Table of contents


The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.

Represents a set of installed software. The "key" used to uniquely identify an installed application is platform-specific, but it is often a shorthand version of the application name or a unique numeric value.

On Windows, the key can be something readable like "FogBugz Screenshot_is1" or it can be a GUID like
"{90110409-6000-11D3-8CFE-0150048383C9}". You can examine these by looking at the sub-keys of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

On Linux the key is the RPM package name, as shown by the command:

rpm -qa --qf "%{NAME}\n"

On Solaris the key is the package name as shown by the pkginfo command.

Tag Attributes

These are XML attributes of the tag itself, as opposed to the attributes of the computer where Integrity Monitoring is enabled.

Attribute Description Required Default Value Allowed Values
onChange Will be monitored in real time No false true, false

Entity Set Attributes

These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules. Presence of the attributes is dependent on both the platform and the application itself - installation programs do not necessarily populate all of the attributes.

  • Manufacturer: The publisher or manufacturer of the application
  • Name: The friendly name or display name of the application. (Not available on Linux.)
  • InstalledDate: Date of installation. This is normally returned as YYYY-MM-DD [HH:MM:SS], but many installers on Windows format the date string in a different manner so this format is not guaranteed. (Not available on AIX.)
  • InstallLocation: The directory where the application is installed. (Only available on Windows and Solaris.)
  • Parent: For patches and updates, this gives the key name of this item's parent. (Only available on Windows.)
  • Size: The estimated size of the application, if available. On Windows this attribute is read from the "EstimatedSize" registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*. The value in that location is expressed in KB, so the Agent multiplies it by 1024 before returning the value. Note that not all Windows applications populate the EstimatedSize field in the registry. (Not available on AIX.)
  • Version: The version of the installed application. On Windows, this comes from the "DisplayVersion" registry value.

Short Hand Attributes

These are the short hand attributes of the Entity and the attributes to which they resolve

  • STANDARD: InstalledDate, Name, Version

Meaning of "Key"

The key is the name of the installed software. This is not a hierarchical key, so the ** pattern does not apply. On Windows the key is often a GUID, especially for anything installed via the Windows Installer (aka MSI). Use the name="XXX" feature if you need to include or exclude based on the display name rather than the GUID.

The following example would monitor for the addition and deletion of new software.

<include key="\*"/>

Sub Elements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of Include and Exclude for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this EntitySet class are included here.

Special attributes of Include and Exclude for InstalledSoftwareSets

name (Windows only): Allows wildcard matching using ? and * on the display name of the application (the "name" attribute of the Entity). For example:

<include name="Microsoft*"/>

will match all installed applications whose display name (as shown by the Control Panel) starts with "Microsoft".

manufacturer: Allows wildcard matching using ? and * on the publisher or manufacturer of the application. For example:

<include manufacturer="* Company "/>

will match all installed applications whose manufacturer ends with "Company".