Integrity Monitoring
Overview
Integrity Monitoring applies certain rules and rule sets to your endpoint. You can create rule sets based on any rules to work together as a single rule.
Afterwards, the results are displayed on the Integrity Monitoring Events page.
Four filtering options are available for Integrity Monitoring rules:
All Rules: display all rules.
Default OS Rules: these are synchronized automatically through GravityZone.
Default Application Rules: these are synchronized automatically through GravityZone.
Custom Rules: these rules are created by users.
Behavior in relation to GravityZone Patch Management
During updating processes managed by Patch Management, Integrity Monitoring is suspended by default.
This means that if no policy application or reapplication occurs while Integrity Monitoring is suspended, the old attributes of entities present in alerts after resuming Integrity Monitoring are the ones that were present before the patching process started.
Therefore, even though Patch Management might change a file three times in the process, the entities in the first signaled alert are going to have the old attributes that were present before the update started.
If a policy application or reapplication occurs while Integrity Monitoring is suspended, the old attributes are going to be renewed to the ones present for monitored entities at the time of application or reapplication.
Example 1
The X file has the A attributes before Patch Management starts. After Patch Management starts and Integrity Monitoring is suspended, the attributes are changed to B. Also, no policy application/reapplication takes place during this interval.
After Patch Management is complete and Integrity Monitoring is resumed, the file's attributes are changed once more, this time into C. In this case, you are notified that the attributes have changed from A to C directly while, in reality, they changed from A to B to C. Because Integrity Monitoring is suspended during the time when the attributes changed from A to B, this change is not monitored and the basis of comparison for any new alert remains A.
Example 2
The X file has the A attributes before Patch Management starts. After Patch Management starts and Integrity Monitoring is suspended, the attributes are changed to B. Before Patch Management is complete, a system restart is required. Integrity Monitoring is only resumed after this restart.
After Integrity Monitoring is resumed, the file's attributes are changed again, this time into C. In this case, the Integrity Monitoring notifies you that the file's attributes have changed from B to C, because the policy is reapplied after a system reboot. Once the policy is reapplied, the file's current attributes are set as a basis of comparison for any new alert.
Configuration
Default rules
Default rules are created and supported by Bitdefender. These rules cover the most popular operating systems and applications, as well as services and user entities, assuring the integrity of the endpoint.
For more information about default OS rules and default application rules, refer to Integrity Monitoring default rules.
Note
Some rules require additional configuration before they can be applied to the endpoint. In addition, deprecated rules need to be deleted.
For more information about editing rules, refer to Edit rules and Delete rules.
Custom rules
Custom rules are created and managed by any user with Partner, Company Administrator and Network Administrator role.
Note
Make sure that any custom rule you want to create is not already covered by a default rule. Running duplicate rules affects the overall performance of the product.
Create rules
You can create custom rules by following these steps:
Go to Policies > Integrity Monitoring Rules.
Click the Action drop-down.
Select New rule.
The following fields are available when you create a custom rule:
Rule name: must be unique. You cannot have two rules with the same name.
Description: general description of the rule.
Severity: this option can be set to: Low, Medium, High or Critical.
Entity type: the following types are available:
File
Directory
Registry key
Registry value
Once an entity type is selected, the following fields are available:
File
For this field, you have the following options:
OS Applicability: Windows or Linux.
Keys: this is where you add the prefix and/or the extension type.
Monitoring scope:
For Windows: you can monitor if the file is created, modified, deleted, renamed. File hash, size and attributes can be monitored as well.
Note
Unwanted created files can also be deleted or moved to quarantine. You also have the to correct file attribute changes.
For Linux: you can monitor if the file is created, modified, deleted or renamed, or if there are changes in the hash, size, file permission, file owner and file group.
Note
Unwanted created files can also be deleted or moved to quarantine. You also have the option to correct permission, owner, and group changes.
Directory
For this field, you have the following options:
OS Applicability: Windows or Linux.
Directory path: path to the monitored directory. You can also include the subdirectories by selecting the checkbox under this field.
