ServiceSet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents.

To enable and configure Integrity Monitoring, see Set up integrity monitoring.

The ServiceSet element represents a set of services. Available on Windows only. Services are identified by the service name, which is not the same as the name column shown in the Services administrative tool. The service name can be seen in the service properties and is often shorter than the value shown in the name column, which is actually the Display Name of the service. For example, the agent has a service name of ds_agent and a display name of Trend Micro Deep Security Agent.

Tag attributes

The following table provides a list and descriptions of the XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute   Description              Required   Default Value   Allowed Values
onChange    Monitored in real time   No         false           true, false

Entity Set attributes

The following Entity attributes can be monitored by Integrity Monitoring Rules:

  • Permissions: The service's security descriptor in SDDL format.
  • Owner: User ID of the service owner.
  • Group: Group ID of the service owner.
  • BinaryPathName: The path plus optional command-line arguments that Windows uses to start the service.
  • DisplayName: The display name of the service as shown in the properties panel of the service.
  • Description: Description as it appears in the Services panel.
  • State: The current state of the service. One of: stopped, starting, stopping, running, continuePending, pausePending, paused.
  • StartType: How the service is started. One of: automatic, disabled, manual.
  • LogOnAs: The name of the account that the service process is logged on as when it runs.
  • FirstFailure: Action to take the first time the service fails. Format is "delayInMsec,action", where action is one of None, Restart, Reboot, RunCommand.
  • SecondFailure: Action to take the second time the service fails. Format is "delayInMsec,action", where action is one of None, Restart, Reboot, RunCommand.
  • SubsequentFailures: Action to take if the service fails for a third or subsequent time. Format is "delayInMsec,action", where action is one of None, Restart, Reboot, RunCommand.
  • ResetFailCountAfter: Time after which to reset the failure count to zero if there are no failures, in seconds.
  • RebootMessage: Message to broadcast to server users before rebooting in response to the Reboot service controller action.
  • RunProgram: Full command line of the process to execute in response to the RunCommand service controller action.
  • DependsOn: Comma-separated list of components (services or load ordering groups) that the service depends on.
  • LoadOrderGroup: The load ordering group to which this service belongs. The system startup program uses load ordering groups to load groups of services in a specified order with respect to the other groups. The list of load ordering groups is contained in the following registry value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceGroupOrder
  • ProcessId: The numeric ID of the process that hosts the service. Many services may exist in a single Windows process, but for those that run in their own process, the monitoring of this attribute allows the system to log service restarts.

Shorthand attributes

The following are the shorthand attributes of the Entity and the attributes to which they resolve:

  • STANDARD: Permissions, Owner, Group, BinaryPathName, Description, State, StartType, LogOnAs, FirstFailure, SecondFailure, SubsequentFailures, ResetFailCountAfter, RunProgram, DependsOn, LoadOrderGroup, ProcessId

Meaning of key

The key is the Service's name, which is not necessarily the same as the name column shown in the Services administrative tool (that tool shows the display name of the service). The service name can be seen in the service properties and is often shorter than the value shown in the name column.

This is not a hierarchical Entity set. Patterns are applied only to the service name. As a result the ** pattern is not applicable.

Subelements

  • Include
  • Exclude

See Integrity monitoring rules language for a general description of include and exclude, their allowed attributes, and their subelements. Only information specific to includes and excludes for this Entity Set class is given here.

Special attributes of Include and Exclude for ServiceSets

state: Include or exclude services based on their current state. One of: stopped, starting, stopping, running, continuePending, pausePending, paused. The following example would monitor the set of currently running services for change:

<ServiceSet>
  <include state="running"/>
</ServiceSet>
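The following is an added example, not taken from the product documentation, that combines the pieces described on this page: the service name as key (ds_agent, not the display name), the onChange attribute for real-time monitoring, include and exclude by key pattern, and a narrowed attribute list. The attributes element is taken from the general Integrity monitoring rules language rather than from this page, and the excluded service name ExampleNoisySvc is a constructed placeholder, not a real service.

```xml
<!-- Set 1: the agent's own service, monitored in real time with the STANDARD
     attribute set (no attributes element given). Any change to its binary path,
     logon account, start type or failure actions raises an event immediately. -->
<ServiceSet onChange="true">
  <include key="ds_agent"/>
</ServiceSet>

<!-- Set 2: every service on the host (the key pattern "*" matches service names,
     never display names), restricted to the attributes an attacker changes to
     gain persistence or privilege: where the service binary lives, which account
     it runs as, who may reconfigure it (SDDL), and what runs when it "fails". -->
<ServiceSet>
  <include key="*">
    <attributes>BinaryPathName, LogOnAs, StartType, Permissions, FirstFailure, SecondFailure, SubsequentFailures, RunProgram</attributes>
  </include>
  <!-- Exclude by service name, not display name. ExampleNoisySvc is a placeholder
       standing in for a service whose configuration legitimately changes often. -->
  <exclude key="ExampleNoisySvc"/>
</ServiceSet>
```

The second set deliberately leaves ProcessId out: it is part of STANDARD and changes on every restart of a service that has its own process, so a broad "*" rule using STANDARD fires on routine restarts. Permissions is worth keeping in any broad rule because a security descriptor that grants SERVICE_CHANGE_CONFIG or write access to a low-privileged principal lets that principal repoint BinaryPathName or RunProgram and run code as the service account.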