the event along with no process or user information for that event.
- Some delete events may not contain the entire path on Linux endpoints.
Requirements
- Tanium Connect 4.0 and above.
- Monitoring permission change events:
  - Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
Supported Tanium Platforms
Tanium Server 7.2, 7.3