Monitoring scope:
For Windows: you can monitor if a directory is created, deleted, renamed, and if its attributes have changed.
Note
You also have the option to correct directory attribute changes.
For Linux: you can monitor if a directory is created, deleted, renamed and if its permissions, owners and groups have changed.
Note
You also have the option to correct permission, owner, and group changes.
Registry key
For this field, you have the following options:
Registry key: add the registry key you want monitored.
Monitoring scope: you can monitor if a registry key is created and deleted, and if its subkeys and key values have changed.
Registry value
For this field you have the following options:
Registry value: add the registry value you want monitored.
Monitoring scope: you can monitor if a registry value is created and deleted, the time the last value was modified, or if the registry hash and the registry value size have changed.
Note
When registry value hash changes, you have the option to correct it. In addition, for size change, you can choose to automatically delete the value.
When a registry value is corrected, it is restored to the value it had before the alert was generated. The rule processing mode can affect this correction.
Edit rules
You can edit rules by following these steps:
Go to Policies > Integrity Monitoring Rules.
Select the rule you want to modify.
Under Configuration, modify the rule.
Click Save.
Delete rules
You can delete custom rules by following these steps:
Go to Policies > Integrity Monitoring Rules.
Select the checkbox next to the rule you want to delete.
Click the Actions drop-down.
Select Delete.
Confirm your selection by pressing the Delete button.
Restrictors
Integrity Monitoring has implemented restrictors. They are a layer of protection with the sole purpose of reducing alert fatigue. These restrictors aim to cover human errors.
For example, users cannot monitor files with the .log extension. These files are used for constant logging and are frequently changed. Therefore, monitoring these would generate a great deal of events which might flood the endpoint with notifications and/or events.
Rule sets
Rule sets are a collection of rules that you can assign to a GravityZone policy. Any rule that you want assigned to a policy must be part of a rule set.
Create rule sets
You can create a rule set by following these steps:
Open the Integrity Monitoring Rules window.
Select each rule you want added in your rule set by selecting the checkbox next to it.
Click Actions and select New rule set from rules.
In the new page, add the Rule set name and a Description (optional).
Note
These fields can only contain alphanumeric characters
Click Save.
Edit rule sets
You can edit a rule set by following these steps:
Go to Policies > Integrity Monitoring Rules.
Select the desired rule set.
Click
More. Select Edit.
Edit the Rule set name and Description.
Click Save.
Delete rule sets
You can delete rule sets by following these steps:
Go to Policies > Integrity Monitoring Rules.
Select the desired rule set.
Click
More. Select Delete.
Confirm your selection by pressing the Delete button.
Assign or remove existing rules to rule sets
To assign existing rules to a rule set you must:
Go to Policies > Integrity Monitoring Rules.
Select the checkbox next to the rules you want assigned to the rule set.
Click the Actions drop-down.
Select Assign rules to rule sets.
Select the rule set you want the rules to be assigned from the drop-down menu.
Click Assign.
To remove rules from a rule set, you must:
Go to Policies > Integrity Monitoring Rules.
Select the checkbox next to the rules you want assigned to the rule set.
Click the Actions drop-down.
Select Unassign rules.
Assign rule sets to a policy
To assign Integrity Monitoring rule sets to a policy, you must first enable real-time monitoring in the policy settings and then assign the rule sets that you want applied:
Go to the Policies page.
Add a new policy or edit an existing one.
In the policy settings, go to the Integrity Monitoring section.
Select the corresponding checkbox and add an existing rule set from the drop-down list.
Make other configurations in the policy as preferred.
Save the policy and apply it to endpoints.
Once a policy is applied (or reapplied), the entity baseline attributes are renewed. Therefore, the next alert that comes after the policy is applied uses these renewed attributes as a basis of comparison for the next signaled alert. This renewal takes place regardless of whether Integrity Monitoring is suspended or not.
In addition, once the policy is applied, the endpoints start sending events to GravityZone. You can view them on the Integrity Monitoring Events page.
