For general best practices related to events, see Events in Server & Workload Protection.
To see the Integrity Monitoring events captured by Server & Workload Protection, go to Events & Reports > Events > Integrity Monitoring Events.

What information is displayed for Integrity Monitoring events?

These columns can be displayed on the Integrity Monitoring Events page. You can click Columns to select which columns are displayed in the table.
  • Time: Time the event took place on the computer.
  • Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
  • Reason: The Integrity Monitoring rule associated with this event.
  • Tag(s): Event tags that are applied to this event.
  • Change: The change detected by the integrity rule. Can be: Created, Updated, Deleted, or Renamed.
  • Rank: The ranking system provides a way to quantify the importance of events. By assigning "asset values" to computers, and assigning "severity values" to rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank.
  • Severity: The Integrity Monitoring rule's severity value.
  • Type: Type of entity from which the event originated.
  • Key: Path and file name or registry key from which the event originated.
  • User: User ID of the file owner.
  • Process: Process from which the event originated.
  • Event Origin: The Server & Workload Protection component from which the event originated.

List of all Integrity Monitoring events

| ID | Severity | Event | Notes |
|---|---|---|---|
| 8000 | Info | Full Baseline Created | Created when the agent has been requested to build a baseline or went from 0 Integrity Monitoring rules to n (causing the baseline to be built). This event includes information on the time taken to scan (ms), and number of entities cataloged. |
| 8001 | Info | Partial Baseline Created | Created when the agent had a security configuration where one or more Integrity Monitoring rules changed. This event includes information on the time taken to scan (ms), and number of entities cataloged. |
| 8002 | Info | Scan for Change Completed | Created when the agent is requested to do a full or partial on-demand scan. This event includes information on the time taken to scan (ms), and number of changes cataloged. (Ongoing scans for changes based on the FileSystem Driver or the notify do not generate an 8002 event.) |
| 8003 | Error | Unknown Environment Variable in Integrity Monitoring Rule | Created when a rule uses a ${env.EnvironmentVar} and "EnvironmentVar" is not a known environment variable. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and the name of the unknown environment variable. |
| 8004 | Error | Bad Base in Integrity Monitoring Rule | Created when a rule contains an invalid base directory or key. For example, specifying a FileSet with a base of "c:\foo\d:\bar" would generate this event, or the invalid value could be the result of environment variable substitution that yields a bad value. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and the bad base value. |
| 8005 | Error | Unknown Entity in Integrity Monitoring Rule | Created when an unknown EntitySet is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and a comma-separated list of the unknown EntitySet names encountered. |
| 8006 | Error | Unsupported Entity in Integrity Monitoring Rule | Created when a known but unsupported EntitySet is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and a comma-separated list of the unsupported EntitySet names encountered. Some EntitySet types such as RegistryKeySet are platform-specific. |
| 8007 | Error | Unknown Feature in Integrity Monitoring Rule | Created when an unknown feature is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown feature names encountered. Examples of valid feature values are "whereBaseInOtherSet", "status", and "executable". |
| 8008 | Error | Unsupported Feature in Integrity Monitoring Rule | Created when a known but unsupported feature is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported feature names encountered. Some feature values such as "status" (used for Windows service states) are platform-specific. |
| 8009 | Error | Unknown Attribute in Integrity Monitoring Rule | Created when an unknown attribute is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown attribute names encountered. Examples of valid attribute values are "created", "lastModified" and "inodeNumber". |
| 8010 | Error | Unsupported Attribute in Integrity Monitoring Rule | Created when a known but unsupported attribute is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported attribute names encountered. Some attribute values such as "inodeNumber" are platform-specific. |
| 8011 | Error | Unknown Attribute in Entity Set in Integrity Monitoring Rule | Created when an unknown EntitySet XML attribute is encountered in an Integrity Monitoring rule. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown EntitySet attribute names encountered. You would get this event if you wrote `<FileSet dir="c:\foo">` instead of `<FileSet base="c:\foo">`. |
| 8012 | Error | Unknown Registry String in Integrity Monitoring Rule | Created when a rule references a registry key that doesn't exist. This event includes the ID of the Integrity Monitoring rule containing the problem, the name of the Integrity Monitoring rule, and the name of the unknown registry string. |
| 8013 | Error | Invalid WQLSet was used. Namespace or WQL query was missing. | Indicates that the namespace is missing from a WQL query because an integrity rule XML is incorrectly formatted. This can occur only in an advanced case, with custom integrity rules that use and monitor WQL queries. |
| 8014 | Error | Invalid WQLSet was used. An unknown provider value was used. | |
| 8015 | Warning | Inapplicable Integrity Monitoring Rule | Can be caused by a number of reasons, such as platform mismatch, nonexistent target directories or files, or unsupported functionality. |
| 8016 | Warning | Suboptimal Integrity Rule Detected | |
| 8050 | Error | Regular expression could not be compiled. Invalid wildcard was used. | |
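
The FileSet mistakes described for events 8003, 8004 and 8011 can be caught before a custom rule is assigned. The following is an added example, not Trend Micro code: a small linter that reports each mistake under the event ID this page associates with it. The function name, the attribute allow-list, the synthetic `<rule>` wrapper and the sample rule are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: "base" is the only FileSet attribute taken from the page; extend
# this set with the other attributes your rule language version accepts.
FILESET_ATTRS = {"base"}
ENV_REF = re.compile(r"\$\{env\.([^}]+)\}")
DRIVE_SPEC = re.compile(r"[A-Za-z]:[\\/]")

def lint_rule(rule_xml, known_env):
    """Return (event_id, detail) pairs for FileSet mistakes in rule_xml."""
    findings = []
    # Wrap in a synthetic root so several sibling sets parse as one document.
    root = ET.fromstring("<rule>" + rule_xml + "</rule>")
    for fs in root.iter("FileSet"):
        for name in sorted(set(fs.attrib) - FILESET_ATTRS):
            findings.append((8011, name))      # e.g. dir= instead of base=
        base = fs.get("base")
        if base is None:
            continue
        unknown = [v for v in ENV_REF.findall(base) if v not in known_env]
        findings.extend((8003, v) for v in unknown)
        if unknown:
            continue                           # cannot expand, stop here
        # A function replacement avoids backslash-escape processing in re.sub.
        expanded = ENV_REF.sub(lambda m: known_env[m.group(1)], base)
        # A drive specifier anywhere but the start means two roots were joined.
        if any(m.start() > 0 for m in DRIVE_SPEC.finditer(expanded)):
            findings.append((8004, expanded))
    return findings

# Constructed sample rule and environment (not from a real policy).
SAMPLE_ENV = {"DATA": r"d:\data"}
SAMPLE_RULE = r'''
<FileSet dir="c:\foo"/>
<FileSet base="${env.APPDIR}\bin"/>
<FileSet base="c:\apps\${env.DATA}"/>
<FileSet base="c:\foo\d:\bar"/>
'''

if __name__ == "__main__":
    for event_id, detail in lint_rule(SAMPLE_RULE, SAMPLE_ENV):
        print(event_id, detail)
```

The third sample FileSet shows the substitution case from the 8004 note: each part looks valid on its own, but the expanded base contains two drive specifiers.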