Overview
Integrity Monitoring applies rules and rule sets to your endpoints. You can group any rules into a rule set so that they work together as a single rule.
The results are then displayed on the Integrity Monitoring Events page.
Four filtering options are available for Integrity Monitoring rules:
All Rules: display all rules.
Default OS Rules: these are synchronized automatically through GravityZone.
Default Application Rules: these are synchronized automatically through GravityZone.
Custom Rules: these rules are created by users.
Behavior in relation to GravityZone Patch Management
During updating processes managed by Patch Management, Integrity Monitoring is suspended by default.
This means that if no policy application or reapplication occurs while Integrity Monitoring is suspended, the alerts raised after monitoring resumes report, as the old attributes of the affected entities, the attributes that were recorded before the patching process started.
Therefore, even if Patch Management changes a file three times during the process, the first alert raised for that file reports the old attributes that were in place before the update started.
If a policy application or reapplication occurs while Integrity Monitoring is suspended, the old attributes are refreshed to the attributes that the monitored entities have at the time of the application or reapplication.
Example 1
The X file has the A attributes before Patch Management starts. After Patch Management starts and Integrity Monitoring is suspended, the attributes are changed to B. Also, no policy application/reapplication takes place during this interval.
After Patch Management is complete and Integrity Monitoring is resumed, the file's attributes are changed once more, this time to C. In this case, you are notified that the attributes have changed from A to C directly, while in reality they changed from A to B to C. Because Integrity Monitoring is suspended during the time when the attributes change from A to B, this change is not monitored and the basis of comparison for any new alert remains A.
Example 2
The X file has the A attributes before Patch Management starts. After Patch Management starts and Integrity Monitoring is suspended, the attributes are changed to B. Before Patch Management is complete, a system restart is required. Integrity Monitoring is only resumed after this restart.
After Integrity Monitoring is resumed, the file's attributes are changed again, this time to C. In this case, Integrity Monitoring notifies you that the file's attributes have changed from B to C, because the policy is reapplied after a system reboot. Once the policy is reapplied, the file's current attributes are set as the basis of comparison for any new alert.
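The two examples above differ only in whether a policy reapplication happens inside the patch window. The following Python model, added here as an illustration and not GravityZone's own code, reproduces both outcomes with a minimal baseline-and-compare monitor: the baseline is recorded on policy application, change events are ignored while the monitor is suspended, and an alert compares the current attributes against whatever baseline was last recorded. The file name, attribute values and the assumption that an alert's new attributes become the next comparison basis are all constructed for the example.

```python
"""Constructed model of integrity-monitoring baseline behaviour around a
Patch Management window (illustration only, not GravityZone code)."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    path: str
    old: dict  # attributes from the baseline at the time of the alert
    new: dict  # attributes observed when the alert was raised


@dataclass
class IntegrityMonitor:
    # path -> attributes recorded at the last policy application/reapplication
    baseline: dict = field(default_factory=dict)
    suspended: bool = False
    alerts: list = field(default_factory=list)

    def apply_policy(self, current_state: dict) -> None:
        """Policy application or reapplication: the baseline becomes the
        attributes every monitored entity has right now."""
        self.baseline = {p: dict(a) for p, a in current_state.items()}

    def suspend(self) -> None:
        """Patch Management starts: change events are no longer evaluated."""
        self.suspended = True

    def resume(self) -> None:
        """Patch Management finishes: evaluation continues, baseline untouched."""
        self.suspended = False

    def observe(self, path: str, attrs: dict):
        """A change event for `path`. Returns an Alert, or None if the event is
        dropped (monitor suspended) or the attributes match the baseline."""
        if self.suspended:
            return None
        old = self.baseline.get(path)
        if old == attrs:
            return None
        alert = Alert(path, old, dict(attrs))
        self.alerts.append(alert)
        # Assumption: once reported, the new attributes become the next basis.
        self.baseline[path] = dict(attrs)
        return alert


# Constructed attribute sets standing in for A, B and C in the text.
A = {"hash": "A"}
B = {"hash": "B"}
C = {"hash": "C"}


def example_1():
    """No policy reapplication during patching: the alert reports A -> C."""
    fs = {"X": A}                 # current state of the monitored file X
    im = IntegrityMonitor()
    im.apply_policy(fs)           # baseline: X has attributes A
    im.suspend()                  # Patch Management starts
    fs["X"] = B
    im.observe("X", B)            # A -> B happens unobserved
    im.resume()                   # Patch Management complete
    fs["X"] = C
    alert = im.observe("X", C)    # compared against A, not B
    return (alert.old["hash"], alert.new["hash"])  # ('A', 'C')


def example_2():
    """Reboot inside the patch window reapplies the policy: alert reports B -> C."""
    fs = {"X": A}
    im = IntegrityMonitor()
    im.apply_policy(fs)           # baseline: X has attributes A
    im.suspend()                  # Patch Management starts
    fs["X"] = B
    im.observe("X", B)            # A -> B happens unobserved
    im.apply_policy(fs)           # system restart: policy reapplied, baseline now B
    im.resume()                   # monitoring resumes only after the restart
    fs["X"] = C
    alert = im.observe("X", C)    # compared against the refreshed baseline B
    return (alert.old["hash"], alert.new["hash"])  # ('B', 'C')


if __name__ == "__main__":
    print("Example 1 alert:", example_1())
    print("Example 2 alert:", example_2())
```

The model makes the practical point explicit: events suppressed during suspension are not queued and replayed, so whatever attributes are in the baseline when monitoring resumes define the "old" side of the next alert, and a policy reapplication during the window silently moves that baseline forward.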