GroupSet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.

GroupSet represents a set of groups. Note that these are local groups only.

Tag attributes

| Attribute | Description | Required | Default Value | Allowed Values |
|-----------|-------------|----------|---------------|----------------|
| onChange | Monitored in real time | No | false | true, false |

Entity set attributes

These are the attributes of the Entity that can be monitored:

  • Description: The textual description of the group. Only available on Windows.
  • Group: The group ID and name. The group name is part of the entity key, but it is still important to be able to monitor the group ID-name pairing in case groups are renamed and given new IDs. Operating systems generally enforce security based on the group's ID.
  • Members: A comma-separated list of the members of the group.
  • SubGroups: A comma-separated list of subgroups of the group. Only available on Windows.

Shorthand attributes

  • Standard: Group, Members, SubGroups

Meaning of key

The key is the group's name. This is not a hierarchical Entity Set. Patterns are applied only to the group name. As a result, the ** pattern is not applicable.

The following example monitors the Administrators group for additions and deletions. Because no attributes are explicitly listed, the STANDARD set applies, and the Members attribute is included implicitly as part of it.

<GroupSet>
<include key="Administrators" />
</GroupSet>
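
As an added illustration (not code from the product or from this documentation), the Python sketch below shows why the Group ID-name pairing and Members are both worth monitoring when the key is only the group name: it diffs two constructed /etc/group-style snapshots keyed by name. The snapshot data, the gid:name rendering of the Group attribute, and the use of fnmatch for the include pattern are assumptions.

```python
# Illustration only: mimics the Group and Members attributes described above,
# not the agent's implementation. Both snapshots are constructed sample data.
import fnmatch

BASELINE = """\
root:x:0:
sudo:x:27:alice
docker:x:998:alice,bob
"""

CURRENT = """\
root:x:0:
sudo:x:27:alice,carol
docker:x:1001:alice,bob
"""

def parse_groups(text):
    """Return {group name: {"Group": "gid:name", "Members": "a,b"}}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # skip blank or malformed entries rather than guess
        name, _password, gid, members = fields
        ordered = ",".join(sorted(m for m in members.split(",") if m))
        groups[name] = {"Group": f"{gid}:{name}", "Members": ordered}
    return groups

def diff_groups(baseline, current, include="*"):
    """Compare two snapshots; the key (and the pattern target) is the name."""
    old, new = parse_groups(baseline), parse_groups(current)
    changes = []
    for name in sorted(set(old) | set(new)):
        if not fnmatch.fnmatchcase(name, include):  # stand-in for rule patterns
            continue
        if name not in new:
            changes.append((name, "deleted", None))
        elif name not in old:
            changes.append((name, "created", None))
        else:
            for attr in ("Group", "Members"):
                if old[name][attr] != new[name][attr]:
                    changes.append((name, attr, (old[name][attr], new[name][attr])))
    return changes

if __name__ == "__main__":
    for change in diff_groups(BASELINE, CURRENT):
        print(change)
```

The docker entry keeps its name and members but reports a Group change because its ID differs, which a name-only comparison would miss.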

Include and exclude

See Integrity monitoring rules language for a general description of include and exclude and their allowed attributes and sub elements.