Which element shows actions taken by monitored programs on computers?

The main idea here is about recording what programs actually do on endpoints. Events are the logs of concrete actions taken by monitored software, giving you a timeline of activity on a computer—things like a process starting, a file being created or modified, a registry change, or a network connection attempt. This makes events the best match for showing real actions performed by programs. Indicators are signals or attributes that might suggest something worth investigating (for example, a file hash or a suspicious domain), not the actions themselves. IOAs (indicators of attack) describe patterns that could indicate an attack, and there are statuses like Pending IOAs (not yet validated) and Archived IOAs (no longer active). So they describe signals or patterns rather than the actual actions, which is why they fit less well for “actions taken by monitored programs.”