Labeling events

Use labels to annotate events or to indicate which events need investigation or remediation, and use rules to automatically label events based on their attributes.

With enhanced labeling, you can use rules to automatically apply labels to events. With basic labeling, you can use rules to automatically apply labels to events, or you can manually apply labels to events. For more information about labeling methods, see Basic labeling and enhanced labeling.

Integrity Monitor includes the following default labels:

  • Important
  • Suspicious
  • Expected
  • Ignored
  • Planned

When you are using basic labeling, the labels Important and Suspicious are configured so that events that receive these labels are sent to Connect by default. The Connect icon appears with these labels. For more information, see Send events from basic monitors.

For basic labeling, the following limits apply to labeled events:

  • Integrity Monitor deletes labeled events after 308 days.
  • Integrity Monitor stores up to 1 million labeled events. When you exceed 1 million labeled events, Integrity Monitor deletes the oldest labeled events to bring the total count back down to 1 million. Labeled events are kept for at least 72 hours after they are created, regardless of whether the total count is greater than 1 million in that time period.
  • If reporting is enabled for a monitor and you exceed 1 million labeled events before the report is scheduled to run, Integrity Monitor deletes the oldest labeled events to bring the total count back down to 1 million. A new report is created that includes events since the last report and any events that have been deleted.

Customize labels

You can customize the default labels or create you own labels. After you define labels, you can associate the labels with rules.

Any change to a default label affects every monitor.

  1. From the Integrity Monitor menu, go to Labels > Enhanced Labels or Labels > Basic Labels to view the list of enhanced or basic labels.

    For more information about basic and enhanced labels, see Basic labeling and enhanced labeling.

  2. Click Edit in the row for the label you want to edit, or click Create Label to create a new label.
  3. Edit the Name and Description.

    You cannot edit the name of an existing label.

  4. (Basic labels) Select a Color, and to include the label in events sent to Connect, select Notify Connect.
  5. Click Save.

To delete a label, click Delete in the row for the label.

You can also create and apply a new label from the results grid by selecting one or more events and clicking Label > Create Label.

Use rules to automatically label events

Create rules to automatically label events based on their attributes. You can configure rules to help differentiate among planned, expected, ignored, or suspicious changes, or you can use rules to apply custom labels to suit your environment.

Each rule applies to a single monitor and can apply a single label based on the criteria you specify.

Create rules to apply default labels as appropriate:

  • Create rules that apply the Planned label to events that occur during an approved change window. You can also integrate Integrity Monitor with your IT workflow in ServiceNow Change Management to determine change windows based on change requests or change tasks. For more information, see Integrating with IT workflows.
  • Create rules that apply the Expected label to events for changes performed by approved administrator or service accounts.
  • Create rules that apply the Suspicious label to events for changes that normally should not occur.

Create a rule

  1. From the Integrity Monitor menu, go to Rules > Enhanced Rules or Rules > Basic Rules, depending on whether you want the rule to apply to an enhanced monitor and enhanced labeling or a basic monitor and basic labeling. For more information about labeling methods, see Basic labeling and enhanced labeling.
  2. On the Enhanced Rules or Basic Rules page, click Create Rule.
  3. In the Summary section, enter a Name and Description.
  4. In the Rule Criteria section, select a filter field and operator, enter the appropriate criteria, and click Apply.
  5. Click Row or Grouping to add additional criteria and groups of conditions as necessary, and select AND or OR to determine how the conditions are applied.
  6. In the Actions section, select the Monitor to which you want to apply this rule and the Label you want to apply to events that match the rule. (Optional) Enter a Label Note to be applied with the label.
  7. Click Create.

Newly created rules only affect new events. Past events cannot be labeled by a new rule.

For basic monitors, it might take an hour or more for a new event that meets the rule criteria to be labeled. For enhanced monitors, events are labeled by rules as they occur and appear within approximately two minutes.

Learn a rule from an event (basic labeling)

Create a new rule based on a specific event.

If you are using a monitor that is configured for enhanced labeling, you cannot learn an event.

  1. From the results grid for a monitor, label, or rule, select an event and click Learn Event. For more information about viewing events, see View events for a monitor, label, or rule.
  2. On the Create Rule page, the Rule Criteria settings are pre-populated with criteria from the event that you selected. Complete the other necessary fields and click Create. For more information about configuring the rule, see Create a rule.

Import rules

You can also import multiple rules from a CSV file.

