Viewing events

After a monitor is deployed to endpoints, events get returned that match the watchlists that are assigned to the monitor.

How you work with events is affected by whether you are using basic labeling or enhanced labeling. For more information about labeling methods, see Basic labeling and enhanced labeling.

View events for a monitor, label, or rule

You can view an overview of the events that are returned by a monitor, that have a specific label, or that are labeled by a specific rule.

In this view, Integrity Monitor aggregates events that share the same path, user, process, and operation every 15 minutes to help you identify common events on monitored endpoints. To retrieve more specific information about events and the endpoints where they occurred, you can select events and then click Drill Down. For more information, see Tanium Interact User Guide: Managing question results.

To filter the events, use the Filter by text box, or expand the Advanced Filters section.

View events

  • To view events returned by a monitor: From the Integrity Monitor menu, go to Monitors > All Monitors, Monitors > Enhanced Monitors, or Monitors > Basic Monitors, and click the name of the monitor for which you want to see events.
  • To view events that have a specific label: From the Integrity Monitor menu, go to Labels > Enhanced Labels or Labels > Basic Labels, click the name of the label for which you want to see events, and click the Events tab.
  • To view events that are labeled by a specific rule: From the Integrity Monitor menu, go to Rules > Enhanced Rules or Rules > Basic Rules, and click the name of the rule for which you want to see events.

Pause and resume the event view

To temporarily stop incoming events from being added to the results grid, click Pause in the results grid. To resume viewing incoming events in real time, click Resume.

The event view automatically pauses when you select events.

Download the full list of events or selected events

To download the full list of events in CSV format, click in the results grid.

To download the information from specific events in CSV format, select events from the results grid, and click Export.

Use sensors to view events

You can ask questions in Interact with the Integrity Monitor sensors to view events with specific criteria. For more information about asking questions, see Tanium Interact User Guide: Asking questions.

Table 1: Sensors provided by Integrity Monitor to view events

Sensor: Integrity Monitor File Events Overview
Labeling type: Basic or enhanced
Description: Returns the list of events, with events that share the same path, user, process, and operation combined for each 15-minute group. The columns returned are process path, file or registry path, user, change type, date, hour, minute group, and detail. The results grid for a basic monitor uses this sensor.

Sensor: Integrity Monitor File Events Details
Labeling type: Basic or enhanced
Description: Returns all individual events. The columns returned are time stamp, process path, file or registry path, user, change type, detail, and watchlists. This sensor is available to use in Saved Questions in Connect.

Sensor: Integrity Monitor Labeled File Events Details
Labeling type: Enhanced only
Description: Returns all individual events that have labels applied. The columns returned are the same as for the Integrity Monitor File Events Details sensor. For more information about labels, see Labeling events.

The results grid for a monitor with enhanced labeling uses the Integrity Monitor Filtered File Events Overview and Integrity Monitor Filtered File Events Details sensors, which include a parameter for a filter expression in JSON format. Though you can ask questions in Interact using these sensors, it is a best practice to use the Integrity Monitor Labeled File Events Details sensor in questions.

Sensor: Integrity Monitor Unlabeled File Events Overview
Labeling type: Enhanced only
Description: Returns events that do not have labels applied, with events that share the same path, user, process, and operation combined for each 15-minute group. The columns returned are the same as for the Integrity Monitor File Events Overview sensor. For more information about labels, see Labeling events.

Sensor: Integrity Monitor Unlabeled File Events Details
Labeling type: Enhanced only
Description: Returns all individual events that do not have labels applied. The columns returned are the same as for the Integrity Monitor File Events Details sensor. For more information about labels, see Labeling events.

By default, the listed sensors return events for all monitors from the 24 hours prior to the time the question is asked. You can use the Monitor ID parameter to specify a monitor for which events should be returned and the Rolling Hour Offset parameter to specify the number of prior hours from which to include events. Up to seven days (168 hours) of events are available. For the Integrity Monitor Labeled File Events Details sensor, you can also use the Labels parameter to specify the list of labels for which to include events.

When an endpoint has no resulting events, the event sensors return: No integrity violations found.

If [no results] is returned, the endpoint has an error. To identify the error, ask a question with the Integrity Monitor Endpoint Tools Status sensor. To resolve the error, see Reference: Endpoint monitoring status errors.
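The following script is an added example, not Tanium code, showing how an analyst might process the answers to a question that uses the Integrity Monitor File Events Details sensor: it separates endpoints that answered "No integrity violations found." from endpoints that answered "[no results]" (which need a follow-up with the Integrity Monitor Endpoint Tools Status sensor), and it collapses the remaining Details rows into the same 15-minute groups by process, path, user, and operation that the Overview sensor and the results grid use. The pipe-separated row format, the endpoint names, the exact punctuation of the sentinel strings, and every event row are assumptions constructed for the example; the column order follows the page's description of the Details sensor.

```python
"""Classify Integrity Monitor event sensor answers and aggregate Details rows.

Added example; not Tanium's code. Assumes each endpoint's answer is a list of
text lines, that Details rows are pipe-separated in the order the page lists
for the Integrity Monitor File Events Details sensor (time stamp, process path,
file or registry path, user, change type, detail, watchlists), and that time
stamps are ISO 8601 without a zone. All sample rows are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Sentinel strings as quoted on the page; confirm exact punctuation against a
# live answer before relying on them.
NO_EVENTS = "No integrity violations found."
ERROR_MARKER = "[no results]"

DETAIL_COLUMNS = ("timestamp", "process_path", "path", "user",
                  "change_type", "detail", "watchlists")
OVERVIEW_COLUMNS = ("process_path", "path", "user", "change_type",
                    "date", "hour", "minute_group")

SAMPLE_ANSWERS = {  # constructed: endpoint name -> answer lines
    "ws-001": [
        r"2024-05-01T10:02:11|C:\Windows\System32\notepad.exe|C:\Windows\System32\drivers\etc\hosts|CORP\alice|Write|size 824->901|Hosts Watchlist",
        r"2024-05-01T10:09:40|C:\Windows\System32\notepad.exe|C:\Windows\System32\drivers\etc\hosts|CORP\alice|Write|size 901->933|Hosts Watchlist",
        r"2024-05-01T10:16:05|C:\Windows\System32\notepad.exe|C:\Windows\System32\drivers\etc\hosts|CORP\alice|Write|size 933->940|Hosts Watchlist",
        r"2024-05-01T10:03:27|C:\Windows\System32\svchost.exe|HKLM\SYSTEM\CurrentControlSet\Services\W32Time|NT AUTHORITY\SYSTEM|Registry Value Set|Start=2|Services Watchlist",
    ],
    "ws-002": [NO_EVENTS],
    "ws-003": [ERROR_MARKER],
}


def classify_answer(lines):
    """Return 'error', 'no_events', or 'events' for one endpoint's answer."""
    if lines == [ERROR_MARKER]:
        return "error"      # page: ask Integrity Monitor Endpoint Tools Status next
    if lines == [NO_EVENTS]:
        return "no_events"
    return "events"


def parse_detail_rows(lines):
    """Parse Details rows into dicts; reject rows with the wrong column count."""
    rows = []
    for line in lines:
        fields = line.split("|")
        if len(fields) != len(DETAIL_COLUMNS):
            raise ValueError(f"malformed Details row: {line!r}")
        rows.append(dict(zip(DETAIL_COLUMNS, fields)))
    return rows


def minute_group(timestamp):
    """Floor a time stamp to its 15-minute bucket: (date, hour, minute_group)."""
    dt = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S")
    return dt.strftime("%Y-%m-%d"), dt.hour, (dt.minute // 15) * 15


def aggregate_overview(rows):
    """Combine events that share process, path, user and operation within each
    15-minute group, the grouping the page describes for the Overview sensor.
    Returns one dict per group, sorted, with a count and the distinct details."""
    groups = defaultdict(lambda: {"count": 0, "details": set()})
    for row in rows:
        date, hour, mg = minute_group(row["timestamp"])
        key = (row["process_path"], row["path"], row["user"],
               row["change_type"], date, hour, mg)
        groups[key]["count"] += 1
        groups[key]["details"].add(row["detail"])
    result = []
    for key in sorted(groups):
        entry = dict(zip(OVERVIEW_COLUMNS, key))
        entry["count"] = groups[key]["count"]
        entry["details"] = sorted(groups[key]["details"])
        result.append(entry)
    return result


def triage(answers):
    """Split a question's answers into endpoints needing a status check,
    endpoints with nothing to review, and aggregated events for the rest."""
    report = {"error": [], "no_events": [], "overview": []}
    for endpoint, lines in sorted(answers.items()):
        status = classify_answer(lines)
        if status == "events":
            for group in aggregate_overview(parse_detail_rows(lines)):
                report["overview"].append({"endpoint": endpoint, **group})
        else:
            report[status].append(endpoint)
    return report


if __name__ == "__main__":
    report = triage(SAMPLE_ANSWERS)
    print("endpoints with errors:", report["error"])
    for group in report["overview"]:
        print(group["endpoint"], group["date"], group["hour"], group["minute_group"],
              group["change_type"], group["path"], "x", group["count"])
```

Because the grouping key mirrors the grid's 15-minute aggregation, the three writes to the hosts file by the same user collapse into two rows (one for the 10:00 group, one for the 10:15 group), while the registry change by SYSTEM stays separate. Endpoints listed under "error" are the ones to follow up with the Integrity Monitor Endpoint Tools Status sensor, as the page describes.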