Display Deviant Events

You can zero in directly on deviant events in the Trail Flow table.

To display only deviant events:

1. In Tenable Identity Exposure, click Trail Flow to open the Trail Flow page.

2. Click the icon next to the Search box.

   The Edit Query Expression pane opens.

   

3. Click the Deviant only toggle to Allow.

4. Click Validate.

   Tenable Identity Exposure updates the Trail Flow table with a list of events with a red diamond next to the source.

   

   where:

• The Trail Flow detected a deviance in the Tenable Identity Exposure security profile.

• The Trail Flow detected a deviance in other security profiles.

• Shows that changes resolved the deviance.