Important
On-Access exclusions added for file, folder, and process exclusions through configuration profiles or in-policy also apply to the Integrity Monitoring module. Integrity Monitoring is based on Extended Berkeley Packet Filter (eBPF) probes. These exclusions are propagated to eBPF probes (Kprobes) so that corresponding events that trigger Integrity Monitoring alerts are no longer generated.
Rules processing mode
The rules processing mode determines the speed at which events are processed and displayed in the Integrity Monitoring Events page:
Fast - events are processed as close to real-time as possible.
Normal - buffers events for 3 seconds and then processes them. This is the default setting.
Slow - buffers events for 6 seconds and then processes them.
To have an optimal resource footprint, all rule processing modes use event queues and compression.
For processed events, a set of deduplication actions are applied to provide the best information without succumbing to alert fatigue:
Events of the same type are compressed.
For example, from multiple File hash was changed events for the same entity, Integrity Monitoring takes into consideration only the latest one.
Some actions are not processed anymore due to baseline change.
For example, a quick succession of File hash was changed events, right before a File was deleted or File was renamed event, are discarded. In this case, the baseline for file hash change cannot be established because the object is not there anymore.
The deduplication actions are applied to File, Directory, Registry key and Registry value events in all processing modes. The Fast processing mode processes events in real-time, without delay. However, when all available resources are busy processing events, new events start queueing up. These queued events are processed as soon as resources are freed, but they are not exempt from deduplication actions.
Integrity Monitoring events
When a file is modified, a new entry is added in Reports > Integrity Monitoring Events.
The Integrity Monitoring Events page has the following filter options:
Event date
Endpoint
Change. This filtering option allows you to select one or multiple types of changes: All, Created, Updated, Deleted, and Renamed.
Severity. This filtering option allows you to select the severity type: All, Low, Medium, High, and Critical.
Category. This filtering option allows you to select the event category:
Bitdefender Trusted - these are events triggered by processes that have an image path considered safe by Bitdefender. On Windows endpoints, the image paths are also checked for a valid digital signature.
Unapproved - these are events that have been triggered based on the rules applied in the policy.
Approved - these are events that were initially marked as Unapproved, but were later changed by the user.
You can change the category of the events by following these steps:
Select the events you want to change the category for.
Select their new status from the Change Category dropdown list.
More. This filtering option allows you to select other options: All, Reason, Entity type, Location, and User.
Note
Integrity Monitoring displays up to 5000 events/hour. If this number is reached, events are no longer sent to GravityZone for the next hour.
Event details window
The Event details window is available on the right side of the page once you have selected an event. Here, you can see what changes have been made that triggered that event.
You can resize the Events details window by dragging the four dots.
The Event details window has the following fields:
General information:
Reason: the rule set applied that triggered the event.
Event date
Severity
Endpoint name
User: the endpoint user that modified the file.
Details:
Event type
Location
Change type
Attribute changes:
Size (old)
Size (new)
Hash (old)
Hash (new)
Last modified (old)
Last modified (new)
Note
On Windows, user-specific events can only be monitored if Audit Account Management is enabled. For more information, refer to Audit Account Management.
Suspending and disabling Integrity Monitoring
Suspending Integrity Monitoring
You can suspend Integrity Monitoring for a limited amount of time by following these steps:
Go to Network.
Select the checkbox next to the endpoint you want the product suspended on.
Select Tasks.
Select Suspend Integrity Monitoring.
Select the time interval, in hours and minutes, in which you want Integrity Monitoring to be suspended for.
Select Run.
Once suspended, the corresponding task is also visible in:
Accounts > User Activity.
Network > the endpoint it was suspended on > Protection > Additional Information.
Note
Integrity Monitoring can be resumed from the Tasks menu.
While suspended, Integrity Monitoring stops processing all events related to default rules.
Disabling Integrity Monitoring
If you do not want to use Integrity Monitoring any longer, you can either disable the product in the policy settings or remove the add-on entirely.