After a monitor and watchlists are deployed to endpoints, events get returned that match the deployed watchlists.
You can view an overview of events that are returned by a monitor or that have a specific label.
- To view events returned by a monitor in the past day: From the Integrity Monitor menu, go to Monitors and click the name of the monitor for which you want to see events.
- To view events from the past day that have a specific label: From the Integrity Monitor menu, go to Labels, click the name of the label for which you want to see events, and click the Events tab.
In this view, Integrity Monitor aggregates events that share the same path, user, process, and operation every 15 minutes to help you identify common events on monitored endpoints. To retrieve more specific information about events and the endpoints where they occurred, you can select events and then click Drill Down. For more information, see Tanium Interact User Guide: Managing question results.
To filter the events, use the Filter by text box, or expand the Filters section.
To view earlier events, ask a question using one of the Integrity Monitor sensors: see Use sensors to view events or event counts. You can view events from the past 250 hours.
Tanium Client Recorder Extension disregards events caused by the Tanium Client, even on watched paths.
Pause and resume the event view
To temporarily stop incoming events from being added to the results grid, click Pause in the results grid. To resume viewing incoming events in real time, click Resume .
The event view automatically pauses when you select events.
Download the full list of events or selected events
To download the full list of events in CSV format, click Export in the results grid.
To download the information from specific events in CSV format, select events from the results grid, and click Export.
You can ask questions in Interact with the Integrity Monitor sensors to view events with specific criteria or event counts. For more information about asking questions, see Tanium Interact User Guide: Asking questions.
|Integrity Monitor - Monitor Events||
Returns recorded events. The sensor combines events that share the same path, user, process, and change type into groups by time period.
|Integrity Monitor - Monitor Events Unlabeled||Returns recorded events that do not have labels applied. The sensor combines events that share the same path, user, process, and change type into groups by time period. For more information about labels, see Labeling events with rules.||
|Integrity Monitor - Monitor Event Count||Returns ranges of event counts. You can use this sensor in questions to help identify which endpoints have high numbers of events and might require investigation.||None||Integrity Monitor - Event Count|
|Integrity Monitor - Event Count By Watchlist||Returns ranges of event counts specific to each watchlist. You can use this sensor in questions to help identify which endpoints have high numbers of events for certain watchlists and might require investigation, or which watchlists generate high numbers of events and might require tuning.||None||
Last updated: 9/2/2022 1:18 PM | Feedback