What it does
Application Monitoring (TATER Manage → Endpoint Fleet → Application Monitoring) is the home for noisy, continuously-detected fleet signals. Instead of auto-filing thousands of help-desk tickets, every detection is kept as a deduplicated finding - a continuously-updated state you acknowledge, suppress, resolve, or explicitly promote to an Ops task when it genuinely needs help-desk lifecycle. The same findings queue is also available to technicians in TATER Ops → Workspace → App Monitoring; monitor definitions (create/toggle) are managed in TATER Manage.
It has two layers:
- Findings - "what we found", deduped on (org, source, device, resource). Repeat detections increment an occurrence count instead of creating duplicates.
- Monitors - "what to watch". Built-in monitors plus templated monitors you create and toggle on/off.
Findings - sources & lifecycle
Findings carry a severity, a source, the affected device, and a lifecycle state. Sources include:
| Source | Where it comes from |
|---|---|
| onedrive | The OneDrive Sync Health built-in monitor (confirmed-degraded devices). |
| kev | The CISA KEV Exposure built-in monitor (installed software matched to the Known Exploited Vulnerabilities catalog; 21-day BOD 25-01 SLA). |
| monitor | Your templated agent monitors (service, process, port, disk, cert, BitLocker, scheduled task, custom script). |
| eol / cve / sensor-alert / ... | Other detectors as they come online. |
Lifecycle: open → acknowledged → suppressed → remediated → superseded. A finding auto-reopens if the signal returns, and auto-clears (remediated) when the detector or agent reports the condition resolved. Findings have a 180-day TTL.
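The dedupe-and-lifecycle rules above as an added illustrative model, not TATER's own code: one row per (org, source, device, resource), repeat detections bump the occurrence count, a cleared finding reopens when the signal returns, and rows past the 180-day TTL are dropped. The action-to-state mapping and the rule that suppressed or acknowledged findings stay put on repeat detections are assumptions; timestamps are epoch seconds.

```python
TTL_SECONDS = 180 * 86400  # the page states a 180-day TTL for findings
# Per-finding actions from the Findings tab, mapped to the resulting state.
# The action-to-state pairing is an assumption; the page lists both but not the mapping.
ACTIONS = {"ack": "acknowledged", "suppress": "suppressed", "resolve": "remediated"}


class Finding:
    """One deduplicated finding; `key` is the (org, source, device, resource) tuple."""
    def __init__(self, key, severity, now):
        self.key, self.severity, self.last_seen = key, severity, now
        self.state = "open"   # open / acknowledged / suppressed / remediated / superseded
        self.occurrences = 1


class FindingsQueue:
    """Deduplicated findings store: repeat detections bump a count, never add a row."""
    def __init__(self):
        self.findings = {}

    def detect(self, org, source, device, resource, severity, now):
        """A detector reports the condition present (now = epoch seconds)."""
        key = (org, source, device, resource)
        f = self.findings.get(key)
        if f is None:
            f = self.findings[key] = Finding(key, severity, now)
            return f
        f.occurrences += 1
        f.last_seen, f.severity = now, severity
        if f.state == "remediated":   # signal returned after auto-clear: reopen
            f.state = "open"          # (suppressed/acknowledged stay put: assumption)
        return f

    def clear(self, org, source, device, resource, now):
        """Detector or agent reports the condition resolved: auto-clear to remediated."""
        f = self.findings.get((org, source, device, resource))
        if f is not None and f.state != "superseded":
            f.state, f.last_seen = "remediated", now
        return f

    def act(self, key, action):
        """Technician action (Ack / Suppress / Resolve) on an existing finding."""
        self.findings[key].state = ACTIONS[action]
        return self.findings[key]

    def expire(self, now):
        """Drop findings whose last detection is older than the TTL; returns count dropped."""
        stale = [k for k, f in self.findings.items() if now - f.last_seen > TTL_SECONDS]
        for k in stale:
            del self.findings[k]
        return len(stale)
```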
Built-in monitors
Two monitors are always present, seeded per organization. They are toggle-only (you can turn them off, but not delete them):
- OneDrive Sync Health - see the OneDrive Sync Health guide. Confirmed-degraded devices raise an onedrive finding. Turning this off stops new OneDrive findings.
- CISA KEV Exposure - per-device installed software correlated against the CISA KEV catalog. Turning this off stops new kev findings.
Templated monitors
Create monitors from the Monitors tab → + Create Monitor. The TATER agent (v2.4.17+) evaluates each enabled monitor on its targeted devices every 15 minutes and reports pass/fail, which raises or clears a monitor finding.
| Type | Checks | Config | Platforms |
|---|---|---|---|
| Service Running | A Windows service / systemd unit is running | serviceName | Windows, Linux |
| Process Running | A named process is running | processName | Windows, Linux, macOS |
| Port Listening | A local TCP port accepts connections | port, host | all |
| Disk Free Space | Free space stays above a threshold | path, minFreePercent | all |
| Certificate Expiry | A LocalMachine\My cert is not near expiry | subjectMatch, warnDays | Windows |
| BitLocker Encryption | A drive is fully BitLocker-encrypted | drive | Windows |
| Scheduled Task Health | A task exists and ran recently / succeeded | taskName, maxAgeHours | Windows |
| Custom Script | Your PowerShell/bash returns the expected result | interpreter, script, successCriteria, expectOutput | all |
Custom-script bodies must be ASCII-only - non-ASCII characters corrupt the temp file the agent writes for evaluation.
The page
- Counts at the top (Open, KEV Exposure, SLA Breached, Due Soon, Acknowledged, Suppressed, Total) come from the live findings summary.
- Findings tab - every source as a row with severity/source pills, SLA badge, occurrence count, and per-finding actions: Ack, Suppress, Resolve, and To Task (promote to a TATER Ops task with full evidence). Filter by source, state, severity, and search.
- Monitors tab - every monitor with an ON/OFF toggle, plus Create Monitor (templated) and edit/delete for the ones you create.
Promote to an Ops task
Most findings should stay on the monitoring surface. When one genuinely needs help-desk lifecycle (assignment, SLA, comments), click To Task - it creates a linked TATER Ops task pre-filled with the finding evidence, priority derived from severity, and a back-link. Only do this when you want a person to own it.
Permissions
Auditor+ can view findings and monitors. Admin+ can acknowledge / suppress / resolve / promote findings, and create / edit / delete / toggle monitors.
MCP tools
Available on both the HTTP and stdio MCP servers:
- list_monitoring_findings, get_monitoring_summary, acknowledge_monitoring_finding - the findings surface.
- list_monitors - list monitor definitions and their on/off state.
- create_monitor - create a templated monitor (Admin).
- toggle_monitor - enable/disable a monitor by id (Admin).
Activating templated monitors on the fleet
Built-in monitors (OneDrive, KEV) work immediately. Templated monitors require agent v2.4.17+ - the agent auto-updates at next restart (or push a fleet restart wave). Once updated, agents pick up enabled monitors within ~15 minutes.