Topics on this page
The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on Deep Security Agents. To enable and configure Integrity Monitoring, see Set up integrity monitoring.
The ServiceSet element represents a set of services (Windows only). Services are identified by the "service name", which is not the same as the "name" column shown in the Services administrative tool. The service name can be seen in the service properties and is often shorter than the value shown in the "name" column, which is actually the "Display Name" of the service. For example, the Agent has a service name of "ds_agent" and a display name of "Trend Micro Deep Security Agent".
These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.
|Attribute||Description||Required||Default Value||Allowed Values|
|onChange||Will be monitored in real time||No||false||true, false|
Entity Set Attributes
These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules.
- Permissions: The service's security descriptor in SDDL format.
- Owner: User ID of the service owner
- Group: Group ID of the service owner
- BinaryPathName: The path plus optional command-line arguments that Windows uses to start the service.
- DisplayName: The "display name" of the service as shown in the properties panel of the service.
- Description: Description as it appears in the Services panel
- State: The current state of the service. One of: stopped, starting, stopping, running, continuePending, pausePending, paused
- StartType: How is the service started? One of: automatic, disabled, manual.
- LogOnAs: The name of the account that the service process will be logged on as when it runs.
- FirstFailure: Action to take the first time the service fails. Format is "delayInMsec,action", where action is one of None, Restart, Reboot, RunCommand.
- SecondFailure: Action to take the second time the service fails. Format is "delayInMsec,action", where action is one of None, Restart, Reboot, RunCommand.
- SubsequentFailures: Action to take if the service fails for a third or subsequent time. Format is "delayInMsec,action", where action is one of None, Restart, Reboot, RunCommand.
- ResetFailCountAfter: Time after which to reset the failure count to zero if there are no failures, in seconds.
- RebootMessage: Message to broadcast to server users before rebooting in response to the "Reboot" service controller action.
- RunProgram: Full command line of the process to execute in response to the RunCommand service controller action.
- DependsOn: Comma separated list of components that the service depends on
- LoadOrderGroup: The load ordering group to which this service belongs. The system startup program uses load ordering groups to load groups of services in a specified order with respect to the other groups. The list of load ordering groups is contained in the following registry value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder
- ProcessId: This is the numeric ID of the process that hosts the service. Many services may exist in a single Windows process, but for those that run in their own process, the monitoring of this attribute will allow the system to log service restarts.
Short Hand Attributes
These are the short hand attributes of the Entity and the attributes to which they resolve
- STANDARD: Permissions, Owner, Group, BinaryPathName, Description, State, StartType, LogOnAs, FirstFailure, SecondFailure, SubsequentFailures, ResetFailCountAfter, RunProgram, DependsOn, LoadOrderGroup, ProcessId
Meaning of "Key"
The key is the Service's name, which is not necessarily the same as the "name" column shown in the Services administrative tool (that tool shows the "display name" of the service). The service name can be seen in the service properties and is often shorter than the value shown in the "name" column.
This is not a hierarchical Entity Set. Patterns are applied only to the service name. As a result the ** pattern is not applicable.
See Integrity monitoring rules language for a general description of include for their allowed attributes and sub elements. Only information specific to includes and excludes relating to this Entity Set class are included here.
Special attributes of Include and Exclude for ServiceSets:
state: Include or exclude based on whether the state of the service (stopped, starting, stopping, running, continuePending, pausePending, paused). The following example would monitor the set of running services for change:
<ServiceSet> <include state="running"/> </ServiceSet>