Viewing events

After a monitor and its watchlists deploy to endpoints, the endpoints return events that match the deployed watchlists.

View events for a monitor, label, or rule

You can view an overview of events that are returned by a monitor or that have a specific label.

  • To view events returned by a monitor in the past day: From the Integrity Monitor menu, go to Monitors and click the name of the monitor for which you want to see events.
  • To view events from the past day that have a specific label: From the Integrity Monitor menu, go to Labels, click the name of the label for which you want to see events, and click the Events tab.

In this view, Integrity Monitor aggregates events that share the same path, user, process, and operation every 15 minutes to help you identify common events on monitored endpoints. To retrieve more specific information about events and the endpoints where they occurred, you can select events and then click Drill Down. For more information, see Tanium Interact User Guide: Drill Down.

To filter the events, use the Filter by text box, or expand the Filters section.

To view earlier events, ask a question using one of the Integrity Monitor sensors. For more information, see Use sensors to view events or event counts. You can view events from the past 250 hours.

Tanium Client Recorder Extension disregards events caused by the Tanium Client, even on watched paths.

Pause and resume the event view

To temporarily stop incoming events from being added to the results grid, click Pause in the results grid. To resume viewing incoming events in real time, click Resume.

The event view automatically pauses when you select events.

Download the full list of events or selected events

To download the full list of events in CSV format, click Export in the results grid.

To download the information from specific events in CSV format, select events from the results grid, and click Export.

Use sensors to view events or event counts

You can ask questions in Interact with the Integrity Monitor sensors to view events with specific criteria or event counts. For more information about asking questions, see Tanium Interact User Guide: Asking questions and searching endpoints.

Sensors provided by Integrity Monitor to view events and event counts

Integrity Monitor - Monitor Events

Description: Returns recorded events. The sensor combines events that share the same path, user, process, and change type into groups by time period.

Parameters:

  • Row Limit: The maximum number of rows to return. Each row is a group of matching events for a time period.
  • Monitor ID: The monitor from which you want to return events. The ID for each monitor appears on its detail page. Specify 0 to return events from all monitors.
  • Rolling Minute Offset: The number of minutes into the past from which to return events. You can view events as old as 15,000 minutes (250 hours).
  • Timestamp minute resolution: The number of minutes to use in grouping matching events.
  • Exclude label list: Specifies whether the CSV Label Search field contains labels that should be excluded from the returned results.
  • CSV Label Search: Labels to include or exclude in the results, depending on whether you enable Exclude label list:
    • Disabled: The returned results include only events with the labels you specify.
    • Enabled: The returned results include only events that do not have the labels you specify.

Returned Columns:

  • Event Time
  • File Path (returns a registry path when applicable)
  • Change Type
  • Process Path
  • User
  • Detail
  • Hash
  • Hashed At
  • Labels
  • Watchlists
  • ServiceNow Change IDs

Integrity Monitor - Monitor Events Unlabeled

Description: Returns recorded events that do not have labels applied. The sensor combines events that share the same path, user, process, and change type into groups by time period. For more information about labels, see Labeling events with rules.

Parameters:

  • Row Limit: The maximum number of rows to return. Each row is a group of matching events for a time period.
  • Monitor ID: The monitor from which you want to return events. The ID for each monitor appears on its detail page. Specify 0 to return events from all monitors.
  • Rolling Minute Offset: The number of minutes into the past from which to return events. You can view events as old as 15,000 minutes (250 hours).
  • Timestamp minute resolution: The number of minutes to use in grouping matching events.

Returned Columns:

  • Event Time
  • File Path (returns a registry path when applicable)
  • Change Type
  • Process Path
  • User
  • Detail
  • Hash
  • Hashed At
  • Watchlists

Integrity Monitor - Event Count

Description: Returns ranges of event counts. You can use this sensor in questions to help identify which endpoints have high numbers of events and might require investigation.

Parameters: None

Returned Columns:

  • Integrity Monitor - Event Count

Integrity Monitor - Event Count By Watchlist

Description: Returns ranges of event counts specific to each watchlist. You can use this sensor in questions to help identify which endpoints have high numbers of events for certain watchlists and might require investigation, or which watchlists generate high numbers of events and might require tuning.

Parameters: None

Returned Columns:

  • Watchlist ID
  • Event Count
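
To show how the Rolling Minute Offset, Timestamp minute resolution, Exclude label list, and CSV Label Search parameters of the Monitor Events sensor shape the rows you get back, the following added example (not Tanium code or sensor output) applies the described grouping and label filtering to constructed events. The timestamp format, the list-valued Labels field, matching on any one of several labels, and skipping the filter when no labels are given are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real Tanium output). Keys follow the sensor's
# returned columns; timestamp format and list-valued Labels are assumptions.
NOW = datetime(2024, 5, 1, 11, 0, 0)
EVENTS = [
    {"Event Time": "2024-05-01T10:02:11", "File Path": "/etc/passwd", "Change Type": "Write",
     "Process Path": "/usr/bin/vi", "User": "root", "Labels": ["planned-change"]},
    {"Event Time": "2024-05-01T10:09:40", "File Path": "/etc/passwd", "Change Type": "Write",
     "Process Path": "/usr/bin/vi", "User": "root", "Labels": ["planned-change"]},
    {"Event Time": "2024-05-01T10:16:05", "File Path": "/etc/passwd", "Change Type": "Write",
     "Process Path": "/usr/bin/vi", "User": "root", "Labels": ["planned-change"]},
    {"Event Time": "2024-05-01T10:20:30", "File Path": "/etc/sudoers", "Change Type": "Write",
     "Process Path": "/usr/bin/tee", "User": "svc-app", "Labels": []},
    {"Event Time": "2024-04-20T08:00:00", "File Path": "/etc/hosts", "Change Type": "Create",
     "Process Path": "/usr/bin/cp", "User": "root", "Labels": []},
]

def group_events(events, now, rolling_minute_offset=15000, resolution=15,
                 labels=(), exclude_label_list=False):
    """Return {(bucket_start, path, user, process, change_type): event_count}."""
    cutoff = now - timedelta(minutes=rolling_minute_offset)
    wanted = set(labels)
    groups = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["Event Time"])
        if ts < cutoff or ts > now:
            continue  # older than the rolling window (15,000 minutes at most)
        if wanted:  # no labels given: no label filtering (assumption)
            matched = bool(wanted & set(ev["Labels"]))  # any-match is an assumption
            if matched == exclude_label_list:
                continue  # include mode drops non-matches; exclude mode drops matches
        # Floor the timestamp to the start of its resolution-minute bucket
        # (counted from midnight, so use a resolution that divides 1440).
        minutes = ts.hour * 60 + ts.minute
        start = ts.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(
            minutes=minutes - minutes % resolution)
        key = (start, ev["File Path"], ev["User"], ev["Process Path"], ev["Change Type"])
        groups[key] += 1
    return dict(groups)

if __name__ == "__main__":
    for key, count in sorted(group_events(EVENTS, NOW).items()):
        print(count, *key)
```

Excluding a label that marks expected activity (here the constructed `planned-change` label) leaves only the unlabeled write to `/etc/sudoers`, which is the kind of row worth a Drill Down.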