The following information is displayed for each event in the Audit Events table. By default, the audit events for the current date are displayed.
This column displays the date and time the event was detected.
This column displays the name of the application.
This column displays the name of the requested resource. It appears blank when an attribute specifying the resource is not returned by the application.
This column displays the message associated with the event and, when applicable, the risk score assigned to the access attempt. If an override is in place for the user, the message notes that the risk score was overridden resulting in a score of 0 for the access attempt.
This column displays the risk policy that was evaluated.
This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
This column displays the IP address of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
On the Auditing page, there are two types of audit events displayed in the table related to each access attempt. The first event generated displays the risk score information for the audit event while the second displays whether authentication was successful. For more information, see To display details for an individual audit event.
|
NOTE: In some cases, if the user fails to enter valid credentials the authentication event message notes that it was a failed authentication and there will be no event details nor associated risk score event for the access attempt. |
When selected, a risk score event displays the following information and options:
The Conditions filter drop-down is used to select the type of information to display concerning the risk score. The following options are available:
Click this button to open the Policy Viewer dialog which displays the risk policy that was evaluated during the access attempt. Click Close to close the dialog and return to the Auditing page.
If there is no override currently assigned to the user, clicking this button opens the Add Override dialog. If there is an override currently assigned to the user, this option opens the Modify Override dialog. See Adding and managing overrides on the Auditing page for more information.
This displays the risk score, which is the combined value of the triggered conditions and modifiers.
Based on the condition filter specified, the left pane displays the conditions evaluated in the selected access attempt event.
The score listed to the right of a condition name is the score resulting from both the condition and any triggered modifiers. Use the expand properties button (right arrow) to the left of a condition name to also display any modifiers for that condition marked with an icon depicting their effect on the condition score ( for increased, for decreased, and for no effect).
Selecting a condition or modifier from the list populates the right-hand side of the panel with the settings information. From this section, you can select any of the items to display a brief explanation of why the condition score occurred and hovering over the icon displays information regarding the condition parameters.
When selected, an authentication event displays the following information and button:
This column displays whether authentication was successful.
This column displays the type of authentication used.
This column displays the authorization action taken by an application based on the risk score calculated by the Security Analytics Engine (for example, step up authentication may have been required due to a moderately high risk score).
This column summarizes why the access attempt failed or succeeded.
Click the Show Policy Evaluation button in this column to display information about the risk score associated with the authentication event.
|
NOTE: The Show Policy Details button is grayed out if incorrect credentials were entered during the access attempt. |
A summary of the information on the Auditing page (excluding any column filtering values) can be downloaded in order to save or print a list of the audit events appearing in the table.
Hover over the button at the bottom left of the Auditing page to display the following download options:
For more information, see To download audit events information.
The following procedure explains how to filter the events displayed in the Audit Events table. By default, the audit events for the current date are displayed.
|
NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings. |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center