Integrity Monitoring
Integrity Monitoring reviews and validates changes made on Windows and Linux endpoints to assess the integrity of multiple entities.
Integrity Monitoring operates based on default rules, provided by Bitdefender, and custom rules. These rules are available in the Policies > Integrity Monitoring Rules page of the Control Center .
Based on these rules, Integrity Monitoring takes action when events are generated for files, folders, registry entries, users, services and installed software. These events are displayed on the Reports > Integrity Monitoring Events page of the Control Center.
You can also create a portlet, as well as two types of reports based on Integrity Monitoring events:
Integrity Monitoring activity, which displays events from the events page.
Integrity Monitoring configuration changes, which displays Bitdefender Trusted as well as Unapproved events.
Integrity Monitoring also comes with hardcoded restrictors, which automate best practices to reduce alert fatigue and prevent a negative impact on performance.
Integrity Monitoring is available for all standard products, except for GravityZoneEDR and BitdefenderFRAT . It is delivered as an add-on for products with a license key, and as a licensing option for monthly subscriptions.
By default, it stores the detected events for 7 days. In addition, it comes with a data retention add-on to store the events. You have three options from which can choose: 90 days, 180 days and 1 year of data retention.
After you add the license, log back in to GravityZone. Two new pages are available in the main menu of the Control Center:
Under Policies, the new page named Integrity Monitoring Rules contains the rules, rule sets and related options for configuring Integrity Monitoring .
Under Reports, the new page named Integrity Monitoring Events contains all the detected events. The events listed in this page are based on default and/or custom rules.
In addition, the policy settings include a new section called Integrity Monitoring, where you can enable the module and select the rule set that you want to apply with the policy.
Components
Integrity Monitoring uses the following components:
GravityZone Control Center
Security agent (Windows, Linux)
Integrity Monitoring limitations
Windows
Integrity Monitoring monitors a large set of registry keys and values, with some exceptions. For a full list of monitored registry keys and values, refer to this document.
Changes made by GravityZone excluded processes do not generate events.
Custom EDR exclusions do not apply to incidents that are generated based on Integrity Monitoring rules.
Custom EDR exceptions do not apply to incidents that are generated based on Integrity Monitoring rules.
Linux
Integrity Monitoring does not support protected containers.
Integrity Monitoring does not start if the backend is switched from kprobes to auditd.
The InstalledSoftware event is only generated for Debian-based operating systems.
The service_added events only work once per service.
Multiple sequential events are processed at a slower rate.
Different text editors could generate different events for the same file modification due to their use of different APIs.
Operations performed as another user, using the
runusercommand, trigger events with a void user field.Integrity Monitoring is not compatible with 32-bit operating systems.
Permission and ownership change events cannot generate endpoint incidents.
Custom EDR exclusions do not apply to incidents that are generated based on Integrity Monitoring rules.
Install and configure Integrity Monitoring
To start using this feature, follow the steps below:
Important
If your endpoints already have the BEST agent deployed, but the Integrity Monitoring module is not installed, you can use a Reconfigure agent task to add the module to the endpoint.
If no agent is installed, you will need to use an installation package to deploy BEST on your endpoints along with all required modules.
Below we have included both procedures.
Log in to GravityZone Control Center.
Go to the Installation Packages page from the left side menu.
Click the Create button in the upper-right side of the screen.
Type in the Name and Description for the new installation package.
Select the modules you want to deploy.
Note
Make sure you include the Integrity Monitoring module.
Click Save.
Select the newly created package from the list of packages and click Send download links.
Enter the email addresses of the recipients and click Send.
Policies are used to enable and configure features both on endpoints and in terms of general functionality.
GravityZone comes with a default set of policy settings, that are custom tailored to meet the most common customer needs.
You can use these default policy settings and leave the configuration of the policy for a later date, but you need to follow the steps below to enable the feature from the policy page:
Log in to GravityZone Control Center.
Go to Integrity Monitoring Rules page from the left side menu.
Create a new set of rules to apply to your policy.
Go to the Policies page from the left side menu of GravityZone Control Center.
You can either:
Under Integrity Monitoring, enable and configure the module features.
Save your policy.
If you created a new policy, apply it on the endpoints where the feature is deployed:
Go to the Network page from the left side menu.
Select the endpoints you want to apply the policy to.
Click the
Assign Policy button at the upper side of the table.Select the policy you want to apply.
Click Finish.
Note
For more information, refer to Assigning device policies
If you have edited an existing policy, make sure it is applied to all endpoints where the feature is deployed.
This will ensure that the feature is enabled and configured to best suit your company's needs.
Test out the feature
Use the steps provided under Configure and enable the Integrity Monitoring feature to create a new rule that performs a specific action.
For example, you can create a specific rule, for a specific path on your endpoint, that quarantines all new files with the
.exeextension:Go to Integrity Monitoring Rules > Custom rules > Actions > New rule.
Apply the following settings:
Under OS applicability, select an applicable Operating System.
Under Keys add a file path and the extension of the files you want your rule to apply to.
Click the Add button:
Under Monitoring scope, select File was created and select the Move to quarantine action from the drop down menu on the right.
Click Save.
Simulate the circumstances that you designed the rule to trigger for.
For the above example, create a
.exefile under theC:\Testing Integrity Monitoringfile path. This will cause the file to be moved under quarantine.
In-depth documentation
For more information about Integrity Monitoring, refer to: