For general best practices related to events, see Events in Server & Workload Protection.
To see the Integrity Monitoring events captured by Server & Workload Protection, go to Events & Reports > Events > Integrity Monitoring Events.
What information is displayed for Integrity Monitoring events?
These columns can be displayed on the Integrity Monitoring Events page. You can click Columns to select which columns are displayed in the table.
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Reason: The Integrity Monitoring rule associated with this event.
- Tag(s): Event tags that are applied to this event.
- Change: The change detected by the integrity rule. Can be: Created, Updated, Deleted, or Renamed.
- Rank: The ranking system provides a way to quantify the importance of events. By assigning "asset values" to computers, and assigning "severity values" to rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank.
- Severity: The Integrity Monitoring rule's severity value.
- Type: Type of entity from which the event originated.
- Key: Path and file name or registry key from which the event originated.
- User: User ID of the file owner.
- Process: Process from which the event originated.
- Event Origin: The Server & Workload Protection component from which the event originated.
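The Rank column is the one most worth automating: the page defines it as the computer's asset value multiplied by the rule's severity value. The script below is an added example written for this page, not code from Trend Micro or from Server & Workload Protection. It applies that definition to a handful of constructed event records, sorts change events by rank, keeps events from a removed computer ("Unknown Computer") in the queue with a default asset value, and separates the rule-definition error and warning events (IDs 8003 to 8016 and 8050 from the table below) so they are routed to whoever maintains the rule rather than treated as host changes. The field names, the numeric scales and every sample value are assumptions.

```python
"""Rank-based triage of Integrity Monitoring events.

Added example written for this page; it is not code from Trend Micro or from
Server & Workload Protection. It applies the column definitions above:
rank = asset value of the computer x severity value of the rule, and the
Change column is one of Created, Updated, Deleted or Renamed. The record field
names, the numeric scales and every sample event below are constructed.
"""
from collections import defaultdict

CHANGE_TYPES = {"Created", "Updated", "Deleted", "Renamed"}

# Event IDs the page lists for rule-definition errors and warnings. They point
# at a rule (or its platform fit) that needs fixing, not at a change on a host.
RULE_PROBLEM_IDS = {8003, 8004, 8005, 8006, 8007, 8008, 8009, 8010, 8011,
                    8012, 8013, 8014, 8015, 8016, 8050}

# Constructed asset values per computer (scale assumed: 1..100).
ASSET_VALUES = {"web-01": 50, "db-01": 100, "build-07": 10}

# Constructed events. "severity" is the rule's severity value (scale assumed:
# 1..4); "event_id" carries the numeric IDs from the table, None otherwise.
EVENTS = [
    {"time": "2024-05-01T08:02:11Z", "computer": "db-01",
     "reason": "Unix - Monitor /etc", "severity": 4, "change": "Updated",
     "type": "File", "key": "/etc/sudoers", "user": "root", "process": "vi",
     "event_id": None},
    {"time": "2024-05-01T08:05:40Z", "computer": "web-01",
     "reason": "Web - Document root", "severity": 2, "change": "Created",
     "type": "File", "key": "/var/www/html/upload.php", "user": "www-data",
     "process": "php-fpm", "event_id": None},
    {"time": "2024-05-01T08:06:02Z", "computer": "Unknown Computer",
     "reason": "Windows - hosts file", "severity": 4, "change": "Deleted",
     "type": "File", "key": r"C:\Windows\System32\drivers\etc\hosts",
     "user": "SYSTEM", "process": "cmd.exe", "event_id": None},
    {"time": "2024-05-01T08:10:00Z", "computer": "build-07",
     "reason": "Custom rule 1001", "severity": 3, "change": None,
     "type": None, "key": None, "user": None, "process": None,
     "event_id": 8011},
    {"time": "2024-05-01T08:00:00Z", "computer": "web-01",
     "reason": "Baseline", "severity": 1, "change": None, "type": None,
     "key": None, "user": None, "process": None, "event_id": 8000},
]


def rank(event, asset_values, default_asset_value=1):
    """Rank = asset value of the computer x severity value of the rule.

    A computer that has been removed shows as "Unknown Computer" and has no
    asset value any more; fall back to a low default so the event still sorts
    instead of disappearing from the queue."""
    asset = asset_values.get(event["computer"], default_asset_value)
    return asset * event["severity"]


def triage(events, asset_values):
    """Change events (Created/Updated/Deleted/Renamed) sorted by rank, highest first."""
    changes = [e for e in events if e.get("change") in CHANGE_TYPES]
    return sorted(changes, key=lambda e: rank(e, asset_values), reverse=True)


def rule_problems(events):
    """Group rule-definition error/warning events by rule name (the Reason column)."""
    grouped = defaultdict(list)
    for e in events:
        if e.get("event_id") in RULE_PROBLEM_IDS:
            grouped[e["reason"]].append(e["event_id"])
    return dict(grouped)


if __name__ == "__main__":
    for e in triage(EVENTS, ASSET_VALUES):
        print(rank(e, ASSET_VALUES), e["computer"], e["change"], e["key"])
    print(rule_problems(EVENTS))
```

With the constructed values the sudoers change on db-01 ranks 400, the new PHP file on web-01 ranks 100, and the hosts-file deletion on the removed computer ranks 4; the 8011 event is reported against "Custom rule 1001" instead of appearing in the change queue. The default asset value for removed computers is a deliberate choice: dropping those events would hide a change that happened shortly before a host was decommissioned.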
List of all Integrity Monitoring events
| ID | Severity | Event | Notes |
|---|---|---|---|
| 8000 | Info | Full Baseline Created | Created when the agent has been requested to build a baseline or went from 0 Integrity Monitoring rules to n (causing the baseline to be built). This event includes information on the time taken to scan (ms) and the number of entities catalogued. |
| 8001 | Info | Partial Baseline Created | Created when the agent had a security configuration where one or more Integrity Monitoring rules changed. This event includes information on the time taken to scan (ms) and the number of entities catalogued. |
| 8002 | Info | Scan for Change Completed | Created when the agent is requested to do a full or partial on-demand scan. This event includes information on the time taken to scan (ms) and the number of CHANGES catalogued. (Ongoing scans for changes based on the FileSystem Driver or the notify do not generate an 8002 event.) |
| 8003 | Error | Unknown Environment Variable in Integrity Monitoring Rule | Created when a rule uses a `${env.EnvironmentVar}` and "EnvironmentVar" is not a known environment variable. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and the name of the unknown environment variable. |
| 8004 | Error | Bad Base in Integrity Monitoring Rule | Created when a rule contains an invalid base directory or key. For example, specifying a FileSet with a base of `c:\foo\d:\bar` would generate this event, or the invalid value could be the result of environment variable substitution that yields a bad value. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and the bad base value. |
| 8005 | Error | Unknown Entity in Integrity Monitoring Rule | Created when an unknown EntitySet is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and a comma-separated list of the unknown EntitySet names encountered. |
| 8006 | Error | Unsupported Entity in Integrity Monitoring Rule | Created when a known but unsupported EntitySet is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and a comma-separated list of the unsupported EntitySet names encountered. Some EntitySet types such as RegistryKeySet are platform-specific. |
| 8007 | Error | Unknown Feature in Integrity Monitoring Rule | Created when an unknown feature is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown feature names encountered. Examples of valid feature values are "whereBaseInOtherSet", "status", and "executable". |
| 8008 | Error | Unsupported Feature in Integrity Monitoring Rule | Created when a known but unsupported feature is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported feature names encountered. Some feature values such as "status" (used for Windows service states) are platform-specific. |
| 8009 | Error | Unknown Attribute in Integrity Monitoring Rule | Created when an unknown attribute is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown attribute names encountered. Examples of valid attribute values are "created", "lastModified" and "inodeNumber". |
| 8010 | Error | Unsupported Attribute in Integrity Monitoring Rule | Created when a known but unsupported attribute is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported attribute names encountered. Some attribute values such as "inodeNumber" are platform-specific. |
| 8011 | Error | Unknown Attribute in Entity Set in Integrity Monitoring Rule | Created when an unknown EntitySet XML attribute is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown EntitySet attribute names encountered. You would get this event if you wrote `<FileSet dir="c:\foo">` instead of `<FileSet base="c:\foo">`. |
| 8012 | Error | Unknown Registry String in Integrity Monitoring Rule | Created when a rule references a registry key that doesn't exist. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and the name of the unknown registry string. |
| 8013 | Error | Invalid WQLSet was used. Namespace or WQL query was missing. | Indicates that the namespace is missing from a WQL query because an integrity rule XML is incorrectly formatted. This can occur only in an advanced case, with custom integrity rules that use and monitor WQL queries. |
| 8014 | Error | Invalid WQLSet was used. An unknown provider value was used. | |
| 8015 | Warning | Inapplicable Integrity Monitoring Rule | Can be caused by a number of reasons, such as platform mismatch, nonexistent target directories or files, or unsupported functionality. |
| 8016 | Warning | Suboptimal Integrity Rule Detected | |
| 8050 | Error | Regular expression could not be compiled. Invalid wildcard was used. | |
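Most of the Error events in this table (8003 to 8013) describe a problem in the rule XML itself, so they can be caught before a custom rule is assigned to any computer. The linter below is an added example written for this page, not the agent's own validation code. It reproduces the conditions the table gives for 8003 (unknown `${env.NAME}`), 8004 (bad base such as `c:\foo\d:\bar`), 8005 (unknown EntitySet), 8011 (unknown EntitySet XML attribute such as `dir=` instead of `base=`) and 8013 (WQLSet without namespace or query). Only what the page shows is treated as known: the EntitySet names FileSet, RegistryKeySet and WQLSet, the `base` attribute and the `${env.NAME}` form. The `<Rule>` wrapper element, the attribute names `namespace` and `wql` on WQLSet, the heuristic for what a valid base looks like, and the sample rule and environment are assumptions made for this example.

```python
r"""Pre-flight checks for a custom Integrity Monitoring rule.

Added example written for this page; it is not the agent's validation code.
It reproduces, before a rule is assigned to any computer, several conditions
the table says produce events 8003, 8004, 8005, 8011 and 8013. Treated as
known because the page shows them: the EntitySet names FileSet, RegistryKeySet
and WQLSet, the "base" attribute, ${env.NAME} substitution, and the bad base
"c:\foo\d:\bar". Assumptions made here: a <Rule> wrapper element, the
attribute names "namespace" and "wql" on WQLSet, the shape heuristic for a
valid base, and the sample rule and environment below.
"""
import re
import xml.etree.ElementTree as ET

KNOWN_ENTITY_SETS = {"FileSet", "RegistryKeySet", "WQLSet"}
# EntitySet XML attributes accepted by this linter. Anything else is the 8011
# condition the page describes (dir= instead of base=). WQLSet names assumed.
KNOWN_XML_ATTRS = {
    "FileSet": {"base"},
    "RegistryKeySet": {"base"},
    "WQLSet": {"namespace", "wql"},
}
ENV_REF = re.compile(r"\$\{env\.([^}]+)\}")


def substitute_env(value, env):
    """Expand ${env.NAME}; return (expanded, [unknown names]) -> 8003 condition."""
    unknown = []

    def repl(match):
        name = match.group(1)
        if name not in env:
            unknown.append(name)
            return ""
        return env[name]

    return ENV_REF.sub(repl, value), unknown


def bad_base(base):
    r"""Heuristic for the 8004 condition (assumed here, not the product's rule).

    A base must start like an absolute path (drive letter or /) and must not
    contain a second drive letter mid-path, as in the page's "c:\foo\d:\bar"."""
    if not base or not re.match(r"^(?:[A-Za-z]:\\|/)", base):
        return True
    return re.search(r"[\\/][A-Za-z]:", base) is not None


def lint_rule(xml_text, env):
    """Return (event_id, message) pairs this rule would be expected to raise."""
    findings = []
    root = ET.fromstring(xml_text)
    for entity_set in root:          # each child of <Rule> is one EntitySet
        tag = entity_set.tag
        if tag not in KNOWN_ENTITY_SETS:
            findings.append((8005, f"unknown EntitySet {tag}"))
            continue
        for attr in entity_set.attrib:
            if attr not in KNOWN_XML_ATTRS[tag]:
                findings.append((8011, f"unknown attribute {attr!r} on {tag}"))
        if tag == "WQLSet":
            if not entity_set.get("namespace") or not entity_set.get("wql"):
                findings.append((8013, "WQLSet is missing namespace or WQL query"))
            continue
        base_raw = entity_set.get("base")
        if base_raw is None:       # nothing to check; 8011 above covers dir=
            continue
        base, unknown = substitute_env(base_raw, env)
        for name in unknown:
            findings.append((8003, f"unknown environment variable {name}"))
        if bad_base(base):
            findings.append((8004, f"bad base {base!r}"))
    return findings


# Constructed sample rule exercising one problem per EntitySet (FooSet is a
# made-up name standing in for an unknown EntitySet).
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files"}
SAMPLE_RULE = r"""<Rule>
  <FileSet base="${env.ProgramFiles}\Vendor\bin"/>
  <FileSet dir="c:\foo"/>
  <FileSet base="c:\foo\d:\bar"/>
  <FileSet base="${env.NOT_SET}\logs"/>
  <WQLSet namespace="root\cimv2"/>
  <FooSet base="/tmp"/>
</Rule>"""

if __name__ == "__main__":
    for event_id, message in lint_rule(SAMPLE_RULE, SAMPLE_ENV):
        print(event_id, message)
```

Run against the sample rule, the first FileSet passes (the variable resolves to a well-formed base), the second raises the 8011 condition for `dir`, the third raises 8004, the fourth raises 8003 and then 8004 because substitution of the missing variable leaves `\logs`, the WQLSet raises 8013, and FooSet raises 8005. The ordering of the 8003/8004 pair is the point of checking after substitution: the page notes that a bad base can be the product of an environment variable rather than a literal typo.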