
Release Notes Integrity Monitor (Version 2.4)


Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.

Important Notes

Integrity Monitor 2.3.0.0018 has removed support for Windows Legacy operating systems (Windows older than Windows 7 / Server 2008R2). The Integrity Monitor team will continue to support any existing customers who are still using Integrity Monitor versions released prior to version 2.3.0.0014 and will provide guidance to customers who need assistance with migration to the latest releases. Prior versions containing these features will continue to be supported per your support agreement with Tanium.

The minimum Windows client version for Integrity Monitor 2.3.0.0018 has been raised to 7.2.314.3211, which is in line with the minimum Linux client version. Integrity Monitor tools will no longer install on client versions lower than 7.2.314.3211. The recommended version for all supported OSes can be found in the documentation.

Tanium Integrity Monitor 2.4.1.0004

Release Date: April 16, 2020

Resolved Issues

  • Resolves an issue where enhanced rules are only deployable by a user with the Tanium Administrator role. Rules are now deployable by a user with the Integrity Monitor Administrator role.
  • Resolves an issue where migrating from legacy to enhanced labeling on a monitor may cause the endpoint to enter a failed state in certain situations, particularly if the rules have not been deployed before the monitors are deployed.

Tanium Integrity Monitor 2.4.0.0140

Release Date: April 14, 2020

Feature Improvements

  • Custom labels have been moved to global labels.
    • All custom and default labels are moved to global labels on upgrade.
    • Any overlap in custom and/or default labels will be resolved to a single label of the same name.
  • An endpoint labeling feature, which we are calling Enhanced labeling, has been implemented. It lets the user define rules that are executed on the endpoint against events, so that events are labeled on the endpoint instead of on the module server. This allows labels to be attributed to events through normal sensors, and event, label, and endpoint data to be combined before being shipped out through Connect.
    • Previous rule functionality still exists as Legacy labeling. All current monitors will be in Legacy labeling mode after upgrade. Migration of these monitors to Enhanced labeling is available.
    • Migration to Enhanced labeling, once performed, cannot be undone.
    • Labels are broken down into Enhanced labels and Legacy labels, and work with Enhanced rules and Legacy rules, respectively.
    • Enhanced labeling is only available for Linux/Windows endpoints/monitors.
  • ServiceNow integration has been implemented.
    • The basic flow of data for this integration is:
      • ServiceNow has endpoint data, or configuration items as they are called in ServiceNow.
      • These configuration items have maintenance windows, defined through change requests and/or tasks.
      • In Integrity Monitor, the integration setup form, available through the Integrations tab in the Settings top rail icon, walks you through the setup process, from authentication to mapping of information from ServiceNow into Integrity Monitor.
      • Once the integration is properly set up and data is flowing, change request and/or task information is relayed to the endpoints they are associated with, and events happening within the prescribed window are labeled with a ServiceNow label, denoting an authorized change.
    • The ServiceNow integration works in tandem with the endpoint labeling feature. As such, only endpoints using enhanced labeling will be able to understand and apply the ServiceNow window information to incoming events.
  • Sensor changes:
    • New sensor: Integrity Monitor Rules Needed
      • Used to determine if the latest rules deployment is necessary for the endpoint.
    • New sensor: Integrity Monitor ServiceNow Rules Needed
      • Used to determine if the latest ServiceNow rules deployment is necessary for the endpoint.
    • New sensor: Integrity Monitor Labeled File Events Details
      • Used to gather detailed events that have at least one label. A comma-separated list of labels can be supplied as a parameter to return only the labels the user is interested in.
    • New sensor: Integrity Monitor Unlabeled File Events Details
      • Used to gather detailed events that have no labels.
    • New sensor: Integrity Monitor Unlabeled File Events Overview
      • Used to gather bucketed events that have no labels. The bucket size is a parameter and defaults to 15 minutes.
    • Updated sensor: Integrity Monitor File Events Details
      • Now includes the labels from the endpoint when using enhanced labeling.
    • Updated sensor: Integrity Monitor Endpoint Tools Status
      • Now includes information about the rules engine.
  • Package changes:
    • Updated package: Integrity Monitor Enable or Disable Endpoint Process [Linux/Windows]
      • Added a parameter to enable or disable the rules engine, separately from the correlation engine.
      • Disabling the correlation engine will also disable the rules engine. Disabling the rules engine will not also disable the correlation engine.
      • Disabling the rules engine on an enhanced labeling endpoint will cause events to be backlogged. Once re-enabled, the events will show properly again.
  • Added the monitor id to the Monitors page to help with troubleshooting.
  • Using automatic import and configuration will hide the configuration section on the homepage after import.
  • Adjusted the default Trends boards to get information from endpoints with IM deployed on them, and to ignore any Legacy Windows endpoint information.
    • To get the updated boards, remove the previously imported ones and re-import the Integrity Monitor gallery board.
  • The default Tanium Index configuration when using hash only or hybrid modes has been updated to be more in line with recommended settings from the Index team:
    • CPUUsageLimit has been changed from unset (default of 1%) to 3%
    • MaxFileSizeToHashMB has been changed from unset (default of 256) to 32
    • FileIndexesPerThrottle has been changed from unset (default of 500) to 100
    • FileHashUpdatesPerThrottle has been changed from unset (default of 500) to 100
    • These settings can be overridden with configuration overrides and any previously set configuration overrides will still take precedence over these new defaults.
  • For more information on these new features, please refer to the Integrity Monitor documentation.
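
The ServiceNow change-window labeling and the Unlabeled File Events Overview bucketing described above can be pictured with the following sketch. It is an added example, not Tanium's code or schema: the field names, hosts, change id and the half-open window boundary are assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data. Field names, hosts and the change id are
# assumptions for illustration, not ServiceNow's or Integrity Monitor's schema.
CHANGE_WINDOWS = {  # configuration item -> [(change id, start, end)] in UTC
    "web01": [("CHG-EXAMPLE-1", "2020-04-14T02:00:00", "2020-04-14T04:00:00")],
}
EVENTS = [
    {"host": "web01", "path": "/etc/nginx/nginx.conf", "time": "2020-04-14T02:17:00", "labels": []},
    {"host": "web01", "path": "/etc/nginx/nginx.conf", "time": "2020-04-14T04:01:00", "labels": []},
    {"host": "web01", "path": "/etc/passwd", "time": "2020-04-14T04:09:00", "labels": []},
    {"host": "db01", "path": "/etc/ssh/sshd_config", "time": "2020-04-14T02:30:00", "labels": []},
]

def utc(ts):
    """Parse an ISO 8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def label_events(events, windows, label="ServiceNow"):
    """Return copies of events, adding `label` when the event time falls inside
    a change window for the same host (start inclusive, end exclusive: assumed)."""
    labeled = []
    for ev in events:
        t = utc(ev["time"])
        authorized = any(utc(s) <= t < utc(e) for _, s, e in windows.get(ev["host"], []))
        labels = list(ev["labels"])
        if authorized and label not in labels:
            labels.append(label)
        labeled.append({**ev, "labels": labels})
    return labeled

def unlabeled_overview(events, bucket_minutes=15):
    """Count events that carry no label, per (host, bucket start)."""
    size = bucket_minutes * 60
    counts = Counter()
    for ev in events:
        if ev["labels"]:
            continue
        epoch = int(utc(ev["time"]).timestamp())
        start = datetime.fromtimestamp(epoch - epoch % size, timezone.utc)
        counts[(ev["host"], start.strftime("%Y-%m-%dT%H:%MZ"))] += 1
    return dict(counts)

if __name__ == "__main__":
    overview = unlabeled_overview(label_events(EVENTS, CHANGE_WINDOWS))
    for key, n in sorted(overview.items()):
        print(key, n)
```

The change made one minute after the window closes and the change on a host with no change request both stay unlabeled, which is the set a reviewer would triage first.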

Resolved Issues

  • Resolves an issue where a large number of paths, includes, and excludes used across a number of monitors could cause the monitors page to become unresponsive or fail to load.
  • Resolves an issue where the Deploy Integrity Monitor Negative Config action would continuously land on endpoints after a deployment was successfully installed.
  • Resolves an issue where some buttons were different colors than others and some text, particularly around rules, was inconsistent.
  • Resolves an issue where the endpoint database used to store events was holding on to information from previous watchlists indefinitely.

Known Issues

  • Deleting an enhanced rule requires a second rule deployment to be distributed correctly to endpoints. We are working on diagnosing and fixing this issue.
  • (Resolved: 2.4.1.0004) Enhanced rules are only deployable by a user with the Tanium Administrator role. This will be fixed to be deployable by users with Integrity Monitor Administrator role in the next release.
  • (Resolved: 2.4.1.0004) Migrating from legacy to enhanced labeling on a monitor may cause the endpoint to enter a failed state in certain situations, particularly if the rules have not been deployed before the monitors are deployed. We are working on a fix for this issue. The workaround is:
    • Disable the Deploy Integrity Monitor Process Start actions
    • Deploy monitors
    • Verify tools and config are updated
    • Deploy rules
    • Verify rules are updated
    • Enable the Deploy Integrity Monitor Process Start actions

Dependencies

  • Index 2.5.3.0005
  • Tanium Client Recorder Extension: Upgraded from 2.1.0.1696 to 2.1.0.1697
    • Resolves an issue where the Tanium Driver would not uninstall correctly.
    • Resolves an issue where Tanium Client Recorder Extension would not function properly within an SELinux system set to enforcing mode in some situations.
  • Tanium Python
    • Version (2.7): 1.3.0.44
    • Version (3.8): 1.3.0.44
  • Tanium Client Extensions: 2.2.0.1113

Additional Information

Known Issues and Workarounds

  • The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
  • Hybrid/Hashing mode can have issues when changing watchlists, including reporting events incorrectly.
  • Some delete events may not contain the entire path on Linux endpoints.

Requirements

  • Tanium Connect 4.0 and above.
  • Monitoring permission change events.
    • Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.

Supported Tanium Platforms

Tanium Server 7.2, 7.3, 7.4

Product Documentation and Resources

Integrity Monitor Documentation