Working with events

To view the events for a deployed monitor, click Monitors in the Integrity Monitor menu, and then click the name of the monitor for which you want to see events. In the overview of events, Integrity Monitor aggregates events that share the same path, user, process, and operation every 15 minutes to help you identify common events on monitored endpoints.

How you work with events is affected by whether you are using a monitor that is configured to use legacy labeling or enhanced labeling. For more information about labeling methods, see Get started quickly with Integrity Monitor.

Filter results

Use advanced filters to filter events based on match conditions, including column values.

  1. From the Integrity Monitor menu, click Monitors, and then click the name of the monitor.
  2. Expand Advanced Filtering, and then click Add.
  3. Click Add Row to add a condition, or click Add Group to nest a Boolean operator.
  4. For each condition that you add, select a filter field and operator, enter a filter value, and then click Apply.
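The filter rows and nested groups above combine into one Boolean expression that is evaluated against every event. The following Python is an added example, not Tanium code: it evaluates a small nested filter (a row ANDed with an OR group) over constructed events. The JSON shape, the operator names, and the event field names are assumptions for illustration; the product's filter format may differ.

```python
"""Evaluate a nested Boolean filter (condition rows inside AND/OR groups) over
Integrity Monitor-style events.  Added example, not Tanium code; the JSON shape,
operator names and field names are assumptions for illustration."""
from typing import Any, Callable

# Hypothetical operator set; the product's operator names may differ.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "not equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
    "starts with": lambda actual, expected: actual.startswith(expected),
}


def matches(event: dict[str, str], node: dict[str, Any]) -> bool:
    """A node is a condition row {"field", "operator", "value"} or a group
    {"op": "and" | "or", "rows": [...]} whose rows may themselves be groups.
    An empty AND group matches everything and an empty OR group matches nothing,
    which is exactly what all() and any() return on an empty sequence."""
    if "rows" in node:
        combine = all if node.get("op", "and").lower() == "and" else any
        return combine(matches(event, child) for child in node["rows"])
    try:
        op = OPERATORS[node["operator"]]
    except KeyError as exc:
        raise ValueError(f"unsupported operator: {node['operator']!r}") from exc
    # A column missing from the event compares as an empty string rather than raising.
    return op(event.get(node["field"], ""), node["value"])


def filter_events(events: list[dict[str, str]], node: dict[str, Any]) -> list[dict[str, str]]:
    return [e for e in events if matches(e, node)]


# Constructed sample events (not real endpoint data).
SAMPLE_EVENTS = [
    {"process": "C:\\Windows\\System32\\svchost.exe", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "user": "NT AUTHORITY\\SYSTEM", "change": "modify"},
    {"process": "C:\\Users\\alice\\Downloads\\update.exe", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "user": "CORP\\alice", "change": "modify"},
    {"process": "/usr/bin/vim", "path": "/etc/sudoers", "user": "root", "change": "modify"},
    {"process": "/usr/bin/vim", "path": "/home/bob/.bashrc", "user": "bob", "change": "modify"},
]

# "Changes under system configuration paths that were NOT made by the Windows
# SYSTEM account": one row ANDed with a nested OR group of two path conditions.
FILTER = {
    "op": "and",
    "rows": [
        {"field": "user", "operator": "not equals", "value": "NT AUTHORITY\\SYSTEM"},
        {"op": "or", "rows": [
            {"field": "path", "operator": "starts with", "value": "C:\\Windows\\System32\\"},
            {"field": "path", "operator": "starts with", "value": "/etc/"},
        ]},
    ],
}

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS, FILTER):
        print(e["user"], e["process"], e["path"])
```

Only the hosts-file change by CORP\alice and the sudoers edit by root survive the filter; the SYSTEM-owned change is excluded by the first row and the .bashrc edit by the OR group. Note the empty-group behaviour in the docstring when you build filters programmatically: an empty OR group silently matches nothing.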

Use sensors to view events

Integrity Monitor provides the following sensors to view events:

  • Integrity Monitor File Events Overview: Included columns for each event are process path, file or registry path, user, change type, date, hour, minute group, detail. The Current Results tab for a monitor that uses legacy labeling uses this sensor.

    Using the minute group instead of the full event time stamp allows the events to be grouped.

  • Integrity Monitor File Events Details: Included columns for each event are time stamp, process path, file or registry path, user, change type, detail, and watchlists. This sensor is available to use in Saved Questions in Connect.

For monitors that use enhanced labeling, Integrity Monitor also provides the following sensors to view events:

  • Integrity Monitor Labeled File Events Details: This sensor contains the same columns as the Integrity Monitor File Events Details sensor, but it returns only events that have labels applied.

    The results grid for a monitor with enhanced labeling uses the Integrity Monitor Filtered File Events Overview and Integrity Monitor Filtered File Events Details sensors, which include a parameter for a filter expression in JSON format. Though you can ask questions in Interact using these sensors, it is a best practice to use the Integrity Monitor Labeled File Events Details sensor in questions.

  • Integrity Monitor Unlabeled File Events Overview: This sensor contains the same columns as the Integrity Monitor File Events Overview sensor, but it returns only events that do not have labels applied.
  • Integrity Monitor Unlabeled File Events Details: This sensor contains the same columns as the Integrity Monitor File Events Details sensor, but it returns only events that do not have labels applied.
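The 15-minute aggregation described at the top of this page and the minute group column of the File Events Overview sensor are the same mechanism: the timestamp is floored to a quarter hour so that events sharing process path, file or registry path, user, and change type within that window collapse into one row. The following Python is an added example, not Tanium code, that performs that grouping over constructed events; the field names are assumptions.

```python
"""Group raw file events into 15-minute "minute groups" the way the events
overview does: events sharing process path, file or registry path, user and
change type within the same quarter hour collapse into one row with a count.
Added example, not Tanium code; field names are assumptions."""
from datetime import datetime, timezone

BUCKET_MINUTES = 15


def minute_group(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 15-minute window (:00, :15, :30, :45)."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def aggregate(events: list[dict]) -> list[dict]:
    """Return one row per (minute group, process, path, user, change) with a
    count and the first/last raw timestamp seen, sorted by window then key."""
    rows: dict[tuple, dict] = {}
    for e in events:
        key = (minute_group(e["time"]), e["process"], e["path"], e["user"], e["change"])
        row = rows.get(key)
        if row is None:
            row = rows[key] = {"minute_group": key[0], "process": e["process"], "path": e["path"],
                               "user": e["user"], "change": e["change"], "count": 0,
                               "first": e["time"], "last": e["time"]}
        row["count"] += 1
        row["first"] = min(row["first"], e["time"])
        row["last"] = max(row["last"], e["time"])
    return [rows[k] for k in sorted(rows)]


def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)


HOSTS = "C:\\Windows\\System32\\drivers\\etc\\hosts"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
UPDATER = "C:\\Users\\alice\\Downloads\\update.exe"
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample events (not real endpoint data): three svchost writes in the
# 10:00 window, one in the 10:15 window, and one write by a different user.
SAMPLE_EVENTS = [
    {"time": _t(10, 2), "process": SVCHOST, "path": HOSTS, "user": SYSTEM, "change": "modify"},
    {"time": _t(10, 9), "process": SVCHOST, "path": HOSTS, "user": SYSTEM, "change": "modify"},
    {"time": _t(10, 14), "process": SVCHOST, "path": HOSTS, "user": SYSTEM, "change": "modify"},
    {"time": _t(10, 5), "process": UPDATER, "path": HOSTS, "user": "CORP\\alice", "change": "modify"},
    {"time": _t(10, 16), "process": SVCHOST, "path": HOSTS, "user": SYSTEM, "change": "modify"},
]

if __name__ == "__main__":
    for r in aggregate(SAMPLE_EVENTS):
        print(r["minute_group"].strftime("%H:%M"), r["count"], r["user"], r["process"], r["path"])
```

Five raw events become three overview rows. The practical consequence for triage is that a burst of identical changes is one row with a count, while a write to the same file by a different user or process never merges with it; anything that needs the exact timestamp of each event belongs in a question on the Details sensor instead.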

Run tools status sensor to resolve no results error

When an endpoint has no resulting events, the event sensors display No integrity violations found.

If [no results] is displayed, there is an error on the endpoint. Ask a question with the Integrity Monitor Endpoint Tools Status sensor in Interact to identify the error. For more information about asking questions, see Tanium Interact User Guide: Asking questions. For help in resolving the error, see Reference: Endpoint monitoring status errors.

Learn an event from current results

Currently, if you are using a monitor that is configured for enhanced labeling, you cannot learn an event from current results.

  1. To create a rule from an event, select an event and click Learn Event.
  2. On the Create Rule page, the Rule Criteria fields are pre-populated with criteria from the event that you selected. Complete the other necessary fields and click Create.

For more information about rules, see Working with rules.

Label current results

Use labels to annotate events or to indicate action that needs to be taken on events.

Currently, if you are using a monitor that is configured for enhanced labeling, you cannot manually add labels to events, add notes to labeled events, or access label history. You can customize labels and use rules to apply them. For more information about using rules, see Working with rules.

Integrity Monitor includes these default labels:

  • Important
  • Suspicious
  • Expected
  • Ignored
  • Planned

By default, the labels Important and Suspicious are configured to notify Connect. The Connect icon appears with these labels.

In the results grid for a monitor, select one or more events, click Label, and then click the label you want to apply.

Labels applied to an event appear in the Labels column.

Integrity Monitor provides shortcuts to toggle the first 10 labels using the number keys. Each number corresponds to the listed order of the labels. For example, if Important is the third label in the list, then you can select one or more events and press the 3 key to apply the Important label. Press the 3 key with an event selected that already has the Important label to remove the label.

Use rules to automatically label events and get notified of events of concern. For more information, see Working with rules.

Remove a label from an event

To remove a label from an event, follow the same steps to apply the label to that event. Select the event, and then select the label from the Label drop-down list.

Customize labels

Any change to a default label affects every monitor.

  1. From the Integrity Monitor menu, click Labels, and then click Legacy Labeling or Enhanced Labeling to view the list of legacy or enhanced labels.

    For more information about legacy and enhanced labels, see Get started quickly with Integrity Monitor.

  2. Click Edit for the label you want to edit, or click Create Label to create a new label.
  3. Edit the Name, Color, and Description.
  4. For legacy labels only, select Notify Connect to include the label in results sent to Connect.
  5. Click Save.

To delete a label, click Delete.

You can also create and apply a new label from the results grid by selecting one or more events and clicking Label > Create Label.

Add notes to labels

You can add notes to labeled events to provide additional information, such as action being taken.

To add a note to an existing label and apply it to an event:

  1. In the results grid for a monitor, select the events to which you want to apply the label.
  2. Click Label > Label with Note.
  3. In the Label with Note dialog, select a Label to apply.
  4. In the Note field, enter a note, and then click Save.

After a label with a note is applied to an event, a note icon appears with the label. Hover over the icon to see the note.

To edit a note or remove it from a label, modify or clear the Note field in the Label with Note dialog.

Review label history

  1. To view historical records of how events have been labeled, click the Label History tab.
  2. Expand an event to see label details and any notes.

Add or edit notes in label history

  1. Select one or more labels and click Manage Note.
  2. Enter a new note or edit a note in the Manage Note dialog and click Save.

Filter label history

  1. Expand Filter Results.
  2. Select a filter field and operator, enter a filter value, and click Apply.
  3. To further narrow results with additional filters, click Add to add a row or a group.
  4. Click Search after you have entered all filter criteria.

For a monitor that uses legacy labeling, the following limits apply to labeled events:

  • Integrity Monitor deletes labeled events from the label history after 308 days.
  • Integrity Monitor stores up to 1 million labeled events. When you exceed 1 million labeled events, Integrity Monitor deletes the oldest labeled events to bring the total count back down to 1 million. Labeled events are kept for at least 72 hours after they are created, regardless of whether the total count is greater than 1 million in that time period.
  • If reporting is enabled for a monitor and you exceed 1 million labeled events before the report is scheduled to run, Integrity Monitor deletes the oldest labeled events to bring the total count back down to 1 million. A new report is created that includes events since the last report and any events that have been deleted.
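The three limits interact: the age limit is unconditional, the count cap deletes oldest first, and the 72-hour floor overrides the cap, so the store can briefly hold more than 1 million events if enough of them are new. The following Python is an added example, not Tanium code, that applies those rules to constructed records; the cap is passed as a parameter so the behaviour can be shown with a handful of events rather than a million.

```python
"""Apply the legacy-labeling retention limits to labeled events: drop anything
older than 308 days, cap the store by deleting the oldest events, but never
delete an event that is less than 72 hours old.  Added example, not Tanium
code; max_count is scaled down in the usage below to show the edge cases."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=308)
MAX_COUNT = 1_000_000
MIN_RETENTION = timedelta(hours=72)


def prune(events: list[dict], now: datetime, max_count: int = MAX_COUNT) -> list[dict]:
    """Return the events that survive one pruning pass, oldest first.
    The 72-hour floor wins over the count cap: if more than max_count events
    are under 72 hours old, the result stays above max_count."""
    kept = sorted((e for e in events if now - e["created"] < MAX_AGE),
                  key=lambda e: e["created"])
    excess = len(kept) - max_count
    if excess <= 0:
        return kept
    # Deletion candidates, oldest first, excluding anything under 72 hours old.
    removable = [i for i, e in enumerate(kept) if now - e["created"] >= MIN_RETENTION]
    doomed = set(removable[:excess])
    return [e for i, e in enumerate(kept) if i not in doomed]


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed labeled-event records, named by their age at NOW.
SAMPLE = [
    {"id": "expired", "created": NOW - timedelta(days=400)},
    {"id": "old-10d", "created": NOW - timedelta(days=10)},
    {"id": "old-5d", "created": NOW - timedelta(days=5)},
    {"id": "old-4d", "created": NOW - timedelta(days=4)},
    {"id": "new-2h", "created": NOW - timedelta(hours=2)},
    {"id": "new-1h", "created": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    print([e["id"] for e in prune(SAMPLE, NOW)])               # only the 400-day-old record goes
    print([e["id"] for e in prune(SAMPLE, NOW, max_count=3)])  # cap enforced on the older records
    print([e["id"] for e in prune(SAMPLE, NOW, max_count=1)])  # floor wins: two events remain
```

If you mirror labeled events into a SIEM, treat this store as a buffer rather than an archive: a burst of labeling can push events out well before 308 days, and the report behaviour in the third bullet above exists precisely so those deleted events still reach a report.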

Use Connect to send events

Sending events from monitors that use enhanced labeling

For monitors that use enhanced labeling, you can create saved questions that include any of the sensors provided by Integrity Monitor, and then use those saved questions as connection sources in Connect.

When sending events to a SIEM, SOAR, or other data lake, send only unlabeled events and those required for regulatory compliance and auditing. (In some cases, this might include all events.)

  1. Create a saved question that returns the events you want to report using the Integrity Monitor Labeled File Events Details or Integrity Monitor Unlabeled File Events Details sensor. Include any other sensors you want to include as columns in the data. For more information, see Tanium Interact User Guide: Managing saved questions.
  2. From the Connect menu, click Connections.
  3. Click Create Connection > Create to create a new connection, and configure the settings in the General Information section.
  4. For the connection source, select Saved Question, select the saved question you created, and configure any other source settings as appropriate. For more information, see Tanium Connect User Guide: Connection sources.
  5. Configure the destination settings for the connection. For more information, see Tanium Connect User Guide: Connection destinations.
  6. Configure remaining settings, and click Create Connection to save the new connection.

Email connections, including those used to create incidents in ServiceNow, are unavailable in TaaS.

Create incidents for unlabeled events in ServiceNow Incident Management

If you use ServiceNow Incident Management, you can create incidents based on unlabeled events by using an email destination in Connect and configuring email actions in ServiceNow to create incidents.

  1. Configure inbound email actions in ServiceNow to create incidents based on emails from Tanium. For more information, see ServiceNow Product documentation.
  2. Create a saved question using the Integrity Monitor Unlabeled File Events Details sensor, and create a connection in Connect using that saved question as the connection source.
  3. Expand the Advanced section under Source and Destination, and select Flatten Results.
  4. For the connection destination, select Email.
  5. For Subject, enter a subject that ServiceNow expects for emails intended to create incidents for unlabeled events from Integrity Monitor.
  6. Enter a From Address, and configure the settings in the Mail Configuration section for your environment.
  7. For To Addresses, enter the address where your ServiceNow instance receives email.
  8. Expand the Advanced Settings section, select Attachment, and enter an Attachment File Name that ends with .csv.
  9. For Format, select CSV, and select Include Headers.
  10. Configure remaining settings, and click Create Connection to save the new connection.

For more information about configuring email destinations in Connect, see Tanium Connect User Guide: Configuring email destinations.

Manually run the new email connection while monitoring incidents in ServiceNow to make sure that new incidents are successfully created. When a new incident is received, open it and make sure that it includes a CSV file that contains the expected information.

Sending events from monitors that use legacy labeling

  1. From the results grid for a monitor, click Send All Events To Connect.
  2. In the Create Connection prompt, click Yes.

    The connection is created using the Integrity Monitor File Events Overview saved question for the current monitor as the source, and results are sent to a CSV file by default.

  3. To modify the connection in Connect, click All events connection > Edit.
  4. On the Edit Connection page in Connect, configure the destination and any other appropriate settings.

For more information about Connect, see Tanium Connect User Guide: Connect overview.

To navigate back to Integrity Monitor, use the Main menu.

To remove the connection, click All events connection > Delete.

Send only labeled events

  1. Click the Label History tab, and then click Send Label Events To Connect.
  2. In the Create Connection prompt, click Yes.

    The connection is created using the Tanium Integrity Monitor event group and the current monitor as the source, and by default, results are sent to a CSV file.

    When you expand an event on the Label History tab, the Connect icon appears with labels that are configured to be sent to Connect. A check mark appears in the Connect column to confirm that a notification has been sent to Connect.

    For information on configuring which labels are sent to Connect, see Customize labels.

  3. To modify the connection in Connect, click Label Events Connection > Edit.

  4. On the Edit Connection page in Connect, configure the destination and any other appropriate settings.

Adjust the interval at which labeled events are sent

  1. From the Integrity Monitor Home page, click Settings, and then click the General Settings tab.
  2. Select a Labeled Event Sync Interval.

    This setting determines the interval that Integrity Monitor sends labeled results to Connect and that Connect sends these labeled results to the destination. The default value is 30 minutes.

  3. Click Save.

Configure reports for current results

Currently, if you are using a monitor that is configured for enhanced labeling, you cannot use reports. Instead, you can use saved questions in Connect to send events to reports and external destinations. For more information, see Sending events from monitors that use enhanced labeling.

  1. From the Integrity Monitor menu, click Monitors, and then click the name of the monitor.
  2. Click the Reports tab, and then click Enable Reports.

    If you want to stop reporting at any time for a specific monitor, click Disable reporting for this monitor.

  3. To view reports for a monitor, select the monitor and click the Reports tab. The most recent report is listed first. A report shows all label events for the defined weekly report interval. Columns in the report for a monitor match the label history for that monitor.
  4. The report shows labels that were created during the time interval that the report covers, so if an event occurred outside that time range, but was labeled within the time range, it appears in the report. A report could cover more or less than 7 days of labels if you change the report interval. Integrity Monitor reports in this manner to prevent duplication or gaps in the reports.

    Example 1: Reports run on Sunday at midnight. On Tuesday, you change the report to run on Wednesday at midnight. The first report on Wednesday covers 3 days.

    Example 2: Reports run on Sunday at midnight. On Thursday, you change the report to run on Wednesday at midnight. The first report on Wednesday covers 10 days.
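The two examples follow from one rule: the first report after a schedule change starts where the previous report ended and ends at the next run of the new schedule. The following Python is an added example, not Tanium code, that computes that window for both examples and shows why an event that occurred before the window still appears when it was labeled inside it. It uses Python's weekday numbering (Monday is 0, Sunday is 6) and the default Sunday 12:00 AM UTC schedule; the label record fields are assumptions.

```python
"""Work out what the first weekly report covers after its schedule is changed,
and which labeled events fall into it.  Added example, not Tanium code; it
reproduces the two examples in the text.  Weekday numbers follow Python
(Monday=0 ... Sunday=6); label record fields are assumptions."""
from datetime import datetime, time, timedelta, timezone

SUNDAY, WEDNESDAY = 6, 2
DEFAULT_TIME = time(0, 0)   # default schedule: 12:00 AM UTC
UTC = timezone.utc


def next_run(after: datetime, weekday: int, at: time) -> datetime:
    """First occurrence of a weekly schedule strictly after `after`."""
    candidate = datetime.combine(after.date(), at, tzinfo=after.tzinfo)
    candidate += timedelta(days=(weekday - candidate.weekday()) % 7)
    if candidate <= after:
        candidate += timedelta(days=7)
    return candidate


def first_report_window(last_report: datetime, changed_at: datetime,
                        new_weekday: int, new_time: time = DEFAULT_TIME) -> tuple[datetime, datetime]:
    """The report after a schedule change starts where the previous one ended
    and ends at the next run of the new schedule, so it can cover more or fewer
    than 7 days but never overlaps the previous report or leaves a gap."""
    return last_report, next_run(changed_at, new_weekday, new_time)


def events_in_report(labels: list[dict], start: datetime, end: datetime) -> list[dict]:
    """A report is keyed on when the label was applied, not when the event
    occurred, so an old event labeled inside the window is included."""
    return [lbl for lbl in labels if start <= lbl["labeled_at"] < end]


LAST_SUNDAY = datetime(2024, 3, 3, 0, 0, tzinfo=UTC)    # previous run, Sunday midnight
TUESDAY = datetime(2024, 3, 5, 9, 30, tzinfo=UTC)       # schedule changed (example 1)
THURSDAY = datetime(2024, 3, 7, 9, 30, tzinfo=UTC)      # schedule changed (example 2)

# Constructed label records: the first event predates the window but was labeled inside it.
LABELS = [
    {"event_time": datetime(2024, 2, 20, 8, 0, tzinfo=UTC),
     "labeled_at": datetime(2024, 3, 4, 15, 0, tzinfo=UTC), "label": "Suspicious"},
    {"event_time": datetime(2024, 3, 4, 8, 0, tzinfo=UTC),
     "labeled_at": datetime(2024, 3, 9, 15, 0, tzinfo=UTC), "label": "Expected"},
]

if __name__ == "__main__":
    for changed in (TUESDAY, THURSDAY):
        start, end = first_report_window(LAST_SUNDAY, changed, WEDNESDAY)
        print(f"changed on {changed:%A}: report covers {(end - start).days} days,",
              [lbl["label"] for lbl in events_in_report(LABELS, start, end)])
```

Changing on Tuesday yields a 3-day report ending Wednesday midnight; changing on Thursday yields a 10-day report, because the coming Wednesday has already passed and the next one is a week later. In both cases the Suspicious label, applied on Monday to an event from February, is in the report even though the event itself is not.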

To download a report as a zipped CSV file, click Download.

To delete a report, click Delete.

Set the weekly report schedule

By default, when you choose to run reports for a monitor, they are run every Sunday at 12:00 AM UTC. To change the schedule:

  1. From the Integrity Monitor Home page, click Settings, and then click the General Settings tab.
  2. In the Weekly Report Schedule section, edit the Day of the Week and Time fields as appropriate for all reports.