How to Monitor Compliance Data Changes in Real-Time?

Disclaimer: The Real-time Monitoring is currently in Beta. Expect potential changes or improvements in future versions.

Background

We recognize that traditional periodic compliance checks may pose challenges in ensuring timely adherence across all endpoints. To address this, the Real-time Monitoring feature has been introduced as an alternative to scheduled checks. This feature enables proactive tracking and instant detection of changes at endpoints without relying on periodic scans.

Goal

  • Implement a proactive mechanism for detecting and capturing compliance data changes in real-time.
  • Ensure continuous compliance and security of all endpoints.
  • Instantly access reliable security information from devices without the need for repeated scans.
  • Minimize the time gaps between periodic checks, reducing potential vulnerabilities that attackers could exploit.

Scope

Real-time Monitoring currently supports the Windows environment with specific methods and applications that are listed in the Support Chart version 3. For more details, you can access this documentation.

Usage

1. Verify Real-Time Monitoring Support for a Method

Before proceeding, confirm whether a specific method supports Real-Time Monitoring by referring to Support Chart version 3. For details on how to use Support Chart version 3, please see How Can I Leverage The Support Chart Version 3.

For example, when reviewing Support Chart version 3 for ANTIMALWARE products, you may find that Windows Defender (Signature ID: 477) supports Real-Time Monitoring through the GetRealTimeProtectionState method (Method ID: 1000).

2. Enable Real-Time Monitoring

To activate the Real-Time Monitoring feature, register for tracking real-time changes in a specific method's state using wa_api_register_handler, with event_type set to 10. The following code snippet demonstrates how to monitor the GetRealTimeProtectionState method of Windows Defender in real-time.


3. Unregister When No Longer Needed

To stop monitoring the method, call:

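The page's own snippets are not reproduced here. As an added example (not the SDK's code), the following C++ shows the handler-side logic that a callback registered with wa_api_register_handler (event_type 10) could feed once notifications for GetRealTimeProtectionState (Method ID 1000) of Windows Defender (Signature ID 477) arrive: it drops reports for other products, ignores repeated identical states, records each compliance transition, and widens the observed exposure window by the up-to-3-second notification delay named under Known Issues. The StateEvent struct is an assumed shape of the notification, not the SDK's real payload format.

```cpp
#include <cstdint>
#include <vector>

// Assumed shape of one notification handed to the registered handler
// (the SDK's actual payload format is not shown on this page).
struct StateEvent {
    int signature_id;   // 477 = Windows Defender (Support Chart v3)
    int method_id;      // 1000 = GetRealTimeProtectionState
    int64_t ts;         // seconds since epoch, as seen by the handler
    bool enabled;       // reported real-time protection state
};

struct Transition {
    int64_t ts;             // when the change was observed
    bool compliant;         // true = protection back on
    int64_t observed_gap;   // seconds protection was seen off (0 when going off)
    int64_t worst_case_gap; // observed_gap + notification delay bound
};

class RealtimeProtectionTracker {
public:
    RealtimeProtectionTracker(int sig, int method, int64_t max_delay_s = 3)
        : sig_(sig), method_(method), max_delay_(max_delay_s) {}

    // Feed one notification; returns true when a transition was recorded.
    bool OnEvent(const StateEvent& e) {
        if (e.signature_id != sig_ || e.method_id != method_) return false; // not ours
        if (have_state_ && e.enabled == last_enabled_) return false;        // duplicate
        bool recorded = false;
        if (!e.enabled) {                       // on -> off: start of exposure window
            off_since_ = e.ts;
            transitions_.push_back({e.ts, false, 0, 0});
            recorded = true;
        } else if (have_state_) {               // off -> on: close the window
            int64_t gap = e.ts - off_since_;
            transitions_.push_back({e.ts, true, gap, gap + max_delay_});
            recorded = true;
        }
        have_state_ = true;
        last_enabled_ = e.enabled;
        return recorded;
    }
    const std::vector<Transition>& transitions() const { return transitions_; }

private:
    int sig_, method_;
    int64_t max_delay_;
    bool have_state_ = false, last_enabled_ = true;
    int64_t off_since_ = 0;
    std::vector<Transition> transitions_;
};

// Constructed sample sequence (not captured from a real endpoint).
inline std::vector<Transition> RunSample() {
    RealtimeProtectionTracker t(477, 1000);
    const StateEvent sample[] = {
        {477, 1000, 1000, true},   // initial state: protection on
        {477, 1000, 1005, true},   // repeated report, ignored
        {123, 1000, 1010, false},  // different product, ignored
        {477, 1000, 1100, false},  // protection switched off -> non-compliant
        {477, 1000, 1160, true},   // back on after 60 s observed (63 s worst case)
    };
    for (const auto& e : sample) t.OnEvent(e);
    return t.transitions();
}
```

The worst-case figure is what a compliance report should carry, since the real change can predate the notification by up to the delay bound.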

Known Issues

Potential Delay in Real-Time Monitoring

Real-time Monitoring is designed to support a wide range of applications, each with its own mechanism for returning status updates. As a result, you may experience a delay of up to 3 seconds when implementing real-time monitoring for supported application methods.
