Integrity monitoring events
For general best practices related to events, see Events in Deep Security.
To see the integrity monitoring events captured by Deep Security, go to Events & Reports > Events > Integrity Monitoring Events.
What information is displayed for integrity monitoring events?
These columns can be displayed on the Integrity Monitoring Events page. You can click Columns to select which columns are displayed in the table.
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Reason: The integrity monitoring rule associated with this event.
- Tag(s): Event tags that are applied to this event.
- Change: The change detected by the integrity rule. Can be: Created, Updated, Deleted, or Renamed.
- Rank: The ranking system provides a way to quantify the importance of events. By assigning "asset values" to computers, and assigning "severity values" to rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank.
- Severity: The integrity monitoring rule's severity value.
- Type: Type of entity from which the event originated.
- Key: Path and file name or registry key from which the event originated.
- User: User ID of the file owner.
- Process: Process from which the event originated.
- Event Origin: The Deep Security component from which the event originated.
List of all integrity monitoring events
| ID | Severity | Event | Notes |
|---|---|---|---|
| 8000 | Info | Full Baseline Created | Created when the agent has been requested to build a baseline, or when it went from 0 integrity monitoring rules to n (causing the baseline to be built). This event includes the time taken to scan (ms) and the number of entities catalogued. |
| 8001 | Info | Partial Baseline Created | Created when the agent's security configuration changed such that one or more integrity monitoring rules were added, removed or modified. This event includes the time taken to scan (ms) and the number of entities catalogued. |
| 8002 | Info | Scan for Change Completed | Created when the agent is requested to do a full or partial on-demand scan. This event includes the time taken to scan (ms) and the number of changes catalogued. (Ongoing scans for changes based on the FileSystem Driver or the notify do not generate an 8002 event.) |
| 8003 | Error | Unknown Environment Variable in Integrity Monitoring Rule | Created when a rule uses `${env.EnvironmentVar}` and "EnvironmentVar" is not a known environment variable. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and the name of the unknown environment variable. |
| 8004 | Error | Bad Base in Integrity Monitoring Rule | Created when a rule contains an invalid base directory or key. For example, specifying a FileSet with a base of "c:\foo\d:\bar" would generate this event; the invalid value could also be the result of environment variable substitution that yields a bad value. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and the bad base value. |
| 8005 | Error | Unknown Entity in Integrity Monitoring Rule | Created when an unknown EntitySet is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and a comma-separated list of the unknown EntitySet names encountered. |
| 8006 | Error | Unsupported Entity in Integrity Monitoring Rule | Created when a known but unsupported EntitySet is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and a comma-separated list of the unsupported EntitySet names encountered. Some EntitySet types, such as RegistryKeySet, are platform-specific. |
| 8007 | Error | Unknown Feature in Integrity Monitoring Rule | Created when an unknown feature is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown feature names encountered. Examples of valid feature values are "whereBaseInOtherSet", "status", and "executable". |
| 8008 | Error | Unsupported Feature in Integrity Monitoring Rule | Created when a known but unsupported feature is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported feature names encountered. Some feature values, such as "status" (used for Windows service states), are platform-specific. |
| 8009 | Error | Unknown Attribute in Integrity Monitoring Rule | Created when an unknown attribute is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown attribute names encountered. Examples of valid attribute values are "created", "lastModified" and "inodeNumber". |
| 8010 | Error | Unsupported Attribute in Integrity Monitoring Rule | Created when a known but unsupported attribute is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported attribute names encountered. Some attribute values, such as "inodeNumber", are platform-specific. |
| 8011 | Error | Unknown Attribute in Entity Set in Integrity Monitoring Rule | Created when an unknown EntitySet XML attribute is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown EntitySet attribute names encountered. You would get this event if you wrote `<FileSet dir="c:\foo">` instead of `<FileSet base="c:\foo">`. |
| 8012 | Error | Unknown Registry String in Integrity Monitoring Rule | Created when a rule references a registry key that doesn't exist. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and the name of the unknown registry string. |
| 8013 | Error | Invalid WQLSet was used. Namespace or WQL query was missing. | Indicates that the namespace is missing from a WQL query because the integrity rule XML is incorrectly formatted. This can occur only in an advanced case, with custom integrity rules that use and monitor WQL queries. |
| 8014 | Error | Invalid WQLSet was used. An unknown provider value was used. | |
| 8015 | Warning | Inapplicable Integrity Monitoring Rule | Can be caused by a number of reasons, such as platform mismatch, nonexistent target directories or files, or unsupported functionality. |
| 8016 | Warning | Suboptimal Integrity Rule Detected | |
| 8050 | Error | Regular expression could not be compiled. Invalid wildcard was used. | |
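As an added example (not code from the Deep Security documentation), the following Python script applies the Rank calculation described above (asset value of the computer multiplied by the rule's severity) to a constructed event export, and separates the rule-definition errors (8003 to 8014, 8050) and warnings (8015, 8016) from the change events, since a rule that fails to load or apply leaves its targets unmonitored. The CSV column layout, the EventID column, the asset values and the default asset value of 1 for an unlisted computer are assumptions.

```python
import csv
import io

# Event IDs from the table on this page.
RULE_ERROR_EVENTS = set(range(8003, 8015)) | {8050}   # rule could not be applied
RULE_WARNING_EVENTS = {8015, 8016}                    # rule inapplicable or suboptimal

# Asset value per computer, as configured in Deep Security. The values and the
# default of 1 for an unlisted computer are assumptions for this example.
ASSET_VALUES = {"web01": 5, "db01": 10, "dev07": 1}
DEFAULT_ASSET_VALUE = 1

# Constructed sample export using the column names shown on this page plus an
# assumed EventID column carrying the 8xxx IDs from the table.
SAMPLE_EVENTS = """\
Time,Computer,Reason,Change,Severity,Type,Key,EventID
2024-01-10T10:00:00,db01,Linux Critical Binaries,Updated,4,File,/usr/bin/ssh,
2024-01-10T10:01:00,dev07,Temp Directory,Created,1,File,/tmp/build.log,
2024-01-10T10:02:00,web01,Web Root,Updated,3,File,/var/www/html/index.php,
2024-01-10T10:03:00,web01,Custom Rule 42,,,,,8004
2024-01-10T10:04:00,db01,Windows Services,,,,,8015
2024-01-10T10:05:00,db01,,,,,,8000
"""


def rank(event):
    """Rank = asset value of the computer x severity of the rule (Rank column)."""
    asset = ASSET_VALUES.get(event["Computer"], DEFAULT_ASSET_VALUE)
    return asset * int(event["Severity"] or 0)


def triage(csv_text):
    """Split an export into ranked change events and rules needing attention."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    changes = [r for r in rows if r["Change"]]
    changes.sort(key=rank, reverse=True)
    needs_fix = set()
    for r in rows:
        event_id = int(r["EventID"]) if r["EventID"] else None
        if event_id in RULE_ERROR_EVENTS | RULE_WARNING_EVENTS:
            # The rule named in Reason is not monitoring its targets: a coverage gap.
            needs_fix.add((r["Reason"], event_id))
    return {
        "ranked_changes": [(r["Computer"], r["Key"], rank(r)) for r in changes],
        "rules_needing_attention": sorted(needs_fix),
    }


if __name__ == "__main__":
    for entry in triage(SAMPLE_EVENTS)["ranked_changes"]:
        print(entry)
```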