FIM provides one central location for viewing all of the events detected across all of your assets. The Events tab contains capabilities to search for events, group by options, and download the results.
Use tabs in the Events section to quickly identify:
(1) All events detected across all of your assets, except ignored events.
(2) Events waiting to be reviewed. You can choose to ignore events or create incidents.
(3) Ignored events.
When you are searching for events in the All Events and Events Review tabs, you can save these searches using the "Save this Search Query" option. Saved searches are available under the "Manage Saved Searches" option.
Note: If you cannot see the saved search under the Manage Saved Searches option, press F5 or refresh the screen.
You can find events based on event data, file information, monitoring profile, and more. You can filter the events by days. You will find the filter beside the search events box. Note that if you select the "specific range" filter, the difference between the specified dates should not exceed 365 days.
See also: Search Tutorial | Group By Option | Download search results
Clicking Event Details in the Quick Actions for an event brings up the Event Details page. This page provides complete information about the FIM event.
Have an event you don't need to track? Ignore it to move it out of your list.
Go to Events > Event Review, select specific events, and choose Ignore Events from the Actions menu. Optionally, choose Ignore All Matching Events to ignore all events that currently match your query for the timeframe that you've selected. Ignored events are moved to the Ignored list. Note - You may get similar events in the future that will appear in your Events list and you'll want to ignore those too.
Alternatively, click an event to go to the Event details page. Select the Ignore option from the Actions menu.
Did you ignore an event by mistake? No worries. Easily restore any ignored event from the Ignored list.
Ignore an event and at the same time modify the monitoring profile rule or rules that triggered the event. Identify the event and then click the event to go to the Event details page. From the Actions menu, choose Ignore and Whitelist. This option is unavailable 1) for events for which incidents are created and 2) for events that are created for the profile rules that are imported from the profile library and profile rules for which you have set Rule Type as File.
You'll see a list of profiles and rules associated with the event and a new exclude filter for the target directory or file. Feel free to make changes to the exclude filter before saving it. Once you hit Save, we'll add the exclude filter to the selected profile rules. The event will be moved to the Ignored list and new events will not be generated for the excluded directory/file.
Search for events that are generated by the same process or user, or for the same filename, file path or rule. Drill down into an event and, on the Event details page, click the Actions menu at the top. Select Find similar events and then choose a filter to view events that match the value of that filter for the selected event.
For example, choose the Process filter to view all the events that are generated by the same process as the current event.
Go to Events > Event Review to see the events that are waiting to be reviewed.
Enter your search query to find related changes that are part of the same incident, and click Create Incident. All events matching your query will be included in the incident. You'll have the opportunity to review the incident and decide if it's valid.