  1. On the Enhanced Rules or Basic Rules page, click Import Rules .
  2. In the Import Rules window, click Choose File.

  3. Browse to a CSV file, and click Open.

  4. Click Import. The imported rules appear on the Enhanced Rules or Basic Rules page.

Example Tanium CSV file used to import rules

name,description,note,monitor_id,label_id,field,operator,value

app1 generated events,events generated by app1,CR12345,1,5,,,

,,,,,process,eq,C:/Program Files/app1/app1.exe

,,,,,file,contains,C:/Program Files/app1

rule 2,rule 2 description,rule 2 note,1,5,,,

,,,,,event_timestamp,gt,2018-06-01T06:00:00.000Z

,,,,,event_timestamp,lt,2018-07-01T06:00:00.000Z

,,,,,file,contains,C:/Program Files


The first line of the file defines the field names of name, description, note, monitor_id, label_id, field, operator, and value. The first line for a rule defines the settings for a rule using the name, description, note, monitor_id, and label_id, and the values for field, operator, and value are left blank. The subsequent lines have blank values for name, description, note, monitor_id, and label_id, and define each condition for the rule using the field, operator, and value fields. Imported conditions are in a single group and use the AND operator.

The preceding CSV example contains two rules that each apply to the monitor with ID 1, and apply the label with ID 5:

  • The rule named app1 generated events defines two conditions.
  • The rule named rule 2 defines three conditions.

Deploy rules (enhanced labeling)

Enhanced rules are deployed to endpoints to apply labels to events directly on endpoints. (Basic rules are applied on the Module Serverin TaaS and are not deployed to endpoints.)

After you create, delete, or save updates to an enhanced rule, a Deploy Now banner appears, and Pending Active appears in the Status column for the rule on the Enhanced Rules page. To deploy the updates to the configured endpoints, click Deploy Now in the banner or Deploy Rules on the Enhanced Rules page.

When you deploy rules, you deploy all rules. When you take an action on rules (such as creating, deactivating, or deleting), you are prompted to deploy all rules. For best results, create all planned rules and then deploy them at the same time.

If you have enabled Endpoint Configuration, rule deployment must be approved in Endpoint Configuration before rules are deployed to endpoints.

Rules are automatically redeployed when the Integrity Monitor module is upgraded in TaaS, which could occur without prior notice. If you have not yet deployed a newly created rule, it is automatically deployed if the module is upgraded before you manually deploy it.

Deactivate a rule

Deactivate a rule if you no longer want the rule to run. On the Enhanced Rules or Basic Rules page, select the rule you want to deactivate and click Deactivate.

Unlike deleting a rule, deactivating a rule does not delete any labeled events associated with the rule.

For auditing reasons, deactivation is permanent. If you want to reactivate the rule, you must copy it and save the new rule.

Duplicate a rule

For auditing reasons, you cannot directly edit a rule or reactivate a deactivated rule. However, you can duplicate an existing rule, modify settings, and save the new rule.

  1. From the Enhanced Rules or Basic Rules page, click Duplicate in the row for the rule you want to duplicate.
  2. On the Create Rule page, the settings are pre-populated to match the rule you copied, and the default Rule Name indicates it is a duplicated rule.
  3. Edit the rule settings as necessary and click Save.

Delete a rule

To delete a rule, on the Enhanced Rules or Basic Rules page, select the rule and click Delete . For enhanced rules, the deletion is pending until the next time you deploy rules.

If you delete a rule, you also delete all labeled events that are associated with that rule.

Manually label events (basic labeling)

If you are using a monitor that is configured for enhanced labeling, you cannot manually add labels to events, or add notes to labeled events. You can, however, use rules to apply labels. For more information about using rules, see Use rules to automatically label events.

In the results grid for a basic monitor, select one or more events, click Label, and then click the label you want to apply.

Labels applied to an event appear in the Labels column.

You can use the number keys as keyboard shortcuts to toggle the first 10 labels. Each number corresponds to the listed order of the labels. For example, if Important is the third label in the list, then you can select one or more events and press 3 to apply the Important label. Press 3 with an event selected that already has the Important label to remove the label.

You can also use rules to automatically label events. For more information, see Labeling events.

Remove a label from an event

To remove a label from an event, follow the same steps to apply the label to that event. Select the event, and then select the label from the Label drop-down list.

Add notes to labels

You can add notes to labeled events to provide additional information, such as action being taken.

To add a note to an existing label and apply it to an event:

  1. In the results grid for a monitor, select the events to which you want to apply the label.
  2. Click Label > Label with Note.
  3. Select a Label to apply, enter a note, and click Save.

After a label with a note is applied to an event, hover over the note icon to see the note.

To edit a note or remove it from a label, modify or clear the Note field in the Label with Note dialog.