Integrity monitoring events

For general best practices related to events, see About Deep Security event logging.

To see the integrity monitoring events captured by Deep Security, go to Events & Reports > Events > Integrity Monitoring Events.

What information is displayed for integrity monitoring events?

These columns can be displayed on the Integrity Monitoring Events page. You can click Columns to select which columns are displayed in the table.

  • Time: Time the event took place on the computer.
  • Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
  • Reason: The integrity monitoring rule associated with this event.
  • Tag(s): Event tags that are applied to this event.
  • Change: The change detected by the integrity rule. Can be: Created, Updated, Deleted, or Renamed.
  • Rank: The ranking system provides a way to quantify the importance of events. By assigning "asset values" to computers, and assigning "severity values" to rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank.
  • Severity: The integrity monitoring rule's severity value.
  • Type: Type of entity from which the event originated.
  • Key: Path and file name or registry key from which the event originated.
  • User: User ID of the file owner.
  • Process: Process from which the event originated.
  • Event Origin: The Deep Security component from which the event originated.

List of all integrity monitoring events

| ID | Severity | Event | Notes |
|---|---|---|---|
| 8000 | Info | Full Baseline Created | Created when the agent has been requested to build a baseline or went from 0 integrity monitoring rules to n (causing the baseline to be built). This event includes information on the time taken to scan (ms), and number of entities catalogued. |
| 8001 | Info | Partial Baseline Created | Created when the agent had a security configuration where one or more integrity monitoring rules changed. This event includes information on the time taken to scan (ms), and number of entities catalogued. |
| 8002 | Info | Scan for Change Completed | Created when the agent is requested to do a full or partial on-demand scan. This event includes information on the time taken to scan (ms), and number of changes catalogued. (Ongoing scans for changes based on the FileSystem Driver or the notify do not generate an 8002 event.) |
| 8003 | Error | Unknown Environment Variable in Integrity Monitoring Rule | Created when a rule uses a ${env.EnvironmentVar} and "EnvironmentVar" is not a known environment variable. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and the name of the unknown environment variable. |
| 8004 | Error | Bad Base in Integrity Monitoring Rule | Created when a rule contains an invalid base directory or key. For example, specifying a FileSet with a base of "c:\foo\d:\bar" would generate this event, or the invalid value could be the result of environment variable substitution that yields a bad value. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and the bad base value. |
| 8005 | Error | Unknown Entity in Integrity Monitoring Rule | Created when an unknown EntitySet is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and a comma-separated list of the unknown EntitySet names encountered. |
| 8006 | Error | Unsupported Entity in Integrity Monitoring Rule | Created when a known but unsupported EntitySet is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and a comma-separated list of the unsupported EntitySet names encountered. Some EntitySet types such as RegistryKeySet are platform-specific. |
| 8007 | Error | Unknown Feature in Integrity Monitoring Rule | Created when an unknown feature is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown feature names encountered. Examples of valid feature values are "whereBaseInOtherSet", "status", and "executable". |
| 8008 | Error | Unsupported Feature in Integrity Monitoring Rule | Created when a known but unsupported feature is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported feature names encountered. Some feature values such as "status" (used for Windows service states) are platform-specific. |
| 8009 | Error | Unknown Attribute in Integrity Monitoring Rule | Created when an unknown attribute is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown attribute names encountered. Examples of valid attribute values are "created", "lastModified" and "inodeNumber". |
| 8010 | Error | Unsupported Attribute in Integrity Monitoring Rule | Created when a known but unsupported attribute is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unsupported attribute names encountered. Some attribute values such as "inodeNumber" are platform-specific. |
| 8011 | Error | Unknown Attribute in Entity Set in Integrity Monitoring Rule | Created when an unknown EntitySet XML attribute is encountered in an integrity monitoring rule. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, the type of entity set (for example, FileSet), and a comma-separated list of the unknown EntitySet attribute names encountered. You would get this event if you wrote <FileSet dir="c:\foo"> instead of <FileSet base="c:\foo">. |
| 8012 | Error | Unknown Registry String in Integrity Monitoring Rule | Created when a rule references a registry key that doesn't exist. This event includes the ID of the integrity monitoring rule containing the problem, the name of the integrity monitoring rule, and the name of the unknown registry string. |
| 8013 | Error | Invalid WQLSet was used. Namespace or WQL query was missing. | Indicates that the namespace is missing from a WQL query because an integrity rule XML is incorrectly formatted. This can occur only in an advanced case, with custom integrity rules that use and monitor WQL queries. |
| 8014 | Error | Invalid WQLSet was used. An unknown provider value was used. | |
| 8015 | Warning | Inapplicable Integrity Monitoring Rule | Can be caused by a number of reasons, such as platform mismatch, nonexistent target directories or files, or unsupported functionality. |
| 8016 | Warning | Suboptimal Integrity Rule Detected | |
| 8050 | Error | Regular expression could not be compiled. Invalid wildcard was used. | |
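
Several of the error events above (8003, 8004, 8011) come from mistakes in custom rule XML that can be caught before the rule is assigned to a computer. The following pre-deployment check is an added example, not Deep Security code: the `lint_rule` function, the attribute allowlist, the drive-specifier heuristic for a bad base, and the sample rules and environment are all assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: only "base" is confirmed by the page as a FileSet attribute;
# extend this set from the rule language reference before real use.
KNOWN_SET_ATTRS = {"FileSet": {"base"}}
ENV_REF = re.compile(r"\$\{env\.([^}]+)\}")
# Heuristic (assumption): a drive specifier is only valid at the start of a base.
DRIVE = re.compile(r"(?<![A-Za-z])[A-Za-z]:")

# Constructed sample rule content and environment, not taken from a real policy.
SAMPLE_RULE = r'''
<FileSet dir="c:\foo"/>
<FileSet base="c:\foo\d:\bar"/>
<FileSet base="${env.APPDIR}\conf"/>
<FileSet base="c:\apps\${env.DATADRIVE}"/>
<FileSet base="c:\windows\system32"/>
'''
SAMPLE_ENV = {"DATADRIVE": r"d:\data"}


def lint_rule(rule_xml, known_env):
    """Return sorted (event_id, detail) pairs the rule would likely trigger."""
    findings = set()
    # Rule content can hold several sibling sets, so wrap it in one root.
    root = ET.fromstring("<rule>" + rule_xml + "</rule>")
    for elem in root:
        allowed = KNOWN_SET_ATTRS.get(elem.tag)
        if allowed is None:
            continue  # entity set types this sketch does not model
        for attr in sorted(set(elem.attrib) - allowed):
            findings.add((8011, f"{elem.tag}: unknown attribute '{attr}'"))
        base = elem.get("base")
        if base is None:
            continue
        resolved, unknown = base, False
        for name in ENV_REF.findall(base):
            if name in known_env:
                resolved = resolved.replace("${env.%s}" % name, known_env[name])
            else:
                unknown = True
                findings.add((8003, f"unknown environment variable '{name}'"))
        # Check the base only after substitution, since 8004 can come from it.
        if not unknown and any(m.start() > 0 for m in DRIVE.finditer(resolved)):
            findings.add((8004, f"bad base '{resolved}'"))
    return sorted(findings)


if __name__ == "__main__":
    for event_id, detail in lint_rule(SAMPLE_RULE, SAMPLE_ENV):
        print(event_id, detail)
```

The fourth sample rule shows the substitution case described for event 8004: the base looks valid as written and only becomes invalid once the variable is expanded.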