Configure the Integrity Monitoring module to define its behavior for a policy. When
designing the module’s behavior and implementing it using the API, use the same background
information and guidance that is provided in About Integrity Monitoring.
Policy objects contain two objects that you use to configure the Integrity Monitoring module:
- `IntegrityMonitoringPolicyExtension`: Controls the module state (real-time, on, or off) and identifies the Integrity Monitoring rules that are assigned to the module.
- `PolicySettings`: Policy settings include many Integrity Monitoring-related settings that control the runtime behavior of the module, such as the application of recommendation scans, whether real-time scan is enabled, performance-related settings, and the Syslog configuration to use. (See Configure policy and default policy settings.)
After you create these objects and add them to a `Policy` object, you use the `PoliciesApi` class to modify an existing policy based on the `Policy` object.

The following JSON represents the data structure of an `IntegrityMonitoringPolicyExtension` object:

```
{
    "state": "on",
    "moduleStatus": {...},
    "ruleIDs": [...]
}
```
The `moduleStatus` property is read-only. It provides the runtime status of the Integrity Monitoring module. (See Report on Computer Status.)

General steps
Use the following steps to configure the Integrity Monitoring module:
Procedure
- Create an `IntegrityMonitoringPolicyExtension` object and set the property values.
- Create a `PolicySettings` object to configure runtime settings of the module. (See Configure policy and default policy settings.)
- Create a `Policy` object and add the `IntegrityMonitoringPolicyExtension` and `PolicySettings` objects.
- Use a `PoliciesApi` object to add or update the policy on Server & Workload Protection.
What to do next
Create an `IntegrityMonitoringPolicyExtension` object and set the module state:

```python
policy_config_integrity_monitoring = api.IntegrityMonitoringPolicyExtension()
policy_config_integrity_monitoring.state = "on"
```
Set the rule IDs. Note that the Integrity Monitoring rules that are currently assigned
to the policy will be overwritten:
```python
policy_config_integrity_monitoring.rule_ids = im_rule_ids
```
At this point, the Integrity Monitoring policy extension is configured. Next, it is added to a `Policy` object. Then use a `PoliciesApi` object to modify a policy on Server & Workload Protection.

```python
policy = api.Policy()
policy.integrity_monitoring = policy_config_integrity_monitoring
policies_api = api.PoliciesApi(api.ApiClient(configuration))
modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
```
The `policy_id` (or `policyID`) parameter of `modifyPolicy` identifies the actual policy on Server & Workload Protection that is to be modified. This policy is modified according to the policy object that is used as the `policy` parameter. Any properties of the `policy` parameter that are not set remain unchanged on the actual policy.

Example
The following example turns on Integrity Monitoring and sets the rule IDs for an `IntegrityMonitoringPolicyExtension` object. The object is added to a `Policy` object which is used to update a policy on Server & Workload Protection.

```python
def configure_integrity_monitoring(api, configuration, api_version, policy_id, im_rule_ids):
    # `api` is the imported SDK module; the function returns the ID of the modified policy
    # Turn on Integrity Monitoring
    policy_config_integrity_monitoring = api.IntegrityMonitoringPolicyExtension()
    policy_config_integrity_monitoring.state = "on"
    # Add the rule IDs (this overwrites the rules currently assigned to the policy)
    policy_config_integrity_monitoring.rule_ids = im_rule_ids
    # Add to a policy
    policy = api.Policy()
    policy.integrity_monitoring = policy_config_integrity_monitoring
    # Modify the policy on Server & Workload Protection
    policies_api = api.PoliciesApi(api.ApiClient(configuration))
    modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
    return modified_policy.id
```
Tip: Also see the Modify a Policy operation in the API Reference.

Tip: If you only need to add, remove, or list Integrity Monitoring rules for a policy, use the `PolicyIntegrityMonitoringRuleAssignmentsApi` class. The previous example uses the `IntegrityMonitoringPolicyExtension`, `Policy`, and `PoliciesApi` classes to set rules, but this can also be done using only the `PolicyIntegrityMonitoringRuleAssignmentsApi` class. For more information, see Policy Integrity Monitoring Rule Assignments and Recommendations in the Policies section of the API Reference.

For information about authenticating API calls, see Authenticate with Server & Workload Protection.
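
Because setting `rule_ids` overwrites the rules already assigned to a policy, an update that lists only new rules removes existing monitoring coverage. The following added example (not part of the original page) merges new rule IDs with the assigned ones and checks the returned policy. It assumes `describe_policy` on `PoliciesApi` returns the stored policy; `FakePoliciesApi` and `fake_sdk` are constructed stand-ins so the code runs offline.

```python
from types import SimpleNamespace


def add_im_rules(api, policies_api, policy_id, new_rule_ids, api_version):
    """Assign extra rules to a policy without dropping those already assigned."""
    current = policies_api.describe_policy(policy_id, api_version)  # assumed SDK call
    ext = current.integrity_monitoring
    existing = set(ext.rule_ids or []) if ext is not None else set()

    update = api.IntegrityMonitoringPolicyExtension()
    update.rule_ids = sorted(existing | set(new_rule_ids))  # replaces the whole list
    if ext is not None and ext.state:
        update.state = ext.state  # carry the current module state over
    policy = api.Policy()  # all other policy properties stay unset
    policy.integrity_monitoring = update
    modified = policies_api.modify_policy(policy_id, policy, api_version)

    # Confirm the returned policy still lists every previously assigned rule.
    applied = set(modified.integrity_monitoring.rule_ids or [])
    lost = existing - applied
    if lost:
        raise RuntimeError(f"rules dropped from policy {policy_id}: {sorted(lost)}")
    return sorted(applied)


class FakePoliciesApi:
    """Constructed in-memory stand-in for PoliciesApi (hypothetical, for offline runs)."""

    def __init__(self, state, rule_ids):
        self.stored = SimpleNamespace(
            integrity_monitoring=SimpleNamespace(state=state, rule_ids=rule_ids))

    def describe_policy(self, policy_id, api_version):
        return self.stored

    def modify_policy(self, policy_id, policy, api_version):
        # Mirrors the page's semantics: rule_ids is overwritten, unset values stay.
        new, cur = policy.integrity_monitoring, self.stored.integrity_monitoring
        cur.rule_ids = list(new.rule_ids)
        cur.state = getattr(new, "state", None) or cur.state
        return self.stored


# Constructed stand-in for the SDK module that the page refers to as `api`.
fake_sdk = SimpleNamespace(IntegrityMonitoringPolicyExtension=SimpleNamespace,
                           Policy=SimpleNamespace)

if __name__ == "__main__":
    print(add_im_rules(fake_sdk, FakePoliciesApi("on", [11, 42]), 7, [42, 99], "v1"))
```

Against a real tenant, pass the imported SDK module and a `PoliciesApi` instance in place of the two stand-ins.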
Create an Integrity Monitoring rule
Generally, to create a rule for the Integrity Monitoring module you perform the following
steps:
Procedure
- Create an `IntegrityMonitoringRule` object.
- Set the rule properties. Rules are described in Create an Integrity Monitoring rule.
- Use an `IntegrityMonitoringRulesApi` object to add the rule to Server & Workload Protection.
What to do next
Set the `Template` property of the rule object to indicate how you are defining the rule:
- File: Set properties on the rule object to define how to monitor changes to files.
- Registry: Set properties on the rule object to define how to monitor changes to Windows registry values.
- Custom: Provide XML (base64-encoded) that defines how to monitor changes to directories, registry values, registry keys, services, processes, installed software, ports and files. The custom XML is used as the value of the `CustomXML` property of the rule object. The XML that you provide must be base64-encoded.
Tip: Although Log Inspection rules have different properties than Integrity Monitoring rules, the way you create the rules is similar. You might find the Create a basic Log Inspection rule and Create a Log Inspection rule using XML examples helpful.

Note: Configuration options of Integrity Monitoring rules are not accessible using the API. To change these options, in the Server & Workload Protection console open the rule properties and click the Configuration tab.

To use the API to create an Integrity Monitoring rule, send a POST request to the `integritymonitoringrules` endpoint. (See the Create an Integrity Monitoring Rule operation in the API Reference.)
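
The Custom template requires the rule XML to be base64-encoded before it is sent. The following added example (not part of the original page) checks that the XML is well-formed, encodes it, and builds a request body that can be decoded again for review. The JSON keys `name`, `template` and `customXML`, the value `custom`, and the sample XML are assumptions; confirm the exact names in the API Reference.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample rule XML, used only to exercise the functions below.
SAMPLE_RULE_XML = """<FileSet base="/etc">
  <include key="passwd"/>
  <include key="shadow"/>
</FileSet>"""


def encode_custom_xml(rule_xml):
    """Return the base64 text to place in the rule's custom XML property."""
    if "<!DOCTYPE" in rule_xml or "<!ENTITY" in rule_xml:
        raise ValueError("DTD and entity declarations are not accepted in rule XML")
    try:
        # Wrap in a synthetic root so several top-level elements still parse.
        ET.fromstring(f"<rule>{rule_xml}</rule>")
    except ET.ParseError as exc:
        raise ValueError(f"rule XML is not well-formed: {exc}") from exc
    return base64.b64encode(rule_xml.encode("utf-8")).decode("ascii")


def build_custom_rule_body(name, rule_xml):
    """Build the JSON body for the POST request (key names are assumptions)."""
    return {
        "name": name,
        "template": "custom",
        "customXML": encode_custom_xml(rule_xml),
    }


def decode_custom_xml(body):
    """Recover the readable XML from a rule body, for review or diffing."""
    return base64.b64decode(body["customXML"], validate=True).decode("utf-8")


if __name__ == "__main__":
    body = build_custom_rule_body("Watch account files", SAMPLE_RULE_XML)
    print(body["customXML"])
    print(decode_custom_xml(body) == SAMPLE_RULE_XML)
```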