Table of contents


The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents.

To enable and configure Integrity Monitoring, see Set up integrity monitoring.

Represents a set of installed software. The key used to uniquely identify an installed application is platform-specific, but it is often a shorthand version of the application name or a unique numeric value.

On Windows, the key can be readable, for example FogBugz Screenshot_is1, or it can be a GUID similar to {90110409-6000-11D3-8CFE-0150048383C9}. You can examine these by looking at the sub-keys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

On Linux the key is the RPM package name, as per the following command:

rpm -qa --qf "%{NAME}\n"

On Solaris the key is the package name as shown by the pkginfo command.

Tag attributes

The following table provides a list and descriptions of the XML attributes of the tag itself, as opposed to the attributes of the computer where Integrity Monitoring is enabled.

Attribute Description Required Default Value Allowed Values
onChange Monitored in real time No false true, false

Entity set attributes

These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules. Presence of the attributes is dependent on both the platform and the application itself; installation programs do not necessarily populate all of the attributes.

  • Manufacturer: The publisher or manufacturer of the application.
  • Name: The friendly name or display name of the application. Not available on Linux.
  • InstalledDate: Date of installation. This is typically returned as YYYY-MM-DD [HH:MM:SS], but many installers on Windows format the date string in a different manner so this format is not guaranteed. Not available on AIX.
  • InstallLocation: The directory where the application is installed. Only available on Windows and Solaris.
  • Parent: For patches and updates, this gives the key name of this item's parent. Only available on Windows.
  • Size: The estimated size of the application, if available. On Windows this attribute is read from the EstimatedSize registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\*. The value in that location is expressed in kilobytes, so the agent multiplies it by 1024 before returning the value. Note that not all Windows applications populate the EstimatedSize field in the registry. Not available on AIX.
  • Version: The version of the installed application. On Windows, this comes from the DisplayVersion registry value.

Shorthand attributes

The following are the shorthand attributes of the Entity and the attributes to which they resolve:

  • STANDARD: InstalledDate, Name, Version

Meaning of key

The key is the name of the installed software. This is not a hierarchical key, so the ** pattern does not apply. On Windows, the key is often a GUID, especially for anything installed via the Windows Installer (also known as MSI). Use name="XXX" if you need to include or exclude based on the display name rather than the GUID.

The following example monitors for the addition and deletion of new software:

<include key="\*"/>


  • Include
  • Exclude

See Integrity monitoring rules language for a general description of Include and Exclude for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.

Special attributes of Include and Exclude for InstalledSoftwareSets

name (Windows only): Allows wildcard matching using ? and * on the display name of the application (the name attribute of the Entity). Consider the following example:

<include name="Microsoft*"/>

This matches all installed applications whose display name (as shown by the Control Panel) starts with Microsoft.

manufacturer: Allows wildcard matching using ? and * on the publisher or manufacturer of the application. Consider the following example:

<include manufacturer="* Company "/>

This matched all installed applications whose manufacturer ends with Company.